computer going mad

Discussion in 'Windows XP' started by vinnyb1956, Oct 20, 2003.

Thread Status:
Not open for further replies.
  1. vinnyb1956

    vinnyb1956 Thread Starter

    Joined:
    Feb 13, 2003
    Messages:
    35
    I hear the hard drive crunching, then the mouse goes mad, opens programs, closes the internet, or sometimes opens m/soft Excel and pastes the webpage to it. It's random. There are no viruses on my computer, please help, aargh!!!
     
  2. hannas

    hannas

    Joined:
    Sep 28, 2003
    Messages:
    31
    Get adaware (if you haven't already got it) and update it, then scan with it and then a virus check with housecall (even though your vpp may say all is clean).

    get adaware from here

    do your housecall scan here

    After you have done those things get hijackthis, do a scan, copy the results and paste them up here for someone to look at and they will tell you what to do from there

    get hijackthis from here
     
  3. vinnyb1956

    vinnyb1956 Thread Starter

    Joined:
    Feb 13, 2003
    Messages:
    35
    Here's the results of the action you requested.
    Thanks


    Logfile of HijackThis v1.97.3
    Scan saved at 18:26:16, on 20/10/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    F:\Norman\NVC\BIN\Zanda.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Mixer.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\PROGRA~1\Save\Save.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    C:\WINDOWS\System32\rundll32.exe
    F:\NORMAN\Nvc\BIN\nvcoas.exe
    F:\NORMAN\Nvc\BIN\NVCSCHED.EXE
    F:\NORMAN\Nvc\BIN\NJEEVES.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\unzipped\hijackthis[1]\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_88.dll
    O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\MediaLoads Enhanced\ME2.DLL
    O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem215.dll
    O2 - BHO: (no name) - {c0aa333a-4d46-4aba-a5fc-751b707c94bd} - C:\DOCUME~1\vincent\APPLIC~1\auchjouey.dll
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem214.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-DBFC-ED1CA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrs0rbi.dll
    O3 - Toolbar: zstvjdrlltr - {9009d3dd-e362-40e1-8d3d-72cf8edb99fb} - C:\DOCUME~1\vincent\APPLIC~1\auchjouey.dll
    O3 - Toolbar: Ask Jeeves Bar - {43D9E6F0-1776-4897-AE14-ECEDECBAFEC0} - C:\WINDOWS\System32\askbarAB.dll
    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\System32\EXPLORER.EXE
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
    O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: Ask Jeeves Search - javascript:external.menuArguments.location.href="javascript:AskBarcommand='cmd-search-selection'"
    O8 - Extra context menu item: Dictionary Search - javascript:external.menuArguments.location.href="javascript:AskBarcommand='cmd-search-selection-word'"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: Popup Eliminator (HKLM)
    O9 - Extra 'Tools' menuitem: Popup Eliminator (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O10 - Hijacked Internet access by New.Net
    O10 - Broken Internet access because of LSP provider 'nmtracer.dll' missing
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {29D91500-F352-4523-8FF5-6CA1E71690A7} - http://www.myfreecursors.com/cursors/flying_pig.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4855C21B-E452-4661-A702-ED3493CE74DF} (AJ Installer Control) - http://sp.ask.com/docs/toolbar/download/askbar-inst.cab
    O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - http://moneymanager.egg.com/activex/accounttracking.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/PEInstaller.exe
    O16 - DPF: {86698251-D2C0-4D0F-A3E4-95CEF12F9F18} - http://64.156.188.99/iwasher/internetwasherpro.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (OPInstall Control) - http://a14.g.akamai.net/f/14/7141/1...com/opistat/activex/opinstall_en_4.1.0.18.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37652.321099537
    O16 - DPF: {A0F0D762-D1DE-43AF-B70E-D87864743EB3} (NSLiteUpdateCtrl Class) - http://217.145.76.16/nslite/nslite.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?312
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O16 - DPF: {FC87A650-207D-4392-A6A1-82ADBC56FA64} (MultiDist) - http://xbs.mtree.com/mt/dialers/fc/MultiDistFC.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = k21122.find-quick.com
    O17 - HKLM\Software\..\Telephony: DomainName = k21122.find-quick.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3946AF52-689A-4612-A6AD-056A13067E5F}: Domain = k21122.find-quick.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3F302E3F-FDF1-4EDC-A904-DB9110126256}: Domain = k21122.find-quick.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9529AA9D-939F-4749-8C66-8F36E4E08F0B}: NameServer = 212.67.120.148 212.67.96.129
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = k21122.find-quick.com
     
  4. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    It's a bit of a mess... Give me a few minutes to take a look...

    1st thing, go to add/remove programs and uninstall "newdotnet" if there's an entry for it.
    ;)
     
  5. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Run hijackthis again and put a checkmark against these entries... double check
    in case you miss anything...
    ...then, close all browser and outlook windows and "fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_88.dll
    O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\MediaLoads Enhanced\ME2.DLL
    O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem215.dll
    O2 - BHO: (no name) - {c0aa333a-4d46-4aba-a5fc-751b707c94bd} - C:\DOCUME~1\vincent\APPLIC~1\auchjouey.dll
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem214.dll
    O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-DBFC-ED1CA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrs0rbi.dll
    O3 - Toolbar: zstvjdrlltr - {9009d3dd-e362-40e1-8d3d-72cf8edb99fb} - C:\DOCUME~1\vincent\APPLIC~1\auchjouey.dll
    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\System32\EXPLORER.EXE
    O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O10 - Hijacked Internet access by New.Net
    O10 - Broken Internet access because of LSP provider 'nmtracer.dll' missing
    O16 - DPF: {29D91500-F352-4523-8FF5-6CA1E71690A7} - http://www.myfreecursors.com/cursors/flying_pig.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
    O16 - DPF: {4855C21B-E452-4661-A702-ED3493CE74DF} (AJ Installer Control) - http://sp.ask.com/docs/toolbar/download/askbar-inst.cab
    O16 - DPF: {A0F0D762-D1DE-43AF-B70E-D87864743EB3} (NSLiteUpdateCtrl Class) - http://217.145.76.16/nslite/nslite.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {FC87A650-207D-4392-A6A1-82ADBC56FA64} (MultiDist) - http://xbs.mtree.com/mt/dialers/fc/MultiDistFC.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = k21122.find-quick.com
    O17 - HKLM\Software\..\Telephony: DomainName = k21122.find-quick.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3946AF52-689A-4612-A6AD-056A13067E5F}: Domain = k21122.find-quick.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3F302E3F-FDF1-4EDC-A904-DB9110126256}: Domain = k21122.find-quick.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = k21122.find-quick.com

    Re-boot into safe mode and delete:
    C:\PROGRA~1\Save [ENTIRE FOLDER]
    C:\WINDOWS\System32\P2P Networking [ENTIRE FOLDER]
    C:\Program Files\MyWebSearch [ENTIRE FOLDER]


    This next one.
    C:\WINDOWS\System32\EXPLORER.EXE
    NOTE: The genuine explorer.exe is in the windows folder.

    To fix this item:

    O10 - Broken Internet access because of LSP provider 'nmtracer.dll' missing

    Download LSPfix here: http://www.cexx.org/lspfix.htm
    Launch the application, and click the "I know what I'm doing" checkbox.
    This is the dll in question 'nmtracer.dll'

    Reboot into normal mode and post another logfile.

    ;)
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    vinnyb1956

    It sounds like you may have a hard drive going south on you. However, you do have some things that need removing. Let's get rid of the spyware/malware and see if it helps any.

    The first thing you need to do is get rid of Kazaa. It is full of spyware and the source of many problems. If you must have a p2p app I will be happy to direct you to Kazaalite when we are finished here. Kazaalite is the same as Kazaa without the spyware.

    First go to Add/Remove programs and uninstall Kazaa and New.Net if it is there.

    Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

    O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL

    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_88.dll

    O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\MediaLoads Enhanced\ME2.DLL

    O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem215.dll

    O2 - BHO: (no name) - {c0aa333a-4d46-4aba-a5fc-751b707c94bd} - C:\DOCUME~1\vincent\APPLIC~1\auchjouey.dll

    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem214.dll

    O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL

    O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-DBFC-ED1CA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrs0rbi.dll

    O3 - Toolbar: zstvjdrlltr - {9009d3dd-e362-40e1-8d3d-72cf8edb99fb} - C:\DOCUME~1\vincent\APPLIC~1\auchjouey.dll

    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

    O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\System32\EXPLORER.EXE

    O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe

    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

    O10 - Hijacked Internet access by New.Net

    O10 - Broken Internet access because of LSP provider 'nmtracer.dll' missing

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/f...etup1.0.0.6.cab

    O16 - DPF: {29D91500-F352-4523-8FF5-6CA1E71690A7} - http://www.myfreecursors.com/cursors/flying_pig.cab

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://dload.ipbill.com/del/loader.cab

    O16 - DPF: {FC87A650-207D-4392-A6A1-82ADBC56FA64} (MultiDist) - http://xbs.mtree.com/mt/dialers/fc/MultiDistFC.CAB

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = k21122.find-quick.com

    O17 - HKLM\Software\..\Telephony: DomainName = k21122.find-quick.com

    O17 - HKLM\System\CCS\Services\Tcpip\..\{3946AF52-689A-4612-A6AD-056A13067E5F}: Domain = k21122.find-quick.com

    O17 - HKLM\System\CCS\Services\Tcpip\..\{3F302E3F-FDF1-4EDC-A904-DB9110126256}: Domain = k21122.find-quick.com

    O17 - HKLM\System\CCS\Services\Tcpip\..\{9529AA9D-939F-4749-8C66-8F36E4E08F0B}: NameServer = 212.67.120.148 212.67.96.129

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = k21122.find-quick.com

    Restart to Safe Mode: press f8 on startup and select Safe Mode from the boot menu.

    In Safe Mode delete:

    The C:\Program Files\MySearch folder
    The C:\WINDOWS\System32\P2P Networking folder
    The C:\Program files\Save folder
    The C:\WINDOWS\System32\EXPLORER.EXE
    Note: Do NOT delete the Explorer.exe file that is in C:\Windows, which is a valid Windows file. Delete the one in C:\WINDOWS\System32.

    Now download LSPfix here: http://www.cexx.org/lspfix.htm

    Launch the application, and click the "I know what I'm doing" checkbox.

    Check all instances of 'nmtracer.dll' (and nothing else), and move them to the "Remove" pane.
    Then click Finish.

    Now start your computer in Safe Mode, and find and delete the file itself.
     
  7. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    And second opinions are also welcomed :D
     
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    $teve you beat me to it. :)

    Oh well it never hurts to have a second opinion. (y)
     
  9. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Exactly (y)
     
  10. vinnyb1956

    vinnyb1956 Thread Starter

    Joined:
    Feb 13, 2003
    Messages:
    35
    $teve
    Here's the new log file, I'll have 2 leave it 4 today, have 2 go to bed now, I'm up at 0115 for work, oh the joys of being a train driver.
    Thanks




    Logfile of HijackThis v1.97.3
    Scan saved at 20:28:21, on 20/10/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    F:\Norman\NVC\BIN\Zanda.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Mixer.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\PCBoost\PCBoost.exe
    C:\WINDOWS\System32\rundll32.exe
    F:\NORMAN\Nvc\BIN\nvcoas.exe
    F:\NORMAN\Nvc\BIN\NVCSCHED.EXE
    F:\NORMAN\Nvc\BIN\NJEEVES.EXE
    C:\unzipped\hijackthis[1]\HijackThis.exe

    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem214.dll
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [PCBoost] "C:\Program Files\PCBoost\PCBoost.exe"
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: Popup Eliminator (HKLM)
    O9 - Extra 'Tools' menuitem: Popup Eliminator (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - http://moneymanager.egg.com/activex/accounttracking.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecret.com/inst/PEInstaller.exe
    O16 - DPF: {86698251-D2C0-4D0F-A3E4-95CEF12F9F18} - http://64.156.188.99/iwasher/internetwasherpro.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (OPInstall Control) - http://a14.g.akamai.net/f/14/7141/1...com/opistat/activex/opinstall_en_4.1.0.18.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37652.321099537
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?312
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9529AA9D-939F-4749-8C66-8F36E4E08F0B}: NameServer = 212.67.120.148 212.67.96.129
     
  11. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    You still have a few left over.
    Run hijackthis again and put a checkmark against these entries... double check
    in case you miss anything...
    ...then, close all browser and outlook windows and "fix checked"


    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem214.dll

    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/f...etup1.0.0.6.cab

    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://dload.ipbill.com/del/loader.cab

    Check the link at the bottom of my post for info on how to help stop getting re-infected.

    ;)
     
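The two checks the helpers do by eye in this thread (which fix-list entries are still present in the follow-up log, and the Run entry pointing at an EXPLORER.EXE outside the Windows folder) can be scripted. This is an added example, not part of the original posts or of HijackThis; the function names are hypothetical, the sample lines are a shortened copy of lines posted above, and the Windows folder is assumed to be C:\WINDOWS as shown in the logs.

```python
import ntpath
import re

# Shortened sample input: lines copied from the fix lists and the follow-up
# log posted in this thread (one O16 URL is truncated by the forum, as posted).
FIX_LIST = r"""
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem214.dll
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\System32\EXPLORER.EXE
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/f...etup1.0.0.6.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {FC87A650-207D-4392-A6A1-82ADBC56FA64} (MultiDist) - http://xbs.mtree.com/mt/dialers/fc/MultiDistFC.CAB
"""
FOLLOWUP_LOG = r"""
Logfile of HijackThis v1.97.3
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem214.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} (loader Class) - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
RUN = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]+)\]\s*(.*)$")

# Per the thread, the genuine explorer.exe lives in the Windows folder.
# Assumption: that folder is C:\WINDOWS, as in the posted logs.
EXPECTED_DIR = {"explorer.exe": r"c:\windows"}


def entry_key(line):
    """Stable identity for a log entry, or None for non-entry lines.

    Whole-line comparison fails when the forum shortens a URL with "...",
    so BHO/toolbar/DPF entries are keyed by CLSID and Run entries by
    hive plus value name.
    """
    m = re.match(r"\s*([ORNF]\d+) - (.*)$", line)
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    clsid = CLSID.search(body)
    if section in ("O2", "O3", "O16") and clsid:
        return (section, clsid.group(0).upper())
    run = RUN.match(body)
    if section == "O4" and run:
        return (section, run.group(1), run.group(3).lower())
    return (section, body.strip().lower())


def persisting(fix_list, followup_log):
    """Follow-up log lines whose entry was on the fix list (still present)."""
    wanted = {entry_key(l) for l in fix_list.splitlines()} - {None}
    return [l.strip() for l in followup_log.splitlines()
            if entry_key(l) in wanted]


def misplaced_binaries(log_text):
    """Run entries whose file name is a known system binary in the wrong folder."""
    hits = []
    for line in log_text.splitlines():
        m = re.match(r"\s*O4 - (.*)$", line)
        run = RUN.match(m.group(1)) if m else None
        path = re.match(r'"?([A-Za-z]:\\.*?\.exe)\b', run.group(4), re.I) if run else None
        if not path:
            continue  # relative commands such as "Mixer.exe" cannot be judged
        folder, name = ntpath.split(ntpath.normcase(path.group(1)))
        if name in EXPECTED_DIR and folder != EXPECTED_DIR[name]:
            hits.append((run.group(3), path.group(1)))
    return hits


if __name__ == "__main__":
    for entry in persisting(FIX_LIST, FOLLOWUP_LOG):
        print("still present:", entry)
    for name, path in misplaced_binaries(FIX_LIST):
        print("unexpected location:", name, path)
```

On the sample lines, the entries reported as still present are the same four that the last reply asks to be fixed again.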

Short URL to this thread: https://techguy.org/173260
