
Expert help needed!!!

Discussion in 'Virus & Other Malware Removal' started by ruttinstag, Sep 18, 2004.

  1. ruttinstag

    ruttinstag Thread Starter

    Joined:
    Sep 18, 2004
    Messages:
    146
    Hi guys, as I know nothing about computers I was hoping someone could help me with the removal of this pesky toolbar that keeps popping up on EVERYTHING I open and changing my homepage to something different every time even though I keep changing it back... it's doing my head in!!!

    Thanks in advance, Ruttinstag
     
  2. ruttinstag

    ruttinstag Thread Starter

    Joined:
    Sep 18, 2004
    Messages:
    146
    Having read through a couple of other people's problems I noticed everyone was using HijackThis... so here's the log file if it helps

    Logfile of HijackThis v1.97.7
    Scan saved at 18:38:04, on 18/09/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\WINDOWS\System32\GEARSEC.EXE
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\System32\RoamMgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\1XConfig.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\WINDOWS\System32\pctspk.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe
    C:\Program Files\BenQ\QMedia Center\PCMService.exe
    C:\Program Files\BenQ\QMusic2\QMAgent.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    C:\PROGRA~1\Nokia\NOKIAP~2\TRAYAP~1.EXE
    C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Hez\Local Settings\Temporary Internet Files\Content.IE5\GXAB0TQV\HijackThis[1].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://other.thenewsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Hez\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Hez\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://other.thenewsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Hez\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://other.thenewsearch.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://other.thenewsearch.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Hez\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Hez\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lookfor.cc?pin=29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://other.thenewsearch.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://other.thenewsearch.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Hez\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = "C:\Program Files\Outlook Express\msimn.exe"
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://other.thenewsearch.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://other.thenewsearch.com/search.html
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1A4862FD-9C09-496D-BCC5-B8AE43AD097B} - C:\WINDOWS\System32\msdoh.dll
    O2 - BHO: (no name) - {722E8B26-1C44-460F-88BB-50C82B20E30E} - C:\WINDOWS\System32\msqsb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Neo Toolbar - {722E8B26-1C44-460F-88BB-50C82B20E30E} - C:\WINDOWS\System32\msqsb.dll
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Q-HotkeyMgr] "C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe"
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\BenQ\QMedia Center\PCMService.exe"
    O4 - HKLM\..\Run: [QMusic] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
    O4 - HKLM\..\Run: [Q-MediaBar] "C:\Program Files\BenQ\Q-MediaBar\QBar.exe"
    O4 - HKLM\..\Run: [AceAgent] C:\Program Files\BenQ\BenQ JoyFamily SmartManager\csp.exe
    O4 - HKLM\..\Run: [QMessenger] C:\Program Files\BenQ\BenQ JoyFamily SmartManager\QMessenger.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~2\TRAYAP~1.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.173.250/othersearch.chm::/othersearch.exe
    O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://C:\path.mht!http://64.200.26.76/d1/arctal.chm::/AWM123.exe
     
  3. Saga Lout

    Saga Lout

    Joined:
    Sep 15, 2004
    Messages:
    3,791
    I don't see an easier way to stop this than by going through all those Registry keys which link to this site and editing it out of each. Do this with System Restore turned off and if you feel safer backing up the Registry first, create a directory and name it - anything you like - then go to C:\WINDOWS\SYSTEM32 and copy Config to that directory you made. That takes care of most of the keys but you also need to back up H_KEYCU and you find this in C:\Docs & Settings\User (Your name) and copy NTUSER.DAT and NTUSER.DAT.LOG.

    Now you have this backed up, find those entries in the Registry and delete them. Key in the word "newsearch" (without the quotes) in the Find facility of the Edit menu, delete one at a time and use F3 to find the next one.
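Saga Lout's advice above amounts to finding every registry reference to the hijacker's domain before deleting it. The following is an added example, not part of the thread and not code from any tool mentioned in it: it parses a registry export in REGEDIT4 / "Windows Registry Editor Version 5.00" format (the same format FindnFix prints later in the thread, and the kind of backup you would take before editing) and lists every key path, value name or value data that mentions a search string, so the hits can be reviewed offline before anything is removed. The export text, its keys and the hex-encoded value are constructed for the example and modelled on the hijacked entries in the HijackThis log; hex-encoded string values are decoded as UTF-16LE for version 5.00 exports and as 8-bit text for REGEDIT4.

```python
"""Search a .reg export for references to a string (added example, constructed data)."""
import re

HEADER_V5 = "Windows Registry Editor Version 5.00"
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
HEX_RE = re.compile(r"^hex(?:\((?P<t>[0-9a-fA-F]+)\))?:(?P<b>.*)$")
TEXT_TYPES = {"1": "REG_SZ", "2": "REG_EXPAND_SZ", "7": "REG_MULTI_SZ"}

# Constructed REGEDIT4 export modelled on the hijacked values in the thread's log.
# The hex(2) value spells "http://other.thenewsearch.com/" as REG_EXPAND_SZ.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
"SearchURL"="http://other.thenewsearch.com/search.html"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Bar"="file://C:\\DOCUME~1\\Hez\\LOCALS~1\\Temp\\sp.html"
"Start Page"="http://www.wanadoo.co.uk/"
"Window Title"="Microsoft Internet Explorer provided by Wanadoo"
"Default_Search_URL"=hex(2):68,74,74,70,3a,2f,2f,6f,74,68,65,72,2e,74,68,65,6e,65,77,\
  73,65,61,72,63,68,2e,63,6f,6d,2f,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"GDIProcessHandleQuota"=dword:00002710
"""


def _logical_lines(text):
    """Join lines that end in a backslash (hex continuations) into one line."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)      # \\ -> \  and  \" -> "


def _decode(data, utf16):
    """Turn the right-hand side of a value line into (type, searchable text)."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return "REG_SZ", _unescape(data[1:-1])
    if data.startswith("dword:"):
        return "REG_DWORD", str(int(data[6:], 16))
    m = HEX_RE.match(data)
    if m:
        t = (m.group("t") or "3").lower()          # bare "hex:" is REG_BINARY (type 3)
        raw = bytes(int(h, 16) for h in m.group("b").split(",") if h)
        if t in TEXT_TYPES:                        # string types stored as hex
            text = raw.decode("utf-16-le" if utf16 else "latin-1", "replace")
            return TEXT_TYPES[t], text.replace("\x00", "|").strip("|")
        return ("REG_BINARY" if t == "3" else f"hex({t})"), raw.hex()
    return "UNKNOWN", data


def parse_reg(text):
    """Yield (key, value_name, type, data_text) for every value in the export."""
    utf16 = text.lstrip().startswith(HEADER_V5)
    key = None
    for line in _logical_lines(text):
        if not line or line[0] == ";" or line.startswith(("REGEDIT", HEADER_V5)):
            continue
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VALUE_RE.match(line)
        if vm and key is not None:
            name = "(Default)" if vm.group("default") else _unescape(vm.group("name"))
            vtype, data = _decode(vm.group("data"), utf16)
            yield key, name, vtype, data


def find_references(text, needle):
    """Values whose key path, name or data mention `needle` (case-insensitive)."""
    n = needle.lower()
    return [(k, v, t, d) for k, v, t, d in parse_reg(text)
            if n in k.lower() or n in v.lower() or n in d.lower()]


if __name__ == "__main__":
    for key, name, vtype, data in find_references(SAMPLE_EXPORT, "newsearch"):
        print(f"{key}\n    {name} ({vtype}) = {data}")
```

Run it against a real export with `find_references(open("backup.reg", encoding="utf-16").read(), "newsearch")` (version 5.00 exports are UTF-16; REGEDIT4 exports are 8-bit). Searching decoded data matters because a hijacker can store the same URL as a hex-encoded REG_EXPAND_SZ, which a plain text search for the domain name would miss.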
     
  4. ruttinstag

    ruttinstag Thread Starter

    Joined:
    Sep 18, 2004
    Messages:
    146
    Hi guys, I've got a problem with the Neo toolbar. I've actually removed the toolbar but my homepage keeps re-setting to something else than what I want, then it downloads some **** onto my desktop which appears as an application; when I delete it, it reappears again when I open a browser. Also there's a notepad file on my hard drive called inst_debug which I can't seem to remove, is this something to do with the problem? I've run HijackThis and this is the log file:

    Logfile of HijackThis v1.97.7
    Scan saved at 11:25:22, on 19/09/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\WINDOWS\System32\GEARSEC.EXE
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\System32\RoamMgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\System32\1XConfig.exe
    C:\WINDOWS\System32\pctspk.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe
    C:\Program Files\BenQ\QMedia Center\PCMService.exe
    C:\Program Files\BenQ\QMusic2\QMAgent.exe
    C:\Program Files\BenQ\Q-MediaBar\QBar.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    C:\PROGRA~1\Nokia\NOKIAP~2\TRAYAP~1.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Hez\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = "C:\Program Files\Outlook Express\msimn.exe"
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Q-HotkeyMgr] "C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe"
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\BenQ\QMedia Center\PCMService.exe"
    O4 - HKLM\..\Run: [QMusic] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
    O4 - HKLM\..\Run: [Q-MediaBar] "C:\Program Files\BenQ\Q-MediaBar\QBar.exe"
    O4 - HKLM\..\Run: [AceAgent] C:\Program Files\BenQ\BenQ JoyFamily SmartManager\csp.exe
    O4 - HKLM\..\Run: [QMessenger] C:\Program Files\BenQ\BenQ JoyFamily SmartManager\QMessenger.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~2\TRAYAP~1.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: PowerReg Scheduler V3.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)


    Please can someone help me remove this **** off my computer :( :( :(
     
  5. etaf

    etaf Moderator

    Joined:
    Oct 2, 2003
    Messages:
    65,294
    First Name:
    Wayne
  6. ruttinstag

    ruttinstag Thread Starter

    Joined:
    Sep 18, 2004
    Messages:
    146
    Thanks for the info, I downloaded the latest version of HijackThis and here is the scan log:


    Logfile of HijackThis v1.98.2
    Scan saved at 14:39:41, on 19/09/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\WINDOWS\System32\GEARSEC.EXE
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\System32\RoamMgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\1XConfig.exe
    C:\WINDOWS\System32\pctspk.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe
    C:\Program Files\BenQ\QMedia Center\PCMService.exe
    C:\Program Files\BenQ\QMusic2\QMAgent.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    C:\PROGRA~1\Nokia\NOKIAP~2\TRAYAP~1.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Documents and Settings\Hez\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://other.thenewsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://other.thenewsearch.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://other.thenewsearch.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://other.thenewsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://other.thenewsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://other.thenewsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://other.thenewsearch.com/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://other.thenewsearch.com/index.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://other.thenewsearch.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://other.thenewsearch.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://other.thenewsearch.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://other.thenewsearch.com/index.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://other.thenewsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://other.thenewsearch.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://other.thenewsearch.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://other.thenewsearch.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Q-HotkeyMgr] "C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe"
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\BenQ\QMedia Center\PCMService.exe"
    O4 - HKLM\..\Run: [QMusic] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
    O4 - HKLM\..\Run: [Q-MediaBar] "C:\Program Files\BenQ\Q-MediaBar\QBar.exe"
    O4 - HKLM\..\Run: [AceAgent] C:\Program Files\BenQ\BenQ JoyFamily SmartManager\csp.exe
    O4 - HKLM\..\Run: [QMessenger] C:\Program Files\BenQ\BenQ JoyFamily SmartManager\QMessenger.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~2\TRAYAP~1.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: PowerReg Scheduler V3.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O18 - Filter: text/html - {12F15728-9E13-4DAD-87F2-A52D87BC4F3C} - C:\WINDOWS\System32\msdoh.dll
    O18 - Filter: text/plain - {12F15728-9E13-4DAD-87F2-A52D87BC4F3C} - C:\WINDOWS\System32\msdoh.dll


    that is the full scan log, hopefully someone can help :confused:
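Both HijackThis logs in this thread (post 2 and post 6) show the pattern a log reviewer looks for: R0/R1 search and start pages pointing at an unfamiliar domain or at a local file, an unnamed O2 BHO in System32 that shares its CLSID with an O3 toolbar, O15 Trusted Zone additions, an O16 DPF entry that goes through the ms-its protocol, and, in the later log, O18 MIME filters on text/html and text/plain. As an added example (not from the thread, and not HijackThis's own code), the script below parses lines in this log format, applies those review heuristics, and diffs two runs to show what a partial clean-up left behind. The two log excerpts are constructed from the thread's logs, ALLOWED_HOSTS is an assumed allowlist of hosts the user set up themselves, and a hit means "review", not "delete".

```python
"""Triage and diff HijackThis-style logs (added example; constructed samples)."""
import re
from urllib.parse import urlparse

# Hosts the user is known to have configured themselves (constructed allowlist;
# the ISP default page in the thread's log is wanadoo.co.uk).
ALLOWED_HOSTS = {"www.wanadoo.co.uk", "www.microsoft.com", "www.msn.com"}

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed excerpt modelled on the thread's first log (HijackThis v1.97.7).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://other.thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Hez\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {722E8B26-1C44-460F-88BB-50C82B20E30E} - C:\WINDOWS\System32\msqsb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Neo Toolbar - {722E8B26-1C44-460F-88BB-50C82B20E30E} - C:\WINDOWS\System32\msqsb.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.50.173.250/othersearch.chm::/othersearch.exe
"""

# Constructed excerpt modelled on the thread's third log (after the toolbar was removed).
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://other.thenewsearch.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://other.thenewsearch.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://other.thenewsearch.com/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O18 - Filter: text/html - {12F15728-9E13-4DAD-87F2-A52D87BC4F3C} - C:\WINDOWS\System32\msdoh.dll
O18 - Filter: text/plain - {12F15728-9E13-4DAD-87F2-A52D87BC4F3C} - C:\WINDOWS\System32\msdoh.dll
"""


def parse(log_text):
    """Return [(section, body)] for every R*/O* line; other lines are skipped."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group("sec"), m.group("body")))
    return out


def _host(url):
    try:
        return urlparse(url).hostname or ""
    except ValueError:
        return ""


def triage(log_text):
    """Return [(section, reason, body)] for entries that deserve a second look."""
    entries = parse(log_text)
    bho_clsids = set()                      # CLSIDs registered as BHOs (O2 lines)
    for sec, body in entries:
        m = CLSID_RE.search(body)
        if sec == "O2" and m:
            bho_clsids.add(m.group(0).upper())
    hits = []
    for sec, body in entries:
        reason, low = None, body.lower()
        if sec in ("R0", "R1"):
            value = body.split(" = ", 1)[1] if " = " in body else ""
            if value.lower().startswith("file://"):
                reason = "search/start page redirected to a local file"
            elif value.lower().startswith(("http://", "https://")) and _host(value) not in ALLOWED_HOSTS:
                reason = "search/start page points at an unexpected host"
        elif sec == "O2" and "(no name)" in body and "\\system32\\" in low:
            reason = "unnamed BHO loaded from System32"
        elif sec == "O3":
            m = CLSID_RE.search(body)
            if m and m.group(0).upper() in bho_clsids:
                reason = "toolbar shares its CLSID with a BHO (same component)"
        elif sec == "O15":
            reason = "domain added to the Trusted Zone (weakened IE security zone)"
        elif sec == "O16":
            if "ms-its:" in low or ".chm" in low:
                reason = "DPF entry loads through the ms-its/CHM handler"
            elif IP_RE.match(_host(body.split(" - ")[-1])):
                reason = "DPF entry downloads from a bare IP address"
        elif sec == "O18" and ("text/html" in low or "text/plain" in low):
            reason = "MIME filter hooked on text/html or text/plain"
        if reason:
            hits.append((sec, reason, body))
    return hits


def diff_logs(before, after):
    """(removed, added) entries between two runs, ignoring order."""
    b, a = set(parse(before)), set(parse(after))
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for label, log in (("first log", LOG_BEFORE), ("third log", LOG_AFTER)):
        print(f"== {label}: {len(triage(log))} entries to review")
        for sec, reason, body in triage(log):
            print(f"  {sec}: {reason}\n      {body[:90]}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print(f"== diff: {len(removed)} entries gone, {len(added)} new: {[s for s, _ in added]}")
```

The diff is the useful part for a case like this one: removing the toolbar took the O2/O3/O15/O16 entries with it, but the R1 search-page values still point at the same domain and two O18 filters on the same System32 DLL family appeared, which is why the second-opinion log in post 6 was still worth a full review rather than a "looks clean" verdict.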
     
  7. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,837
    I have merged both of your threads together as I saw something in the log in the other thread that didn't show in the one here.

    Download this: http://downloads.subratam.org/FINDnFIX.exe
    Extract it (it should autoextract to C:\FindnFix when you double click it)

    Go to the C:\FindnFix folder and doubleclick on !LOG!.BAT and let it run. It will generate a log.txt file. Copy and paste the log.txt back here in your next reply.

    Anyone else with a similar problem, do NOT attempt to follow these instructions on your own. Expert help is required to interpret the log and deleting the wrong file can cause serious damage to your system!
     
  8. ruttinstag

    ruttinstag Thread Starter

    Joined:
    Sep 18, 2004
    Messages:
    146
    Thanks, here's the log:

    Sun 19 Sep 04 15:39:55

    »»»»»»»»»»»»»»»»»»***LOG!***(*updated *9/1*)»»»»»»»»»»»»»»»»

    *System:
    Microsoft Windows XP Home Edition 5.1 Service Pack 1 (Build 2600)
    *IE version:
    6.0.2800.1106 SP1

    The type of the file system is FAT32.


    MS-DOS Version 5.00.500

    *command.com test passed!

    __________________________________
    !!*Creating backups...!!

    The operation completed successfully
    15:39:54.72 19/09/2004
    __________________________________

    *Local time:
    19 September 2004 (19/09/2004)
    15:39, GMT Standard Time
    *Uptime:
    15:39:55 up 0 days, 1:05:56

    *Path:
    C:\FINDnFIX
    ----------------------------------------------------
    »»Member of...: ("ADMIN" logon + group match required!)

    User is a member of group BENQ-CN42VWNEMQ\None.
    User is a member of group \Everyone.
    User is a member of group BUILTIN\Administrators.
    User is a member of group BUILTIN\Users.
    User is a member of group \LOCAL.
    User is a member of group NT AUTHORITY\INTERACTIVE.
    User is a member of group NT AUTHORITY\Authenticated Users.
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    Group BUILTIN\Administrators matches list.
    Group BUILTIN\Users matches list.

    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    User: [BENQ-CN42VWNEMQ\Hez], is a member of:

    BUILTIN\Administrators
    \Everyone

    Running in WORKSTATION MODE.

    SystemDrive is C:
    SystemRoot is C:\WINDOWS
    Logon Domain is BENQ-CN42VWNEMQ
    Administrator's Name is Hez
    Computer Name is BENQ-CN42VWNEMQ
    LOGON SERVER is \\BENQ-CN42VWNEMQ

    »»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»
    The list will produce a small database of files that will match certain criteria.
    Ex: read only files, s/h files, last modified date. size, etc.
    The filters provided and registry scan should match the
    corresponding file(s) listed.
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Unless the file match the entire criteria, it should not be pointed to remove
    without attempting to confirm it's nature!
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!
    If in doubt, always search the file(s) and properties according to criteria!

    The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder

    ______________________________________________________________________________
    ***YOU NEED TO DISABLE YOUR ACTIVE ANTI VIRUS PROTECTION TO AVOID CONFLICTS!***
    ______________________________________________________________________________

    ......Scanning for file(s)...
    *Note! The list(s) may include legitimate files!
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

    »»»»» (*1*) »»»»» .........
    »»Read access error(s)...


    »»»»» (*2*) »»»»»........

    »»»»» (*3*) »»»»»........

    No matches found.

    unknown/hidden files...

    No matches found.

    »»»»» (*4*) »»»»».........
    Sniffing..........
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    SNiF 1.34 statistics

    Matching files : 0 Amount in bytes : 0
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.DLL

    »»»»»(*5*)»»»»»

    »»»»»(*6*)»»»»»

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»»Search by size...
    *List of files and specs according to 'size' :
    *Note: Not all files listed here are infected, but *may include* the
    name and spces of the offending file...
    ___________________________________________________________________________
    Path: C:\WINDOWS\SYSTEM32 Including: *.DLL


    ____________________________________________________________________________
    *By size and date...


    No matches found.

    No matches found.

    No matches found.

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    SNiF 1.34 statistics

    Matching files : 0 Amount in bytes : 0
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.DLL
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    SNiF 1.34 statistics

    Matching files : 0 Amount in bytes : 0
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.DLL
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    SNiF 1.34 statistics

    Matching files : 0 Amount in bytes : 0
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.DLL

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»


    BHO search and other files...



    No matches found.

    No matches found.

    *sp.html found in temp folder:
    --a-- - - - - - 7,978 09-18-2004 sp.html
    File: <C:\DOCUME~1\Hez\LOCALS~1\Temp\sp.html>

    CRC-32 : 5032C23F

    MD5 : FF040545 640D855A 9AD71701 3636DA7B




    *Filter keys search...
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html
    CLSID = {12F15728-9E13-4DAD-87F2-A52D87BC4F3C}

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain
    CLSID = {12F15728-9E13-4DAD-87F2-A52D87BC4F3C}

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

    »»Checking for AppInit_DLLs (empty) value...
    ________________________________
    !"AppInit_DLLs"=""!

    Value Matches
    ________________________________

    »»Comparing *saved* key with *original*...

    REGDIFF 2.1 - Freeware written by Gerson Kurz (http://www.p-nand-q.com)

    Comparing File #1 (Keys1\winkey.reg) with File #2 (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows).

    No differences found.

    »»Dumping Values........
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs =
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM



    »»Performing string scan....
    00001150: vk f AppInit_DLLs G
    00001190: h vk UDeviceNotSelectedTimeout 1 5
    000011D0: ( 9 0 =t vk ' zGDIProcessHandle
    00001210:Quota" vk 8 Spooler2 y e s _ h
    00001250: ` vk 5swapdisk vk
    00001290: . TransmissionRetryTimeout h `
    000012D0: vk ' 2 USERProcessHandleQuota%
    00001310:
    00001350:
    00001390:
    000013D0:
    00001410:
    00001450:
    00001490:
    000014D0:
    00001510:
    00001550:
    00001590:
    000015D0:

    ---------- WIN.TXT
    fùAppInit_DLLs֍æG
    --------------
    --------------
    $01180: AppInit_DLLs
    $011AF: UDeviceNotSelectedTimeout
    $011FF: zGDIProcessHandleQuota
    $01298: TransmissionRetryTimeout
    $012E8: USERProcessHandleQuota
    --------------
    --------------
    No strings found.

    --------------
    --------------
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    .............
    -----------------------

    »»»»»»Backups list...»»»»»»
    15:41:20 up 0 days, 1:07:21
    -----------------------
    Sun 19 Sep 04 15:41:20


    C:\FINDNFIX\
    keyback.hiv Sun 19 Sep 2004 15:39:56 A.... 8,192 8.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 8,192 bytes 8.00 K

    C:\FINDNFIX\KEYS1\
    winkey.reg Sun 19 Sep 2004 15:39:56 A.... 287 0.28 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 287 bytes 0.28 K

    *Temp backups...

    "C:\Documents and Settings\Hez\Local Settings\Temp\Backs2\"
    keyback2.hi_ 19 Sep 2004 8192 "keyback2.hi_"
    winkey2.re_ 19 Sep 2004 287 "winkey2.re_"

    2 items found: 2 files, 0 directories.
    Total of file sizes: 8,479 bytes 8.28 K
    -D---- JUNKXXX 00000000 15:39.56 19/09/2004
    A----- STARTIT .BAT 00000060 15:39.56 19/09/2004

    ________________________________________________________________________________
    ***THE FIX IS NOT COMPATIBLE WITH EARLIER;UNPATCHED VERSIONS OF WIN2K'(SP3 and BELLOW)'
    AND/OR LAX OF SECURITY UPDATES AND SERVICE PACKS FOR ALL PLATFORMS!
    MINIMAL REQUIREMENTS INCLUDE:
    _________XP HOME/PRO; SP1; IE6/SP1
    _________2K/SP4; IE6/SP1
    ________________________________________________________________________________
    »»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»
    -----END------
    Sun 19 Sep 04 15:41:21
    




    Hope you can make sense of it, cos I certainly can't :)
     
  9. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,837
    Please download and run the following programs:

    CWSHREDDER

    http://www.majorgeeks.com/download4086.html

    Close all browser windows, open cwshredder.exe then click "Fix" and let it run.

    Then restart your computer.

    IMPORTANT! To help prevent this from happening again, you should install all the Microsoft security patches and critical updates.

    AD-AWARE

    Go here: http://www.lavasoftusa.com/support/download/
    and download Ad-Aware SE Personal

    Install the program and launch it.

    First, in the bottom right-hand corner of the main window click on Check for updates now then click Connect and download the latest reference files.

    Then, in the main window: Click Start and under Select a scan Mode tick Perform full system scan.

    Then, deselect Search for negligible risk entries.

    To start the scan, click the Next button.

    When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and then click Next)

    Restart your computer.

    SPYBOT SEARCH & DESTROY

    http://majorgeeks.com/download2471.html

    Open Spybot Search & Destroy (click Start, Programs, Spybot S&D (Advanced Mode)). Click Online, Search for updates, Download all available updates. Close all browser windows, click ''Check for Problems''. Anything that needs to be fixed will show in red and have a green check in the box to the left. Click ''Fix Selected Problems'', then restart your computer.

    Then, after rebooting, please post another log and we’ll see what’s left to get rid of.
     
  10. ruttinstag

    ruttinstag Thread Starter

    Joined:
    Sep 18, 2004
    Messages:
    146
    Sorry for the delay in the reply, but my laptop couldn't connect to the internet using my wireless router as it locked up halfway through installing the Windows updates. Anyway, that's another story, but here's the log file after doing everything you said. I really appreciate the effort you're putting in to help me, by the way (y) :)



    Mon 20 Sep 04 00:26:56

    »»»»»»»»»»»»»»»»»»***LOG!***(*updated *9/1*)»»»»»»»»»»»»»»»»

    *System:
    Microsoft Windows XP Home Edition 5.1 Service Pack 2 (Build 2600)
    *IE version:
    6.0.2900.2180 SP2

    The type of the file system is FAT32.


    MS-DOS Version 5.00.500

    *command.com test passed!

    __________________________________
    !!*Creating backups...!!
    (*Backup already exist!)
    0:26:55.78 20/09/2004
    __________________________________

    *Local time:
    20 September 2004 (20/09/2004)
    00:26, GMT Standard Time
    *Uptime:
    00:26:57 up 0 days, 0:05:14

    *Path:
    C:\FINDnFIX
    ----------------------------------------------------
    »»Member of...: ("ADMIN" logon + group match required!)

    User is a member of group BENQ-CN42VWNEMQ\None.
    User is a member of group \Everyone.
    User is a member of group BUILTIN\Administrators.
    User is a member of group BUILTIN\Users.
    User is a member of group NT AUTHORITY\INTERACTIVE.
    User is a member of group NT AUTHORITY\Authenticated Users.
    User is a member of group \LOCAL.
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    Group BUILTIN\Administrators matches list.
    Group BUILTIN\Users matches list.

    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    User: [BENQ-CN42VWNEMQ\Hez], is a member of:

    BUILTIN\Administrators
    \Everyone

    Running in WORKSTATION MODE.

    SystemDrive is C:
    SystemRoot is C:\WINDOWS
    Logon Domain is BENQ-CN42VWNEMQ
    Administrator's Name is Hez
    Computer Name is BENQ-CN42VWNEMQ
    LOGON SERVER is \\BENQ-CN42VWNEMQ

    »»»»»»»»»»»»»»»»»»*** Note! ***»»»»»»»»»»»»»»»»
    The list will produce a small database of files that will match certain criteria.
    Ex: read only files, s/h files, last modified date. size, etc.
    The filters provided and registry scan should match the
    corresponding file(s) listed.
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Unless the file match the entire criteria, it should not be pointed to remove
    without attempting to confirm it's nature!
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    At times there could be several (legit) files flagged, and/or duplicate culprit file(s)!
    If in doubt, always search the file(s) and properties according to criteria!

    The file(s) found should be moved to \FINDnFIX\"junkxxx" Subfolder

    ______________________________________________________________________________
    ***YOU NEED TO DISABLE YOUR ACTIVE ANTI VIRUS PROTECTION TO AVOID CONFLICTS!***
    ______________________________________________________________________________

    ......Scanning for file(s)...
    *Note! The list(s) may include legitimate files!
    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»

    »»»»» (*1*) »»»»» .........
    »»Read access error(s)...


    »»»»» (*2*) »»»»»........

    »»»»» (*3*) »»»»»........

    No matches found.

    unknown/hidden files...

    No matches found.

    »»»»» (*4*) »»»»».........
    Sniffing..........
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    SNiF 1.34 statistics

    Matching files : 0 Amount in bytes : 0
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.DLL

    »»»»»(*5*)»»»»»

    »»»»»(*6*)»»»»»

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»»»»Search by size...
    *List of files and specs according to 'size' :
    *Note: Not all files listed here are infected, but *may include* the
    name and spces of the offending file...
    ___________________________________________________________________________
    Path: C:\WINDOWS\SYSTEM32 Including: *.DLL

    227. Dpwsockx Dll 57,344 . . . . A 8-04-04 8:56 am
    631. Msasn1 Dll 57,344 . . . . A 8-04-04 8:56 am
    199. Dmloader Dll 35,840 . . . . A 8-04-04 8:56 am
    364. Imgutil Dll 35,840 . . . . A 8-04-04 8:56 am
    1091. Umandlg Dll 35,840 . . . . A 8-04-04 8:56 am
    223. Dpvacm Dll 21,504 . . . . A 8-04-04 8:56 am
    274. Feclient Dll 21,504 . . . . A 8-04-04 8:56 am
    317. Hidserv Dll 21,504 . . . . A 8-04-04 8:56 am

    ____________________________________________________________________________
    *By size and date...


    C:\WINDOWS\SYSTEM32\
    dpwsockx.dll Wed 4 Aug 2004 8:56:42 A.... 57,344 56.00 K
    msasn1.dll Wed 4 Aug 2004 8:56:42 A.... 57,344 56.00 K

    2 items found: 2 files, 0 directories.
    Total of file sizes: 114,688 bytes 112.00 K

    C:\WINDOWS\SYSTEM32\
    dmloader.dll Wed 4 Aug 2004 8:56:42 A.... 35,840 35.00 K
    umandlg.dll Wed 4 Aug 2004 8:56:46 A.... 35,840 35.00 K
    imgutil.dll Wed 4 Aug 2004 8:56:42 A.... 35,840 35.00 K

    3 items found: 3 files, 0 directories.
    Total of file sizes: 107,520 bytes 105.00 K

    C:\WINDOWS\SYSTEM32\
    feclient.dll Wed 4 Aug 2004 8:56:42 A.... 21,504 21.00 K
    dpvacm.dll Wed 4 Aug 2004 8:56:42 A.... 21,504 21.00 K
    hidserv.dll Wed 4 Aug 2004 8:56:42 A.... 21,504 21.00 K

    3 items found: 3 files, 0 directories.
    Total of file sizes: 64,512 bytes 63.00 K

    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\DPWSOCKX.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\MSASN1.DLL
    SNiF 1.34 statistics

    Matching files : 2 Amount in bytes : 114688
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.DLL
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\DMLOADER.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\UMANDLG.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\IMGUTIL.DLL
    SNiF 1.34 statistics

    Matching files : 3 Amount in bytes : 107520
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.DLL
    Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

    Sniffed -> C:\WINDOWS\SYSTEM32\FECLIENT.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\DPVACM.DLL
    Sniffed -> C:\WINDOWS\SYSTEM32\HIDSERV.DLL
    SNiF 1.34 statistics

    Matching files : 3 Amount in bytes : 64512
    Directories searched : 1 Commands executed : 0

    Masks sniffed for: *.DLL

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»


    BHO search and other files...



    No matches found.

    "C:\WINDOWS\system32\"
    rtipxmib.dll 4 Aug 2004 31744 "rtipxmib.dll"

    1 item found: 1 file, 0 directories.
    Total of file sizes: 31,744 bytes 31.00 K

    --*sp.html in temp folder was NOT FOUND!--

    *Filter keys search...
    REGDMP: Unable to open key 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html' (2)

    --(*text/html Subkey was NOT FOUND!)--

    REGDMP: Unable to open key 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain' (2)

    --(*text/plain Subkey was NOT FOUND!)--

    »»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»
    »»Size of Windows key:
    (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

    Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

    »»Checking for AppInit_DLLs (empty) value...
    ________________________________
    !"AppInit_DLLs"=""!

    Value Matches
    ________________________________

    »»Comparing *saved* key with *original*...

    REGDIFF 2.1 - Freeware written by Gerson Kurz (http://www.p-nand-q.com)

    Comparing File #1 (Keys1\winkey.reg) with File #2 (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows).

    No differences found.

    »»Dumping Values........
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs =
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk =
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710

    »»Security settings for 'Windows' key:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER

    Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
    Read BUILTIN\Users
    Full access BUILTIN\Administrators
    Full access NT AUTHORITY\SYSTEM



    »»Performing string scan....
    00001150: vk f AppInit_DLLs G
    00001190: h vk UDeviceNotSelectedTimeout 1 5
    000011D0: ( 9 0 =t vk ' zGDIProcessHandle
    00001210:Quota" vk 8 Spooler2 y e s _ h
    00001250: ` vk 5swapdisk vk
    00001290: . TransmissionRetryTimeout h `
    000012D0: vk ' 2 USERProcessHandleQuota%
    00001310:
    00001350:
    00001390:
    000013D0:
    00001410:
    00001450:
    00001490:
    000014D0:
    00001510:
    00001550:
    00001590:
    000015D0:

    ---------- WIN.TXT
    fùAppInit_DLLs֍æG
    --------------
    --------------
    $01180: AppInit_DLLs
    $011AF: UDeviceNotSelectedTimeout
    $011FF: zGDIProcessHandleQuota
    $01298: TransmissionRetryTimeout
    $012E8: USERProcessHandleQuota
    --------------
    --------------
    No strings found.

    --------------
    --------------
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    .............
    A handle was successfully obtained for the
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
    This key has 0 subkeys.
    The AppInitDLLs value exists and reports as 2 bytes, including the 2 for string termination.

    [AppInitDLLs]
    Ansi string : ""
    0000 00 00 | ..
    -----------------------

    »»»»»»Backups list...»»»»»»
    00:28:26 up 0 days, 0:06:42
    -----------------------
    Mon 20 Sep 04 00:28:26


    C:\FINDNFIX\
    keyback.hiv Sun 19 Sep 2004 15:39:56 A.... 8,192 8.00 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 8,192 bytes 8.00 K

    C:\FINDNFIX\KEYS1\
    winkey.reg Sun 19 Sep 2004 15:39:56 A.... 287 0.28 K

    1 item found: 1 file, 0 directories.
    Total of file sizes: 287 bytes 0.28 K

    *Temp backups...

    "C:\Documents and Settings\Hez\Local Settings\Temp\Backs2\"
    keyback2.hi_ 19 Sep 2004 8192 "keyback2.hi_"
    winkey2.re_ 19 Sep 2004 287 "winkey2.re_"

    2 items found: 2 files, 0 directories.
    Total of file sizes: 8,479 bytes 8.28 K
    -D---- JUNKXXX 00000000 15:39.56 19/09/2004
    A----- STARTIT .BAT 00000060 00:26.56 20/09/2004

    ________________________________________________________________________________
    ***THE FIX IS NOT COMPATIBLE WITH EARLIER;UNPATCHED VERSIONS OF WIN2K'(SP3 and BELLOW)'
    AND/OR LAX OF SECURITY UPDATES AND SERVICE PACKS FOR ALL PLATFORMS!
    MINIMAL REQUIREMENTS INCLUDE:
    _________XP HOME/PRO; SP1; IE6/SP1
    _________2K/SP4; IE6/SP1
    ________________________________________________________________________________
    »»»»»*** www10.brinkster.com/expl0iter/freeatlast/FNF/ ***»»»»»
    -----END------
    Mon 20 Sep 04 00:28:26
     
  11. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,837
    I'm sorry, I should have been more specific. It's a Hijack This log that I need to see now please.
     
  12. ruttinstag

    ruttinstag Thread Starter

    Joined:
    Sep 18, 2004
    Messages:
    146
    Okey dokey, here's the hijack log:

    Logfile of HijackThis v1.98.2
    Scan saved at 01:24:28, on 20/09/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\System32\RoamMgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\1XConfig.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe
    C:\Program Files\BenQ\QMusic2\QMAgent.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    C:\PROGRA~1\Nokia\NOKIAP~2\TRAYAP~1.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Documents and Settings\Hez\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://other.thenewsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://other.thenewsearch.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://other.thenewsearch.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://other.thenewsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.50.179.61/search/se.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.179.61/search/se.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.179.61/search/se.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.179.61/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://69.50.179.61/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.50.179.61/search/se.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.179.61/search/se.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.179.61/search/se.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.179.61/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://69.50.179.61/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://other.thenewsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://other.thenewsearch.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.179.61/search/se.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.50.179.61/search/se.html
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Q-HotkeyMgr] "C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe"
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\BenQ\QMedia Center\PCMService.exe"
    O4 - HKLM\..\Run: [QMusic] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
    O4 - HKLM\..\Run: [Q-MediaBar] "C:\Program Files\BenQ\Q-MediaBar\QBar.exe"
    O4 - HKLM\..\Run: [AceAgent] C:\Program Files\BenQ\BenQ JoyFamily SmartManager\csp.exe
    O4 - HKLM\..\Run: [QMessenger] C:\Program Files\BenQ\BenQ JoyFamily SmartManager\QMessenger.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~2\TRAYAP~1.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Windows OLE Automation Server] C:\WINDOWS\system32\ole32aut.vbe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\RunServices: [Windows OLE Automation Server] C:\WINDOWS\system32\ole32aut.vbe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Windows OLE Automation Server] C:\WINDOWS\system32\ole32aut.vbe
    O4 - Startup: PowerReg Scheduler V3.exe
    O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:MAIN.MHT!http://69.50.179.61///search/1/user.chm::/user.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C43DB098-38F3-44AF-B840-6A1A9B312296}: NameServer = 195.92.195.94 195.92.195.95
     
  13. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,837
    Turn off system restore. On the desktop, right-click on My Computer, click properties, click system restore tab, check turn off system restore, click apply and then OK. Restart your computer. Once your system is clean you will turn it back on and create a new restore point.

    Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click “fix checked”.

    O4 - HKLM\..\Run: [Windows OLE Automation Server] C:\WINDOWS\system32\ole32aut.vbe

    O4 - HKLM\..\RunServices: [Windows OLE Automation Server] C:\WINDOWS\system32\ole32aut.vbe

    O4 - HKCU\..\Run: [Windows OLE Automation Server] C:\WINDOWS\system32\ole32aut.vbe

    O4 - Startup: PowerReg Scheduler V3.exe

    O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:MAIN.MHT!http://69.50.179.61///search/1/user.chm::/user.exe


    Then boot to safe mode (see how below), locate and delete these files and/or folders:

    C:\WINDOWS\system32\ole32aut.vbe - file

    How to restart to safe mode:
    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

    Because XP will not always show you hidden files and folders by default, go to Start - Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

    Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply" then "OK".

    Then reboot and post another log please.
     
  14. ruttinstag

    ruttinstag Thread Starter

    Joined:
    Sep 18, 2004
    Messages:
    146
    Thanks again, here's the new log:

    Logfile of HijackThis v1.98.2
    Scan saved at 10:03:53, on 20/09/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\System32\RoamMgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\1XConfig.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe
    C:\Program Files\BenQ\QMedia Center\PCMService.exe
    C:\Program Files\BenQ\QMusic2\QMAgent.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
    C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
    C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    C:\PROGRA~1\Nokia\NOKIAP~2\TRAYAP~1.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Documents and Settings\Hez\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://other.thenewsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://other.thenewsearch.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://other.thenewsearch.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://other.thenewsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://other.thenewsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://other.thenewsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://other.thenewsearch.com/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://other.thenewsearch.com/index.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://69.50.179.61/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://other.thenewsearch.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://other.thenewsearch.com/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://other.thenewsearch.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://other.thenewsearch.com/index.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://69.50.179.61/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://other.thenewsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://other.thenewsearch.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://other.thenewsearch.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://other.thenewsearch.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Q-HotkeyMgr] "C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe"
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\BenQ\QMedia Center\PCMService.exe"
    O4 - HKLM\..\Run: [QMusic] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
    O4 - HKLM\..\Run: [Q-MediaBar] "C:\Program Files\BenQ\Q-MediaBar\QBar.exe"
    O4 - HKLM\..\Run: [AceAgent] C:\Program Files\BenQ\BenQ JoyFamily SmartManager\csp.exe
    O4 - HKLM\..\Run: [QMessenger] C:\Program Files\BenQ\BenQ JoyFamily SmartManager\QMessenger.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
    O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~2\TRAYAP~1.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C43DB098-38F3-44AF-B840-6A1A9B312296}: NameServer = 195.92.195.94 195.92.19
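    As an added example (not code from this thread, from HijackThis or from FindnFix), here is a small Python triage script that applies the same reasoning Cookiegal used to the log lines above: it parses the R0/R1/O4/O16 entries, flags start/search settings that point at a bare IP, autoruns that launch a script file (the .vbe here; the list is widened to the usual Windows Script Host extensions), and DPF entries that pull an executable out of a CHM via ms-its:, then diffs the before and after logs so the entries cleared by the fix and the new O4 winupd entry in the follow-up log stand out. The sample lines are a subset copied from the two logs posted in this thread; the heuristics, regexes and function names are my own.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed samples: a subset of the lines from the two HijackThis logs
# posted in this thread (before and after the "fix checked" step).
BEFORE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.179.61/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.179.61/search/se.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Windows OLE Automation Server] C:\WINDOWS\system32\ole32aut.vbe
O4 - HKLM\..\RunServices: [Windows OLE Automation Server] C:\WINDOWS\system32\ole32aut.vbe
O4 - Startup: PowerReg Scheduler V3.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:MAIN.MHT!http://69.50.179.61///search/1/user.chm::/user.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C43DB098-38F3-44AF-B840-6A1A9B312296}: NameServer = 195.92.195.94 195.92.195.95
"""

AFTER_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://other.thenewsearch.com/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://other.thenewsearch.com/search.html
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C43DB098-38F3-44AF-B840-6A1A9B312296}: NameServer = 195.92.195.94 195.92.195.95
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# Script-style autorun targets: .vbe is the case in this thread; the others
# are the usual Windows Script Host extensions (my own list, extend as needed).
SCRIPT_RE = re.compile(r'\.(vbe|vbs|jse?|wsf|hta)(?=["\s]|$)', re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str   # e.g. "R0", "O4", "O16"
    body: str      # everything after "Rn - " / "On - "

    @property
    def line(self) -> str:
        return f"{self.section} - {self.body}"


def parse_log(text: str) -> List[Entry]:
    """Keep only the 'Xn - ...' entries; headers and process lists are dropped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def _bare_ip(host: Optional[str]) -> bool:
    if not host:
        return False
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def flag_entry(e: Entry) -> Optional[str]:
    """Reason to look closer, or None. Mirrors the picks made in the thread."""
    if e.section in ("R0", "R1") and " = " in e.body:
        value = e.body.split(" = ", 1)[1].strip().strip('"')
        host = urlparse(value).hostname        # None for local file paths
        if _bare_ip(host):
            return f"browser start/search setting points at bare IP {host}"
    elif e.section == "O4" and SCRIPT_RE.search(e.body):
        return "autorun launches a script file rather than an executable"
    elif e.section == "O16" and "ms-its:" in e.body.lower():
        return "DPF entry pulls an executable out of a CHM via ms-its:"
    return None


def triage(text: str) -> Dict[str, str]:
    """Map each flagged log line to the reason it was flagged."""
    result = {}
    for e in parse_log(text):
        reason = flag_entry(e)
        if reason:
            result[e.line] = reason
    return result


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """(entries gone after the fix, entries that are new in the follow-up log)."""
    b = {e.line for e in parse_log(before)}
    a = {e.line for e in parse_log(after)}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for line, reason in triage(BEFORE_LOG).items():
        print(f"FLAG  {reason}\n      {line}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print(f"\n{len(removed)} entries gone, {len(added)} new entries:")
    for line in added:
        print("  NEW ", line)
```

    The heuristics flag nothing in the follow-up log, so the new winupd entry only surfaces through the diff; that is the point of keeping both logs and comparing them rather than trusting pattern matches alone.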
     
  15. ruttinstag

    ruttinstag Thread Starter

    Joined:
    Sep 18, 2004
    Messages:
    146
    Also, every time I go to log on (at the Windows start-up screen) there's a message under my account that says there are 5 new mail messages even though there aren't any in Outlook Express. Is there any way of removing them? When I log on, a message appears every time saying that there's a problem with gearsec and asks if I want to send an error report to Microsoft. I don't know what gearsec is or does, but is there any way of stopping this?
     