
HELP! So many problems with my computer!

Discussion in 'Virus & Other Malware Removal' started by lfcbookie, Feb 2, 2005.

  1. lfcbookie

    lfcbookie Thread Starter

    Joined:
    Feb 2, 2005
    Messages:
    75
    Hi everyone,

    Just recently my laptop has been very problematic.

    Firstly, I found my homepage kept resetting to an 'nws search engine' and I keep randomly getting similar sites popping up unwanted!

    Since then, I've found my computer becoming slow, with repeated 'Internet Explorer has encountered an error...' messages all over the place.

    Now I also seem to have no sound output for anything. I don't know if all these things are related, but something is obviously wrong.

    I don't know much at all about computers, so I really need some help to sort this out! :confused:

    I've read some other threads which seem to have similar problems to mine and have come across 'Hijack This' quite a lot. Do I need this?

    I downloaded it from a link I found on these forums, but when I tried to run a scan, it encountered an error which doesn't go away unless I press Ctrl+Alt+Del. It gets halfway through creating a log and the error comes up.

    Is this the right way to get a log? I've seen them posted on here and thought that would help, but I can't get one as this error keeps coming up.

    What should I do? Am I in the right place for this type of question?

    Many thanks in advance to anybody who can help.

    Cheers

    Chris :)
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,043
    Hi and welcome to TSG,

    Try to download it from the direct download site and see if it will work.

    Please do this. Click here: http://www.thespykiller.co.uk/files/hijackthis_sfx.exe
    to download Hijack This.

    It’s very important that you save it to its own folder on your hard drive, such as program files (not temporary files or the desktop), so that it can create proper back-ups and be able to restore them if necessary.

    Close all open windows and open Hijack This. Click “Scan”. When the scan is finished (it only takes a second), the scan button will change to “Save Log”. Click on “Save Log” and then save it to NotePad. Click on “Edit” – “Select all” – “copy” and then “paste” into the thread.

    DO NOT FIX ANYTHING YET; most items that appear in the log are harmless or even needed.
     
  3. lfcbookie

    lfcbookie Thread Starter

    Joined:
    Feb 2, 2005
    Messages:
    75
    Hi,

    OK, I shall try it again later today, because I am at work at the moment. I may well have had something else open when running it; perhaps this caused the error message to appear?

    Is it likely that the loss of sound etc. is all linked to the same problems as the homepage/pop-ups?

    If it isn't, will that be something separate from the internet security problem? Do all problems on your computer show up in this 'Hijack This' log?

    Cheers

    C
     
  4. lfcbookie

    lfcbookie Thread Starter

    Joined:
    Feb 2, 2005
    Messages:
    75
    Hi again,

    I tried to run Hijack This, but the error I mentioned still comes up. I've pasted it below. Where should I go from here?

    Chris

    An unexpected error has occurred at procedure: modMain_FixUNIXHostsFile()
    Error #62 - Input past end of file

    Please email me at [email protected], reporting the following:
    * What you were doing when the error occurred
    * How you can reproduce the error
    * A complete HijackThis scan log, if possible

    Windows version: Windows NT 5.01.2600
    MSIE version: 6.0.2800.1106
    HijackThis version: 1.99.0

    This message has been copied to your clipboard.
     
  5. lfcbookie

    lfcbookie Thread Starter

    Joined:
    Feb 2, 2005
    Messages:
    75
    Shameless bump, sorry! It's just driving me crazy!
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,043
    The sound problem may or may not be related to spyware.

    Let's try this and then afterward you may be able to run Hijack This.

    Do a couple of on-line virus scans at these links:

    http://housecall.trendmicro.com/ - be sure to check “auto clean” before scanning

    http://www.pandasoftware.com/activescan/


    Please download and run the following program(s):

    CWSHREDDER

    http://www.intermute.com/spysubtract/cwshredder_download.html

    Close all browser windows, open cwshredder.exe then click "Fix" and let it run.

    Then restart your computer.

    AD-AWARE

    Go here: http://www.lavasoftusa.com/support/download/
    and download Ad-Aware SE Personal

    Install the program and launch it.

    First, in the bottom right-hand corner of the main window click on Check for updates now then click Connect and download the latest reference files.

    Then, in the main window: Click Start and under Select a scan Mode tick Perform full system scan.

    Then, deselect Search for negligible risk entries.

    To start the scan, click the Next button.

    When the scan is finished, mark everything for removal and get rid of it. (Right-click the window, choose Select All from the drop-down menu and then click Next.)

    Restart your computer.


    SPYBOT SEARCH & DESTROY


    http://majorgeeks.com/download2471.html

    Open Spybot Search & Destroy (click Start, Programs, Spybot S&D (Advanced Mode)). Click Online, Search for updates, Download all available updates. Close all browser windows and click ''Check for Problems''. Anything that needs to be fixed will show in red and have a green check in the box to the left. Click ''Fix Selected Problems'', then restart your computer.

    Then, after rebooting, see if you can post a Hijack This log.
     
  7. lfcbookie

    lfcbookie Thread Starter

    Joined:
    Feb 2, 2005
    Messages:
    75
    OK, thanks for the tips.

    I shall try all this later today and hopefully have a Hijack This log to display!

    I seem to have sorted the no-sound problem now, so hopefully at least that will no longer trouble me!
     
  8. lfcbookie

    lfcbookie Thread Starter

    Joined:
    Feb 2, 2005
    Messages:
    75
    Hi,

    I wasn't able to complete all the things you suggested, but I did do a couple of them, which seemed to be quite productive. It has enabled me to complete a Hijack This log file now, so I will paste it here, and if you could help me with what to do from there that would be great!

    Thanks in advance, here goes:

    Logfile of HijackThis v1.99.0
    Scan saved at 18:02:26, on 04/02/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
    C:\WINDOWS\System32\SVPHOST.exe
    C:\WINDOWS\System32\svmhost.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\webHancer\Programs\whSurvey.exe
    C:\Program Files\Common files\updater\wupdater.exe
    C:\Program Files\Web_Rebates\WebRebates0.exe
    C:\WINDOWS\load.exe
    C:\WINDOWS\System32\bxugdhvwe.exe
    C:\Program Files\webHancer\Programs\whAgent.exe
    C:\WINDOWS\system32\msvc32.exe
    C:\WINDOWS\system32\lc32.exe
    C:\WINDOWS\System32\winis.exe
    C:\Program Files\Windows AdStatus\WinStat.exe
    C:\WINDOWS\System32\gah95on6.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Windows AdStatus\WinStatKeep.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\blueyonder IST\bin\mpbtn.exe
    C:\Program Files\Web_Rebates\WebRebates1.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0ml.net/cat
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://0ml.net/searchasst.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://0ml.net/cat
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://0ml.net/cat
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://0ml.net/cat
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0ml.net/cat
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://0ml.net/searchasst.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://0ml.net/cat
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://0ml.net/cat
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://0ml.net/searchasst.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie-search.com/srchasst.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://0ml.net/searchasst.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://0ml.net/searchasst.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://0ml.net/searchasst.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://0ml.net/cat
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://0ml.net/cat
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://broadband.blueyonder.co.uk/
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O1 - Hosts: 3466709097 www.your.com your.com
    O1 - Hosts: 3466709097 com.org
    O1 - Hosts: 3466690378 view.atdmt.com
    O1 - Hosts: 3466690378 click.atdmt.com
    O1 - Hosts: 3466690378 leader.linkexchange.com
    O1 - Hosts: 3466690378 leader.linkexchange.com
    O1 - Hosts: 3466690378 leader.linkexchange.com
    O1 - Hosts: 3466690378 leader.linkexchange.com
    O1 - Hosts: 3466690378 leader.linkexchange.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL
    O2 - BHO: (no name) - {1FA2CFC0-20FB-2C04-505D-5764FCEBD529} - C:\WINDOWS\System32\tihoeou.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
    O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10020} - C:\WINDOWS\System32\bmatfvnqvo.dll
    O2 - BHO: (no name) - {F2A4407B-FFBC-4A1F-A18A-0F68C3E0FC9E} - C:\WINDOWS\System32\jajab.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: The Simple Toolbar Search - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA99EB} - C:\WINDOWS\System32\rilyw91t2c.dll (file missing)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] bxugdhvwe.exe
    O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
    O4 - HKLM\..\Run: [Windows TM] SVPHOST.exe
    O4 - HKLM\..\Run: [Spool] C:\WINDOWS\system32\msvc32.exe
    O4 - HKLM\..\Run: [REGRUN] C:\WINDOWS\system32\lc32.exe
    O4 - HKLM\..\Run: [update] winis.exe
    O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
    O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
    O4 - HKLM\..\Run: [Microsoft Windows Update] svmhost.exe
    O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] bxugdhvwe.exe
    O4 - HKLM\..\RunServices: [Windows TM] SVPHOST.exe
    O4 - HKLM\..\RunServices: [update] winis.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows Update] svmhost.exe
    O4 - HKLM\..\RunOnce: [Windows TM] SVPHOST.exe
    O4 - HKLM\..\RunOnce: [Microsoft Windows Update] svmhost.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [WindowsRegKey upd4te2d4te] bxugdhvwe.exe
    O4 - HKCU\..\Run: [Windows TM] SVPHOST.exe
    O4 - HKCU\..\Run: [Microsoft Windows Update] svmhost.exe
    O4 - HKCU\..\RunOnce: [Microsoft Windows Update] svmhost.exe
    O4 - HKCU\..\RunOnce: [Windows TM] SVPHOST.exe
    O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
    O9 - Extra button: The Simple Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\rilyw91t2c.dll (file missing)
    O9 - Extra 'Tools' menuitem: The Simple Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\rilyw91t2c.dll (file missing)
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by WebHancer
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYesToContinue/ie/bridge-c6.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1103317839202
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O18 - Filter: text/html - {04E27D21-94F4-4C95-986E-DD2C264A2842} - C:\WINDOWS\System32\abjah.dll
    O18 - Filter: text/plain - {04E27D21-94F4-4C95-986E-DD2C264A2842} - C:\WINDOWS\System32\abjah.dll
    O23 - Service: InCD File System Service - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Panda Firewall Service - Unknown - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
    O23 - Service: Panda anti-virus service - Unknown - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
    O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
     
  9. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,043
    Download the LSP Fix just in case you lose your Internet connection as a result of removing WebHancer. It shouldn't happen and this is just a precaution, but if it does, run the LSP Fix to get the connection back and click the "I know what I'm doing" checkbox. (Don't do anything else.)

    Then click Finish.

    http://cexx.org/lspfix.htm

    Go to Control Panel - Add/Remove programs and remove:

    WebHancer
    Web_Rebates
    Windows AdStatus


    Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click “fix checked”.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0ml.net/cat

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://0ml.net/searchasst.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://0ml.net/cat

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://0ml.net/cat

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://0ml.net/cat

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://0ml.net/cat

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\_s.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://0ml.net/searchasst.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://0ml.net/cat

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://0ml.net/cat

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://0ml.net/searchasst.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie-search.com/srchasst.html (obfuscated)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://0ml.net/searchasst.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://0ml.net/searchasst.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://0ml.net/searchasst.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://0ml.net/cat

    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://0ml.net/cat

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL

    O1 - Hosts: 3466709097 www.your.com your.com
    O1 - Hosts: 3466709097 com.org
    O1 - Hosts: 3466690378 view.atdmt.com
    O1 - Hosts: 3466690378 click.atdmt.com
    O1 - Hosts: 3466690378 leader.linkexchange.com
    O1 - Hosts: 3466690378 leader.linkexchange.com
    O1 - Hosts: 3466690378 leader.linkexchange.com
    O1 - Hosts: 3466690378 leader.linkexchange.com
    O1 - Hosts: 3466690378 leader.linkexchange.com

    O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL

    O2 - BHO: (no name) - {1FA2CFC0-20FB-2C04-505D-5764FCEBD529} - C:\WINDOWS\System32\tihoeou.dll

    O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll

    O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10020} - C:\WINDOWS\System32\bmatfvnqvo.dll

    O2 - BHO: (no name) - {F2A4407B-FFBC-4A1F-A18A-0F68C3E0FC9E} - C:\WINDOWS\System32\jajab.dll

    O3 - Toolbar: The Simple Toolbar Search - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA99EB} - C:\WINDOWS\System32\rilyw91t2c.dll (file missing)

    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"

    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

    O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] bxugdhvwe.exe

    O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"

    O4 - HKLM\..\Run: [Windows TM] SVPHOST.exe

    O4 - HKLM\..\Run: [Spool] C:\WINDOWS\system32\msvc32.exe

    O4 - HKLM\..\Run: [REGRUN] C:\WINDOWS\system32\lc32.exe

    O4 - HKLM\..\Run: [update] winis.exe

    O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe

    O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe

    O4 - HKLM\..\Run: [Microsoft Windows Update] svmhost.exe

    O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] bxugdhvwe.exe

    O4 - HKLM\..\RunServices: [Windows TM] SVPHOST.exe

    O4 - HKLM\..\RunServices: [update] winis.exe

    O4 - HKLM\..\RunServices: [Microsoft Windows Update] svmhost.exe

    O4 - HKLM\..\RunOnce: [Windows TM] SVPHOST.exe

    O4 - HKLM\..\RunOnce: [Microsoft Windows Update] svmhost.exe

    O4 - HKCU\..\Run: [WindowsRegKey upd4te2d4te] bxugdhvwe.exe

    O4 - HKCU\..\Run: [Windows TM] SVPHOST.exe

    O4 - HKCU\..\Run: [Microsoft Windows Update] svmhost.exe

    O4 - HKCU\..\RunOnce: [Microsoft Windows Update] svmhost.exe

    O4 - HKCU\..\RunOnce: [Windows TM] SVPHOST.exe

    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

    O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm

    O9 - Extra button: The Simple Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\rilyw91t2c.dll (file missing)

    O9 - Extra 'Tools' menuitem: The Simple Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\WINDOWS\System32\rilyw91t2c.dll (file missing)

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    O10 - Hijacked Internet access by WebHancer

    O10 - Hijacked Internet access by WebHancer

    O10 - Hijacked Internet access by WebHancer

    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/C...e/bridge-c6.cab

    O18 - Filter: text/html - {04E27D21-94F4-4C95-986E-DD2C264A2842} - C:\WINDOWS\System32\abjah.dll

    O18 - Filter: text/plain - {04E27D21-94F4-4C95-986E-DD2C264A2842} - C:\WINDOWS\System32\abjah.dll




    Then boot to safe mode (see how below), locate and delete these files and/or folders:

    C:\PROGRA~1\INCREDIFIND - folder
    C:\Program Files\webHancer - folder
    C:\Program Files\Common files\updater - folder
    C:\Program Files\Web_Rebates - folder
    bxugdhvwe.exe - file
    SVPHOST.exe - file
    C:\WINDOWS\system32\msvc32.exe - file
    C:\WINDOWS\system32\lc32.exe - file
    winis.exe - file
    C:\Program Files\Windows AdStatus - folder
    C:\WINDOWS\System32\gah95on6.exe - file
    svmhost.exe - file
    bxugdhvwe.exe - file


    How to restart to safe mode:
    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

    Because XP will not always show you hidden files and folders by default, go to Start - Search and, under "More advanced search options", make sure there is a check by "Search System Folders", "Search hidden files and folders" and "Search system subfolders".

    Next click on My Computer. Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders", then click "Apply" and "OK".

    Reboot and post another Hijack This log.
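The log in post 8 and the fix list above are a manual triage of the same kinds of entries: hijacked start and search pages, hosts-file redirects, startup values that are bare filenames resembling system binaries, the same image registered under Run, RunServices and RunOnce, and the WebHancer LSP entries. As an added example (not part of the thread and not HijackThis's own code), here is a small Python script that does that first pass over such lines automatically. It assumes the "Rx - ..." / "Oxx - ..." line layout of the v1.99 log quoted above, uses a hand-picked set of legitimate binary names for the lookalike check, and treats the numbers on the O1 lines as IPv4 addresses written as one decimal number (a spelling hosts files accept), decoding them to dotted form; the sample log is constructed from entries in the thread.

```python
"""Triage of HijackThis-style log lines (added example; not HijackThis code).
Assumptions: line layout from the v1.99 log above; a hand-picked set of system
binary names; O1 numbers are IPv4 addresses written as one decimal number."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Names hijackers imitate with one-letter changes (hand-picked, not exhaustive).
KNOWN_SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "winlogon.exe", "services.exe",
                         "spoolsv.exe", "csrss.exe", "explorer.exe", "ctfmon.exe"}

# Constructed sample modelled on entries in the thread (raw string: backslashes
# stay exactly as HijackThis prints them).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://0ml.net/cat
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 3466709097 www.your.com your.com
O1 - Hosts: 3466690378 leader.linkexchange.com
O1 - Hosts: 3466690378 leader.linkexchange.com
O4 - HKLM\..\Run: [Windows TM] SVPHOST.exe
O4 - HKLM\..\RunServices: [Windows TM] SVPHOST.exe
O4 - HKLM\..\RunOnce: [Windows TM] SVPHOST.exe
O4 - HKLM\..\Run: [Microsoft Windows Update] svmhost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
"""

LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
O1_RE = re.compile(r"^Hosts: (\S+)\s+(.*)$")
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")


def dword_to_ip(value: int) -> str:
    """Decode an IPv4 address written as a single decimal number."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value")
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-letter lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(image: str):
    """Return the legitimate binary a filename imitates by one letter, else None."""
    name = image.lower()
    return next((k for k in KNOWN_SYSTEM_BINARIES
                 if name != k and edit_distance(name, k) == 1), None)


def triage(log_text: str) -> dict:
    """Walk a log once and collect what an analyst checks first."""
    f = {"start_pages": set(), "hosts": [], "duplicate_lines": [],
         "pathless_autoruns": [], "lookalikes": {}, "lsp_hijacks": 0}
    seen, keys_per_image = Counter(), defaultdict(set)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue                                  # header or blank line
        section, rest = m.groups()
        seen[line] += 1
        if seen[line] == 2:                           # same entry listed twice
            f["duplicate_lines"].append(line)
        if section in ("R0", "R1") and "=" in rest:
            host = urlsplit(rest.split("=", 1)[1].strip()).hostname
            if host:                                  # about:blank has none
                f["start_pages"].add(host)
        elif section == "O1" and (hm := O1_RE.match(rest)):
            addr, names = hm.groups()
            as_dword = addr.isdigit()
            f["hosts"].append((dword_to_ip(int(addr)) if as_dword else addr, names, as_dword))
        elif section == "O4" and (om := O4_RE.match(rest)):
            hive, key, _label, cmd = om.groups()
            exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
            if "\\" not in exe and ":" not in exe:    # bare name: found via search path
                f["pathless_autoruns"].append((f"{hive}\\{key}", exe))
                keys_per_image[exe.lower()].add(key)
                if known := lookalike_of(exe):
                    f["lookalikes"][exe.lower()] = known
        elif section == "O10":
            f["lsp_hijacks"] += 1
    # one image under several startup keys is redundant persistence
    f["multi_key_autoruns"] = {exe: sorted(k) for exe, k in keys_per_image.items() if len(k) > 1}
    return f


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample, the script reports 0ml.net as the only hijacked page host, decodes the two hosts-file numbers to 206.161.200.105 and 206.161.127.74, lists SVPHOST.exe and svmhost.exe as one-letter lookalikes of svchost.exe that are started from bare filenames, notes that SVPHOST.exe is registered under Run, RunOnce and RunServices, and counts the repeated O1 and O10 lines. The same checks applied to the full log above reproduce most of the fix list without any knowledge of the specific names, which is the point: the signals are structural (decimal hosts addresses, pathless autoruns, near-miss system names, redundant persistence), not a signature for this particular infection.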
     
  10. lfcbookie

    lfcbookie Thread Starter

    Joined:
    Feb 2, 2005
    Messages:
    75
    Hi,

    I've done all you said and have posted the new Hijack This log below.

    Just a couple of things before that.

    1. After starting in safe mode and restarting normally again, a message came up saying that I had changed the System Configuration Utility and it was in a different mode to usual. It was suggesting I put it back into general mode. Is this OK to do? I thought it would be, but it said that settings I had changed would be reset if I did (don't want to bring anything back, so thought I'd ask just in case!)

    2. When I was deleting the files/folders in safe mode, there were variations of these:

    bxugdhvwe.exe - file
    SVPHOST.exe - file
    C:\WINDOWS\system32\lc32.exe - file
    winis.exe - file
    C:\WINDOWS\System32\gah95on6.exe - file
    svmhost.exe - file

    I deleted all variations; hopefully that was OK?

    I couldn't find these when searching in safe mode, however:

    C:\Program Files\Web_Rebates - folder
    C:\Program Files\Windows AdStatus - folder

    Currently the files I did delete are all in the recycle bin; is this OK? Do I need to delete them from here?

    Here's the new log:

    Logfile of HijackThis v1.99.0
    Scan saved at 13:31:27, on 05/02/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\winis.exe
    C:\WINDOWS\System32\bxugdhvwe.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\blueyonder IST\bin\mpbtn.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://broadband.blueyonder.co.uk/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [update] winis.exe
    O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] bxugdhvwe.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\RunServices: [update] winis.exe
    O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] bxugdhvwe.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [WindowsRegKey upd4te2d4te] bxugdhvwe.exe
    O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1103317839202
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O23 - Service: InCD File System Service - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Panda Firewall Service - Unknown - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
    O23 - Service: Panda anti-virus service - Unknown - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
    O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)

    Thanks for all your help so far, and thanks again in advance!

    C
     
  11. lfcbookie

    lfcbookie Thread Starter

    Joined:
    Feb 2, 2005
    Messages:
    75
    Just thought I'd let you know that I've been using my laptop all day, following the instructions I have followed from you. I have yet to come across any problems so it seems it has been a success thus far!

    I guess the hijack this log may still have something on there that does not necessarily need to be there so i shall stay tuned for any other instructions.

    I would obviously like to be protected from stuff like this in the future. Are there any particular free programs or downloads that are highly recommended by you?

    Also, how do I know if things like the firewall, anti-virus software, etc. are on the correct settings? Basically, if you could give me some directions as to what is best to use and what to do to ensure the best possible protection, I'd really appreciate it.

    Many thanks

    C
     
  12. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,043
    First of all, what variations of those files did you delete? :eek:
    You were only to delete the exact files mentioned, not similar ones.

    Please list them here, you may have deleted something vital.

    You are also running in selective start-up which means you have some things unchecked in msconfig. Please go to start - run - type in msconfig and put a check mark by everything. If you get a message asking you if you want to revert to normal start-up, answer yes.

    There are still problems in the log but I need to see one in normal start-up before we proceed.
     
  13. lfcbookie

    lfcbookie Thread Starter

    Joined:
    Feb 2, 2005
    Messages:
    75
    Uh Oh Sorry! :(

    They haven't completely gone, they are in the recycle bin so if any of them need restoring they can be! Here they are:

    LC32.EXE-05CD37CA.pf
    lc32.exe (app)

    SVMHOST.EXE-3090C278.pf
    svmhost.exe (app)

    SVPHOST.EXE-2F2D7FAD.pf
    svphost.exe (app)

    WINIS.EXE-206CCA0F.pf

    BXUGDHVWE.EXE-174FD150.pf
    bxugdhvwe.exe-up.txt

    gah95on6.exe
    gah95on6.ini

    Here is the new log in normal mode:

    Logfile of HijackThis v1.99.0
    Scan saved at 18:46:10, on 05/02/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\winis.exe
    C:\WINDOWS\System32\bxugdhvwe.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\blueyonder IST\bin\mpbtn.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://broadband.blueyonder.co.uk/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [update] winis.exe
    O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] bxugdhvwe.exe
    O4 - HKLM\..\RunServices: [update] winis.exe
    O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] bxugdhvwe.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [WindowsRegKey upd4te2d4te] bxugdhvwe.exe
    O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1103317839202
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O23 - Service: InCD File System Service - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Panda Firewall Service - Unknown - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
    O23 - Service: Panda anti-virus service - Unknown - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
    O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
     
  14. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,043
    Those files were OK to delete. They are not variants, they are the same files but in the prefetch files.

    Rescan with Hijack This and have it fix these entries:

    O4 - HKLM\..\Run: [update] winis.exe

    O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] bxugdhvwe.exe

    O4 - HKLM\..\RunServices: [update] winis.exe

    O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] bxugdhvwe.exe

    O4 - HKCU\..\Run: [WindowsRegKey upd4te2d4te] bxugdhvwe.exe

    O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)


    Then in safe mode locate and delete:

    C:\WINDOWS\System32\winis.exe - file
    C:\WINDOWS\System32\bxugdhvwe.exe - file

    Then reboot and post another log please.
     
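    The instructions above boil down to two checks a malware analyst makes by eye on a HijackThis log: an O4 autorun entry whose command is a bare file name with no directory (it will be found through the PATH search order, which is why the files turn up in C:\WINDOWS\System32), and an O23 service whose binary is reported as "(file missing)". The following Python script is an added example, not part of this thread or of HijackThis; it applies those two checks to lines copied from the log posted above and also maps the prefetch file names listed earlier (EXENAME-HASH.pf) back to the executables they record, which is the point Cookiegal makes about them not being variants. The reason strings and the RunServices note are the example's own commentary.

```python
import re
from typing import Dict, List, Optional

# Lines copied from the HijackThis log posted in this thread (not constructed);
# the entries Cookiegal asked to have fixed are mixed in with benign ones.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [update] winis.exe
O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] bxugdhvwe.exe
O4 - HKLM\..\RunServices: [update] winis.exe
O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] bxugdhvwe.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WindowsRegKey upd4te2d4te] bxugdhvwe.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
"""

O4_HIVE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O4_STARTUP = re.compile(r"^O4 - Global Startup: (.*?) = (.*)$")
O23_SERVICE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
# Windows prefetch files are named <EXECUTABLE NAME>-<8 hex digits>.pf
PREFETCH = re.compile(r"^(.+)-[0-9A-Fa-f]{8}\.pf$")


def prefetch_to_exe(pf_name: str) -> Optional[str]:
    """Map a prefetch file name such as WINIS.EXE-206CCA0F.pf back to the
    executable it was created for (winis.exe). A prefetch entry records that
    a program ran; it is not a second copy or variant of the program."""
    m = PREFETCH.match(pf_name)
    return m.group(1).lower() if m else None


def executable_of(command: str) -> str:
    """Return the program part of an autorun command without its arguments.
    Quoted paths are taken whole; unquoted ones are cut at the first space,
    which is enough for the has-a-directory test below."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def is_bare_name(path: str) -> bool:
    """An entry with no drive or directory is resolved through the PATH
    search order at logon, which is why the log shows only 'winis.exe'
    while the file itself sits in C:\\WINDOWS\\System32."""
    return "\\" not in path and ":" not in path


def review_log(text: str) -> List[Dict[str, object]]:
    """Return the O4/O23 entries that deserve a second look, with reasons."""
    findings: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.strip()
        reasons: List[str] = []
        m = O4_HIVE.match(line)
        if m:
            _hive, key, _name, cmd = m.groups()
            if is_bare_name(executable_of(cmd)):
                reasons.append("autorun command has no full path")
            if key == "RunServices":
                # RunServices is a Windows 9x key that Windows XP does not
                # process, but malware installers still write to it.
                reasons.append("RunServices key is not used by Windows XP")
        m = O4_STARTUP.match(line)
        if m and is_bare_name(executable_of(m.group(2))):
            reasons.append("startup shortcut target has no full path")
        m = O23_SERVICE.match(line)
        if m and m.group(3).endswith("(file missing)"):
            reasons.append("service points at a file that no longer exists")
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


def fix_list(text: str) -> List[str]:
    """The lines to tick in HijackThis, in log order."""
    return [str(f["line"]) for f in review_log(text)]


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("    ->", reason)
    for pf in ("LC32.EXE-05CD37CA.pf", "WINIS.EXE-206CCA0F.pf", "bxugdhvwe.exe-up.txt"):
        print(pf, "->", prefetch_to_exe(pf))
```

    Run against the sample lines, fix_list() returns exactly the six entries listed in the post above, and nothing with a full path (igfxtray, qttask, ctfmon, the Office shortcut, the iPod service) is flagged. The bare-name test is a heuristic: a legitimate installer can also write a bare name, so the output is a list to review, not a verdict.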
  15. lfcbookie

    lfcbookie Thread Starter

    Joined:
    Feb 2, 2005
    Messages:
    75
    Hi again!

    Thanks thus far!

    I've done all you said, here's my new log:

    Logfile of HijackThis v1.99.0
    Scan saved at 22:25:51, on 05/02/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\blueyonder IST\bin\mpbtn.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://broadband.blueyonder.co.uk/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [update] winis.exe
    O4 - HKLM\..\Run: [WindowsRegKey upd4te2d4te] bxugdhvwe.exe
    O4 - HKLM\..\RunServices: [update] winis.exe
    O4 - HKLM\..\RunServices: [WindowsRegKey upd4te2d4te] bxugdhvwe.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [WindowsRegKey upd4te2d4te] bxugdhvwe.exe
    O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1103317839202
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O23 - Service: InCD File System Service - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Panda Firewall Service - Unknown - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
    O23 - Service: Panda anti-virus service - Unknown - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
     
Short URL to this thread: https://techguy.org/326101