1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Help!! Winpup!!

Discussion in 'Virus & Other Malware Removal' started by _ViRuS_, Sep 22, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. _ViRuS_

    _ViRuS_ Thread Starter

    Joined:
    Sep 22, 2003
    Messages:
    15
    Help me! I can't use Internet explorer any more!

    I paste you the hijackthis result:

    Logfile of HijackThis v1.97.2
    Scan saved at 15.30.02, on 22/09/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAMMI\ROLAND\VSC30\VSC88CNF.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\PGPSDKSERV.EXE
    C:\PROGRAMMI\NETWORK ASSOCIATES\PGP FOR WINDOWS 98\PGPSERVICE.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\PTUDFAPP.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAMMI\CREATIVE\SHAREDLL\CTNOTIFY.EXE
    C:\PROGRAMMI\TIMESINK\ADGATEWAY\TSADBOT.EXE
    C:\WINDOWS\SYSTEM\PDESK.EXE
    C:\PROGRAMMI\FILE COMUNI\CMEII\CMESYS.EXE
    C:\PROGRAMMI\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAMMI\ROLAND\VSC30\VSCVOL88.EXE
    C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE
    C:\PROGRAMMI\CREATIVE\SHAREDLL\MEDIADET.EXE
    C:\PROGRAMMI\WILDTANGENT\APPS\GAMECHANNEL.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAMMI\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
    C:\PROGRAMMI\NETRATINGS\PREMETER\PRMT.EXE
    C:\PROGRAMMI\ISTSVC\ISTSVC.EXE
    C:\PROGRAM FILES\GMSOFT\DIALERS\EASYDATES_IT\EASYDATES_IT.EXE
    C:\PROGRAM FILES\WEBHANCER\PROGRAMS\WHAGENT.EXE
    C:\PROGRAMMI\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
    C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE
    C:\PROGRAMMI\MESSENGER\MSMSGS.EXE
    C:\WINDOWS\SYSTEM\CD_LOAD.EXE
    C:\PROGRAMMI\NETWORK ASSOCIATES\PGP FOR WINDOWS 98\PGPTRAY.EXE
    C:\PROGRAMMI\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAMMI\GATOR.COM\GATOR\GATOR.EXE
    C:\PROGRAMMI\PRECISIONTIME\PRECISIONTIME.EXE
    C:\PROGRAMMI\DATE MANAGER\DATEMANAGER.EXE
    C:\PROGRAMMI\RUTHERE\RUTH.EXE
    C:\PROGRAMMI\INTERVIDEO\COMMON\BIN\WINCINEMAMGR.EXE
    C:\PROGRAMMI\TINMESSENGER\TINMESSENGER.EXE
    C:\PROGRAMMI\FILE COMUNI\GMT\GMT.EXE
    C:\PROGRAMMI\SYMANTEC\LIVEUPDATE\NDETECT.EXE
    C:\DOCUMENTI\DOCUMENTI CONDIVISI\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.znext.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.znext.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.znext.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.znext.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.znext.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.znext.com/ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.tdmy.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.znext.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da FastWeb
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F0 - system.ini: Shell=Explorer.exe rpiyvhchm.exe
    O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\PROGRAM FILES\WEBHANCER\PROGRAMS\WHIEHLPR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {ED8DB0FD-D8F4-4b2c-BB5B-9EF040FE104D} - C:\PROGRAMMI\UCMORE\UCMIE.DLL
    O2 - BHO: (no name) - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\PROGRAMMI\COMET\BIN\CSBHO.DLL
    O2 - BHO: (no name) - {D44B5436-B3E4-4595-B0E9-106690E70A58} - C:\WINDOWS\APPLICATION DATA\JWQITRFROA.DLL
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - C:\WINDOWS\SYSTEM\BPKWB.DLL
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM214.DLL
    O3 - Toolbar: UCmore Toolbar - {53CBEE82-D747-11d3-9ED0-005004189684} - C:\PROGRAMMI\UCMORE\UCMIE.DLL
    O3 - Toolbar: Comet Toolbar - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\PROGRAMMI\COMET\BIN\CSIETB.DLL
    O3 - Toolbar: Accessories - {9B35A850-66AB-4c6d-8A66-136ECADCD904} - C:\WINDOWS\APPLICATION DATA\JWQITRFROA.DLL
    O3 - Toolbar: (no name) - {69550BE2-9A78-11d2-BA91-00600827878D} - C:\WINDOWS\SYSTEM\shdocvw.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: ZeroPopUp Bar - {72A58725-2635-4725-8C53-676DFD1FEB8D} - C:\WINDOWS\SYSTEM\ZEROPO~5.DLL
    O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRAMMI\ISTBAR\ISTBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NewsUpd] C:\Programmi\Creative\News\NewsUpd.EXE /q
    O4 - HKLM\..\Run: [Rilevatore di dischi] C:\Programmi\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [TimeSink Ad Client] "C:\Programmi\TimeSink\AdGateway\TSADBOT.EXE"
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\SYSTEM\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [CMESys] "C:\PROGRAMMI\FILE COMUNI\CMEII\CMESYS.EXE"
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [RealTray] C:\Programmi\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [sp] regedit -s C:\WINDOWS\sp.reg
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [vsc88cnf.wnd] C:\Programmi\Roland\VSC30\vsc88cnf.exe
    O4 - HKLM\..\Run: [vscvol88.exe] C:\Programmi\Roland\VSC30\vscvol88.exe
    O4 - HKLM\..\Run: [WT GameChannel] C:\Programmi\WildTangent\Apps\GameChannel.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
    O4 - HKLM\..\Run: [Disc Detector] C:\Programmi\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [Premeter] C:\PROGRA~1\NETRAT~1\PREMETER\PRMT.EXE
    O4 - HKLM\..\Run: [IST Service] C:\Programmi\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [EasyDates_it] C:\Program Files\GMSoft\Dialers\EasyDates_it\EasyDates_it.exe /dontdial
    O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
    O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [PGPSDKSVC] C:\WINDOWS\SYSTEM\PGPsdkServ.exe
    O4 - HKLM\..\RunServices: [PGPSERVICE] C:\Programmi\Network Associates\PGP for Windows 98\PGPservice.exe
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Programmi\File comuni\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKCU\..\Run: [MSMSGS] C:\Programmi\Messenger\msmsgs.exe /background
    O4 - HKCU\..\Run: [Cydoor] CD_Load.exe
    O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\chost00000\2710214.EXE -remove
    O4 - Startup: vpsched.lnk = C:\Programmi\Matrox - Strumenti video\vpsched.exe
    O4 - Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: PGPtray.lnk = C:\Programmi\Network Associates\PGP for Windows 98\PGPtray.exe
    O4 - Startup: Acrobat Assistant.lnk = ?
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: GStartup.lnk = C:\Programmi\File comuni\GMT\GatorRes.dll
    O4 - Startup: Gator eWallet.lnk = ?
    O4 - Startup: PrecisionTime.lnk = C:\PROGRA~1\PrecisionTime\PrecisionTime.exe
    O4 - Startup: Date Manager.lnk = C:\PROGRA~1\Date Manager\DateManager.exe
    O4 - Startup: Ruth.lnk = C:\Programmi\RUThere\ruth.cur
    O4 - Startup: InterVideo WinCinema Manager.lnk = C:\Programmi\InterVideo\Common\bin\WinCinemaMgr.exe
    O4 - Startup: C6 Client.LNK = C:\Programmi\TinMessenger\TinMessenger.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Programmi\Zone Labs\ZoneAlarm\zonealarm.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\SYSTEM\ZEROPO~5.DLL/MENUSEARCH.HTM
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Translate (HKLM)
    O9 - Extra 'Tools' menuitem: LingoWare Translator... (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by WebHancer
    O12 - Plugin for .bat: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .pif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .scr: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37876.5547106481

    HELP ME!!!
    THANKS!!!

    Dave
     
  2. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    This is the worst mess I've seen in a LONG time. You appear to have every form of malware known to man...

    Let's first get rid of everything you don;t need:
    In Hijack This, check all of the following items, then close all browser windows, and press "Fix Checked":

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.znext.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.znext.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.znext.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.znext.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.znext.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.znext.com/ie/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.tdmy.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.znext.com/ie/

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    F0 - system.ini: Shell=Explorer.exe rpiyvhchm.exe

    O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\PROGRAM FILES\WEBHANCER\PROGRAMS\WHIEHLPR.DLL
    O2 - BHO: (no name) - {ED8DB0FD-D8F4-4b2c-BB5B-9EF040FE104D} - C:\PROGRAMMI\UCMORE\UCMIE.DLL
    O2 - BHO: (no name) - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\PROGRAMMI\COMET\BIN\CSBHO.DLL
    O2 - BHO: (no name) - {D44B5436-B3E4-4595-B0E9-106690E70A58} - C:\WINDOWS\APPLICATION DATA\JWQITRFROA.DLL
    O2 - BHO: (no name) - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - C:\WINDOWS\SYSTEM\BPKWB.DLL
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM214.DLL

    O3 - Toolbar: UCmore Toolbar - {53CBEE82-D747-11d3-9ED0-005004189684} - C:\PROGRAMMI\UCMORE\UCMIE.DLL
    O3 - Toolbar: Comet Toolbar - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\PROGRAMMI\COMET\BIN\CSIETB.DLL
    O3 - Toolbar: Accessories - {9B35A850-66AB-4c6d-8A66-136ECADCD904} - C:\WINDOWS\APPLICATION DATA\JWQITRFROA.DLL
    O3 - Toolbar: (no name) - {69550BE2-9A78-11d2-BA91-00600827878D} - C:\WINDOWS\SYSTEM\shdocvw.dll
    O3 - Toolbar: ZeroPopUp Bar - {72A58725-2635-4725-8C53-676DFD1FEB8D} - C:\WINDOWS\SYSTEM\ZEROPO~5.DLL
    O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRAMMI\ISTBAR\ISTBAR.DLL

    O4 - HKLM\..\Run: [TimeSink Ad Client] "C:\Programmi\TimeSink\AdGateway\TSADBOT.EXE"
    O4 - HKLM\..\Run: [CMESys] "C:\PROGRAMMI\FILE COMUNI\CMEII\CMESYS.EXE"
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [sp] regedit -s C:\WINDOWS\sp.reg
    O4 - HKLM\..\Run: [Premeter] C:\PROGRA~1\NETRAT~1\PREMETER\PRMT.EXE
    O4 - HKLM\..\Run: [IST Service] C:\Programmi\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [EasyDates_it] C:\Program Files\GMSoft\Dialers\EasyDates_it\EasyDates_it.exe /dontdial
    O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
    O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
    O4 - HKCU\..\Run: [Cydoor] CD_Load.exe
    O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\chost00000\2710214.EXE -remove
    O4 - Startup: GStartup.lnk = C:\Programmi\File comuni\GMT\GatorRes.dll
    O4 - Startup: Gator eWallet.lnk = ?
    O4 - Startup: PrecisionTime.lnk = C:\PROGRA~1\PrecisionTime\PrecisionTime.exe
    O4 - Startup: Date Manager.lnk = C:\PROGRA~1\Date Manager\DateManager.exe

    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by WebHancer



    Now RESTART your computer, and delete ALL of the following folders in their entirety:

    C:\PROGRAM FILES\WEBHANCER
    C:\PROGRAMMI\UCMORE
    C:\PROGRAMMI\COMET
    C:\WINDOWS\SYSTEM\Zeropopup
    C:\PROGRAMMI\ISTBAR
    C:\Programmi\TimeSink
    C:\PROGRAMMI\FILE COMUNI\CMEII
    C:\Program Files\Netratings
    C:\Programmi\ISTsvc
    C:\Program Files\GMSoft
    C:\WINDOWS\SYSTEM\P2P NETWORKING
    c:\program files\GlobalDialer
    C:\Programmi\File comuni\GMT

    And the C:\WINDOWS\sp.reg file


    That will still not restore your Internet connectivity, but download this Winsock2 fix to a floppy, and run it on the affected machine: http://digital-solutions.co.uk/lavasoft/whndnfix.zip

    It does a fine job restoring internet connectivity caused by a corrupted LSP stack on Win 98 and ME systems.

    When everything works again, Download Spybot - Search & Destroy
    After installing, first press Online, and search for, put a check mark at, and install all updates.

    Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds.

    Then re-run Hijack This, and show us a fresh log.

    And you may find this a useful read:
    So how did I get infected with all that spyware in the first place?

    Good luck,
     
  3. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    AAAHH!............(rips hair out!)
    i just spent a half hour on this one here:
    http://forums.techguy.org/t151664/s.html

    actually tony...... there was one hawk and myself worked on yesterday that was worse:D
     
  4. _ViRuS_

    _ViRuS_ Thread Starter

    Joined:
    Sep 22, 2003
    Messages:
    15
    Thanks a lot! but I think I haven't cancelled all the problems yet.

    Whatch this:

    Logfile of HijackThis v1.97.2
    Scan saved at 19.28.04, on 22/09/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAMMI\ROLAND\VSC30\VSC88CNF.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\PGPSDKSERV.EXE
    C:\PROGRAMMI\NETWORK ASSOCIATES\PGP FOR WINDOWS 98\PGPSERVICE.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\PTUDFAPP.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAMMI\CREATIVE\SHAREDLL\CTNOTIFY.EXE
    C:\WINDOWS\SYSTEM\PDESK.EXE
    C:\PROGRAMMI\ROLAND\VSC30\VSCVOL88.EXE
    C:\PROGRAMMI\WILDTANGENT\APPS\GAMECHANNEL.EXE
    C:\PROGRAMMI\CREATIVE\SHAREDLL\MEDIADET.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAMMI\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
    C:\PROGRAMMI\ISTSVC\ISTSVC.EXE
    C:\PROGRAMMI\MESSENGER\MSMSGS.EXE
    C:\PROGRAMMI\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
    C:\PROGRAMMI\ZONE LABS\ZONEALARM\ZONEALARM.EXE
    C:\PROGRAMMI\NETWORK ASSOCIATES\PGP FOR WINDOWS 98\PGPTRAY.EXE
    C:\PROGRAMMI\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
    C:\PROGRAMMI\TINMESSENGER\TINMESSENGER.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAMMI\DAP\DAP.EXE
    C:\PROGRAMMI\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fornito da FastWeb
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Rilevatore di dischi] C:\Programmi\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\SYSTEM\PDesk.exe /Autolaunch
    O4 - HKLM\..\Run: [RealTray] C:\Programmi\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [vsc88cnf.wnd] C:\Programmi\Roland\VSC30\vsc88cnf.exe
    O4 - HKLM\..\Run: [vscvol88.exe] C:\Programmi\Roland\VSC30\vscvol88.exe
    O4 - HKLM\..\Run: [WT GameChannel] C:\Programmi\WildTangent\Apps\GameChannel.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
    O4 - HKLM\..\Run: [Disc Detector] C:\Programmi\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programmi\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [IST Service] C:\Programmi\ISTsvc\istsvc.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [PGPSDKSVC] C:\WINDOWS\SYSTEM\PGPsdkServ.exe
    O4 - HKLM\..\RunServices: [PGPSERVICE] C:\Programmi\Network Associates\PGP for Windows 98\PGPservice.exe
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Programmi\File comuni\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKCU\..\Run: [MSMSGS] C:\Programmi\Messenger\msmsgs.exe /background
    O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\PROGRAMMI\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE" /autocheck
    O4 - Startup: vpsched.lnk = C:\Programmi\Matrox - Strumenti video\vpsched.exe
    O4 - Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: PGPtray.lnk = C:\Programmi\Network Associates\PGP for Windows 98\PGPtray.exe
    O4 - Startup: Acrobat Assistant.lnk = ?
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Ruth.lnk = C:\Programmi\RUThere\ruth.cur
    O4 - Startup: InterVideo WinCinema Manager.lnk = C:\Programmi\InterVideo\Common\bin\WinCinemaMgr.exe
    O4 - Startup: C6 Client.LNK = C:\Programmi\TinMessenger\TinMessenger.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Programmi\Zone Labs\ZoneAlarm\zonealarm.exe
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\SYSTEM\ZEROPO~5.DLL/MENUSEARCH.HTM
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Translate (HKLM)
    O9 - Extra 'Tools' menuitem: LingoWare Translator... (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .bat: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .pif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .scr: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37876.5547106481


    That's all! :)

    Dave
     
  5. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Well, it sure looks a lot better.

    This is the only item which remains to be fixed:

    O4 - HKLM\..\Run: [IST Service] C:\Programmi\ISTsvc\istsvc.exe

    After rebooting, delete that C:\Programmi\ISTsvc folder, if still there. Otherwise it's a clean log! :)

    More importantly, were you able to restore your internet connectivity using the Winsock2 fix?
     
  6. _ViRuS_

    _ViRuS_ Thread Starter

    Joined:
    Sep 22, 2003
    Messages:
    15
    YEAH!! It's perfect!!!

    Ehy guys, ... I LOVE YOU!!!

    See you soon!!!

    Dave
     
  7. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    If I may just add one

    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE

    This tends to hog resources in the background and isn't necessary unless you're a developer
     
  8. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Good to hear you're back on line! :)
     
  9. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    Nice to see you back too, Tony! :)
     
  10. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    Same here! :)
     
  11. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/166566

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice