1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

HiJack Log Please Help

Discussion in 'Virus & Other Malware Removal' started by Renamed&Closed10, Sep 11, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. Renamed&Closed10

    Renamed&Closed10 Account Closed Thread Starter

    Joined:
    Sep 10, 2003
    Messages:
    25
    Can someone please take a look at this and see if you can find any problems, thanks.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srng.net/search/9885/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9885&s=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9885&s=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O1 - Hosts: 216.177.73.139 auto.search.msn.com
    O1 - Hosts: 216.177.73.139 search.netscape.com
    O1 - Hosts: 216.177.73.139 ieautosearch
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\Toolbar\cnbabe.dll
    O2 - BHO: (no name) - {0352960F-47BE-11D5-AB93-00D0B760B4EB - (no file)
    O2 - BHO: (no name) - {0352960F-47BE-11D5-AB93-00D0B760B4EB} - C:\Program Files\ToPicks\Bin\HtCheck2.dll
    O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70A - (no file)
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\3.bin\MYBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0 - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {13F537F0-AF09-11d6-9029-0002B31F9 - (no file)
    O2 - BHO: (no name) - {13F537F0-AF09-11d6-9029-0002B31F9E - (no file)
    O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
    O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2a - (no file)
    O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2ab - (no file)
    O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2ab2 - (no file)
    O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2ab29 - (no file)
    O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2ab29b} - C:\Program Files\Srng\SNHelper.dll
    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E0189 - (no file)
    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E01898 - (no file)
    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981 - (no file)
    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9 - (no file)
    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E - (no file)
    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_20.dll
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5 - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7 - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E77 - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E777 - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7778 - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7778} - C:\Program Files\POP\pop167.dll (file missing)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF105 - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF1057 - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577 - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF105774 - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF1057747 - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473 - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7 - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74 - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74A - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74AC - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\3.bin\MYBAR.DLL
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\RunOnce: [Winsock2 driver] WUAUMQR.EXE
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: HP LaserJet 3150 Status.lnk = C:\jetsuite\JETSTAT.EXE
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Ebates - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Ebates (HKCU)
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by WebHancer
    O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://members.fortunecity.com/cindyscam/cindy.exe
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/10c4e5cca23043359915/netzip/RdxIE601Arcade.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {946B0485-8F8C-4C35-A6E7-D2115E3B0B4F} (HTMLAccess Class) - http://usa-download.nocreditcard.net/download/Object/DialerHTML/DHTMLAccessXP1043.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {B843DA96-2B2D-447E-90AB-B92929AA11AF} (HTMLDialer Class) - http://usa-download.nocreditcard.com/download/Object/DialerHTML/EGHTMLDialerXP.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://media.toontown.com/toontown/sv1.0.6.12/ttinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,253
    First Name:
    Derek
    Yep A lot of crud & problems there

    do this

    First

    download AdAware 6 181
    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".


    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and tick "Automaticly try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan it´s just to click the "Scan" button.

    When scan is finished, mark everything for removal and get rid of it.

    then
    Download Spybot - Search & Destroy from http://security.kolla.de

    After installing, first press Online, and search for, put a check mark at, and install all updates.
    Next, close all Internet Explorer and OE windows, hit 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.


    then post a new hijackthis log to check what is left
     
  3. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    First, go to Start>>Settings>>Control Panel>>Add/Remove Programs.
    There is a list of all programs in alphebetical order. If you find NewDotNet in the list, click Add/Remove and follow the uninstall Wizard. Repeat for the programs called WebHancer and MyBar or MyWay. You might not find both, or either of these programs in the Add/Remove Programs List. If you do uninstall any of these, Reboot before continuing.

    Run HijackThis again. Click Scan. Put a checkmark next to every one of the items below. Click Fix Checked.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srng.net/search/9885/search.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/...shnv9885&s=

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/...shnv9885&s=

    Don't fix this if you run a proxy server.
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

    O1 - Hosts: 216.177.73.139 auto.search.msn.com

    O1 - Hosts: 216.177.73.139 search.netscape.com

    O1 - Hosts: 216.177.73.139 ieautosearch

    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\Toolbar\cnbabe.dll

    O2 - BHO: (no name) - {0352960F-47BE-11D5-AB93-00D0B760B4EB - (no file)

    O2 - BHO: (no name) - {0352960F-47BE-11D5-AB93-00D0B760B4EB} - C:\Program Files\ToPicks\Bin\HtCheck2.dll

    O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70A - (no file)
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\3.bin\MYBAR.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0 - (no file)

    O2 - BHO: (no name) - {13F537F0-AF09-11d6-9029-0002B31F9 - (no file)

    O2 - BHO: (no name) - {13F537F0-AF09-11d6-9029-0002B31F9E - (no file)

    O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2a - (no file)

    O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2ab - (no file)

    O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2ab2 - (no file)

    O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2ab29 - (no file)

    O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2ab29b} - C:\Program Files\Srng\SNHelper.dll

    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E0189 - (no file)

    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E01898 - (no file)

    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981 - (no file)

    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9 - (no file)

    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E - (no file)

    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_20.dll

    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A - (no file)

    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5 - (no file)

    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E - (no file)

    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7 - (no file)

    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E77 - (no file)

    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E777 - (no file)

    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7778 - (no file)

    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7778} - C:\Program Files\POP\pop167.dll (file missing)

    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF105 - (no file)

    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF1057 - (no file)

    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577 - (no file)

    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF105774 - (no file)

    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF1057747 - (no file)

    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473 - (no file)

    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F - (no file)

    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7 - (no file)

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74 - (no file)

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74A - (no file)

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74AC - (no file)

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC - (no file)

    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\3.bin\MYBAR.DLL

    O4 - HKCU\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

    O4 - HKCU\..\RunOnce: [Winsock2 driver] WUAUMQR.EXE

    O9 - Extra button: Real.com (HKLM)

    O9 - Extra button: Ebates (HKCU)

    O10 - Hijacked Internet access by New.Net

    O10 - Hijacked Internet access by WebHancer

    O10 - Hijacked Internet access by WebHancer

    O10 - Hijacked Internet access by WebHancer

    O10 - Hijacked Internet access by WebHancer

    O10 - Broken Internet access because of LSP provider 'lsp.dll' missing

    O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://members.fortunecity.com/cindyscam/cindy.exe

    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/10c4e5cca23043...IE601Arcade.cab

    O16 - DPF: {946B0485-8F8C-4C35-A6E7-D2115E3B0B4F} (HTMLAccess Class) - http://usa-download.nocreditcard.ne...ccessXP1043.cab

    O16 - DPF: {B843DA96-2B2D-447E-90AB-B92929AA11AF} (HTMLDialer Class) - http://usa-download.nocreditcard.co...TMLDialerXP.cab

    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://media.toontown.com/toontown/...6.12/ttinst.cab

    Now you need to Reboot again.
    Delete the following files/folders from your computer:
    The Folder: C:\PROGRA~1\COMMON~2\Toolbar\
    The Folder: C:\Program Files\ToPicks\
    The Folder: C:\Program Files\MyWay\
    The Folder: C:\Program Files\Srng\
    The Folder: C:\Program Files\NewDotNet\
    The Folder: C:\Program Files\POP\
    The File: C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    The File: WUAUMQR.EXE

    You will have to search tp find that last file.

    Some of the items listed above may have been removed in previous steps, if not all of them are there, don't worry about it.

    Most of the spyware, should be gone now, but I would reccommend running Spybot Search & Destroy to clean up the rest. You had aquired a huge amount of Spyware. Try clicking Immunize in Spybot and following the instructions to prevent this from happening again.

    Once you are done with everything in this post, please post a new HijackThis log. Please post the whole log, including the top section as well. It gives us helpful information about your computer and OS.
     
  4. Renamed&Closed10

    Renamed&Closed10 Account Closed Thread Starter

    Joined:
    Sep 10, 2003
    Messages:
    25
    i did everything u said brendan then a error popped up and says

    an unexpected error has occured at procedure: modBackup_MakeBackup(sItem=O2 - BHO: (no name) - {03529960F-47BE-11D5-AB93-00D0B760B4EB - (no file)
     
  5. Renamed&Closed10

    Renamed&Closed10 Account Closed Thread Starter

    Joined:
    Sep 10, 2003
    Messages:
    25
    then it said that the webhancer program was in use now and i couldnt delete it what should i use?
     
  6. Metallica

    Metallica Malware Specialist

    Joined:
    Jan 28, 2003
    Messages:
    692
    Hi Corey0305,

    In HijackThis click Config and remove the checkmark before "make backups...."

    Then put a checkmark in front of all the items that are still there and reboot.

    That should enable you to get rid of it.

    Put the checkmark back in case of future use.

    Regards,

    Pieter
     
  7. Renamed&Closed10

    Renamed&Closed10 Account Closed Thread Starter

    Joined:
    Sep 10, 2003
    Messages:
    25
    Ok here is what i got after i ran the HiJack

    Logfile of HijackThis v1.97.0
    Scan saved at 3:06:44 PM, on 9/11/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    c:\jetsuite\jsdaemon.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\ToPicks\Bin\Idhost.exe
    C:\Program Files\iPod\bin\iPodManager.exe
    C:\PROGRA~1\COMMON~2\Toolbar\winnet.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\WUAUMQR.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\jetsuite\JETSTAT.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Microsoft Office\Office10\msoffice.exe
    c:\jetsuite\JSFMAN.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Documents and Settings\Jack O'Connor\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
    O2 - BHO: (no name) - {0352960F-47BE-11D5-AB93-00D0B760B4EB - (no file)
    O2 - BHO: (no name) - {0352960F-47BE-11D5-AB93-00D0B760B4EB} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {13F537F0-AF09-11d6-9029-0002B31F9E - (no file)
    O2 - BHO: (no name) - {13F537F0-AF09-11d6-9029-0002B31F9E5 - (no file)
    O2 - BHO: (no name) - {13F537F0-AF09-11d6-9029-0002B31F9E59 - (no file)
    O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: HP LaserJet 3150 Status.lnk = C:\jetsuite\JETSTAT.EXE
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Ebates - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm
    O9 - Extra button: Yahoo! Login (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab

    is it ok???
     
  8. Renamed&Closed10

    Renamed&Closed10 Account Closed Thread Starter

    Joined:
    Sep 10, 2003
    Messages:
    25
    i cant delete these two

    The Folder: C:\Program Files\ToPicks\

    The File: C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

    it says access is denied. make sure that the disk is not full or write-protected and that the file is not currently in use.
     
  9. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    Boot into safe mode, then delete those.
     
  10. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/163897

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice