1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Hijackthis Log, there must be something

Discussion in 'Virus & Other Malware Removal' started by soni, Sep 5, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. soni

    soni Thread Starter

    Joined:
    Jul 27, 2003
    Messages:
    36
    Hi there,

    I have always been quite careful when I browse website. Now, my brother has been browsing a lot, and I am not sure what he checked out, but my Hijcakthis log shows a lot of trash. Can you please check out and tell me what I can remove? Thanks a lot in advance.

    Logfile of HijackThis v1.97.7
    Scan saved at 11:43:37, on 5-9-2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ICQLite\ICQLite.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\WINDOWS\System32\wupdt64.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\WINDOWS\System32\hmkyzp.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...aults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ajax.netwerk.to/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
    O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\WINDOWS\System32\apuc.dll
    O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [Microsoft 64 Bit Runtime Updater] wupdt64.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [dxtpqe] C:\WINDOWS\System32\hmkyzp.exe
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
    O4 - HKLM\..\RunServices: [Microsoft 64 Bit Runtime Updater] wupdt64.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Microsoft 64 Bit Runtime Updater] wupdt64.exe
    O4 - HKCU\..\RunOnce: [DeleteSlotchBar] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\ISTbar\istbar.dll"
    O4 - HKCU\..\RunOnce: [Windows SR 2.0] C:\WINDOWS\cleanup2.bat
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Gelijkwaardige pagina's - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Koppelingspagina's - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Ontvang alles met FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Ontvang met FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...7568bc31da07:20bd3955a42ba1a87a16f17897c4ded1
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38112.6567592593
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28578.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FCDB34C5-2133-4AE6-8DB3-FE1D2B1E583F}: NameServer = 194.134.5.5 194.134.5.55
     
  2. MRBEEFY

    MRBEEFY

    Joined:
    Sep 5, 2004
    Messages:
    2
    O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll (get rid of that for a start man it took me a week to find it annoying thing) O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (this is a possibility) man you need spysweeper spyware blaster cw shredder adaware6 with updates spybot with updates clear cookies and temp internet files before scanning you got loads of it.
     
  3. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    First [please update to the latest version of hijacthis which is available here http://www.dotcomsecurity.org/

    Download Adaware SE http://www.lavasoftusa.com/support/download/
    The first step is updating your Ad-Aware SE. You can do this by going to the bottom right corner and clicking on the link that says "Check for Updates Now".
    Press "Continue" on the bottom right on your screen
    Next another pop-up will pop-up saying what type of update it is and what to do, press "Okay" and a download screen will come up downloading the update. Press "Finish" after the update is downloaded. Now select "Finish" then on the bvottom right of your Adaware screen click "Start".
    A new screen will pop-up and will say "Select a scan mode". You want to click "Use Custom Scanning Mode". Before you press "Start" on the bottom right click "Customize" right next to "Use Custom Scanning Mode".

    Select the following:

    In the General tab select:
    Keep it all the same

    In the Scanning tab select:
    Under Drivers Folders and Files-select Scan within archives
    Under Memory and Registry select all that is underneath it!
    Make sure your harddrive is selected when you press "Select Drives and Folders to scan"

    In the Advanced tab select:
    Make sure you have everything under the "Logfile Detail Level" selected.
    (This makes it easier for people from Lavasoft forums see what options you have selected)

    In the Startup, Defaults, and Interface tab select nothing.


    In the Tweak tab select:
    You may not be able to select certain things in the tweak tab, but do not be alarmed.
    Under scanning engine select:
    "Unload recognized processes during scanning"
    "Scan registry for all users instead of current users only"
    Under Cleaning Engine select:
    "Always try to unload modules before deletion"
    "During removal unload Explorer and IE if necessary"
    "Let Windows remove files in use at next boot"
    "Delete Quarantined objects after restoring"
    Under log files:
    "Include Basic Ad-Aware settings in log file"
    "Include additional Ad-Aware settings in log file"
    "Include reference summary in log file"
    "Include used command line parameters in log file"
    All of the other links are just fine.

    Press "Proceed" to save the settings


    Press "Next" on the bottom right hand corner.
    Ad-Aware SE will scan your computer for possible spyware threats or anything that you have on your computer that maybe spyware.
    Then click ”Next “ to remove any objects found_

    ______________________________________________________________
    Then rescan with hijack and post here your updated logfile please.
     
  4. soni

    soni Thread Starter

    Joined:
    Jul 27, 2003
    Messages:
    36
    It's getting really serious. I removed everything with Ad Aware and Search and Destroy. Then I used CW shredder, deleted most stuff in Windows Safe mode. But the thing is, when I think it's clean and I reboot... whenever I connect to the Internet, it automatically installs a lot of files on my C drive and so on. Can someone please help??

    Logfile of HijackThis v1.97.7
    Scan saved at 0:08:36, on 6-9-2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\ICQLite\ICQLite.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\WINDOWS\System32\wupdt64.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Winad Client\Winad.exe
    C:\Program Files\Winad Client\WinClt.exe
    C:\Program Files\ISTsvc\istsvc.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\Program Files\Internet Optimizer\actalert.exe
    C:\WINDOWS\System32\hmkyzp.exe
    c:\temp\msbb.exe
    C:\Program Files\Web_Rebates\WebRebates1.exe
    C:\Program Files\Web_Rebates\WebRebates0.exe
    C:\Program Files\BullsEye Network\bin\bargains.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=153636
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=153636
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slotch.com/?&account_id=153636
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=153636
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://ajax.netwerk.to/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll
    O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem301.dll
    O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
    O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\WINDOWS\System32\apuc.dll
    O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [Microsoft 64 Bit Runtime Updater] wupdt64.exe
    O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
    O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [ykokwcpewxbly] C:\WINDOWS\System32\hmkyzp.exe
    O4 - HKLM\..\Run: [fulqr] C:\WINDOWS\fulqr.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKLM\..\RunServices: [Microsoft 64 Bit Runtime Updater] wupdt64.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Microsoft 64 Bit Runtime Updater] wupdt64.exe
    O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\Soni.P3\LOCALS~1\Temp\djtopr1150.exe"
    O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Gelijkwaardige pagina's - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Koppelingspagina's - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Ontvang alles met FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Ontvang met FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: SideFind (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...7568bc31da07:20bd3955a42ba1a87a16f17897c4ded1
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38112.6567592593
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FCDB34C5-2133-4AE6-8DB3-FE1D2B1E583F}: NameServer = 194.134.5.5 194.134.5.55

    Thanks in davance!!
     
  5. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Printing this may help you

    1. Download this tool called about:Buster http://www.dotcomsecurity.org/downloads/AboutBuster.zip

    Unzip it to your Desktop.

    Start about:Buster. Then hit update. A new screen should pop up. On that screen, hit Check for Updates. If it says it found an update, hit Download Updates. If it doesnt find an update, it will automatically tell you and exit.

    Do nothing more with the program at this time.

    2. Click here http://www.lavasoftusa.com/support/download/ to download Ad-Aware SE and install. Open the program and click on "check for updates now" to make sure you have the latest reference file. If not, click *ok* and let it download and install the updates by clicking on *Finish* after the update download is completed. Exit the program.

    3. Print out these instructions so you have them handy as most of the steps need to be done in Safe Mode and you may not be able to go online.

    4. Make sure your PC is configured to show hidden files and folders....
    http://dotcomsecurity.org/forums/index.php?showtopic=57

    5. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok You may not find it, if not go on to step 6

    Scroll down and find the service called "Network Security Service." When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and, under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

    6. Reboot to Safe Mode http://dotcomsecurity.org/forums/index.php?showtopic=55



    7. Scan with Hijack This and put checks next to all the following, then with all other windows closed click "Fix Checked"



    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=153636

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=153636

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slotch.com/?&account_id=153636

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=153636

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://ajax.netwerk.to/

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll

    O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem301.dll

    O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll

    O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll

    O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll

    O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\WINDOWS\System32\apuc.dll

    O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll

    O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll

    O4 - HKLM\..\Run: [Microsoft 64 Bit Runtime Updater] wupdt64.exe

    O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe

    O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe

    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

    O4 - HKLM\..\Run: [ykokwcpewxbly] C:\WINDOWS\System32\hmkyzp.exe

    O4 - HKLM\..\Run: [fulqr] C:\WINDOWS\fulqr.exe

    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe

    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe

    O4 - HKLM\..\RunServices: [Microsoft 64 Bit Runtime Updater] wupdt64.exe

    O4 - HKCU\..\Run: [Microsoft 64 Bit Runtime Updater] wupdt64.exe

    O4 - HKLM\..\RunOnce: [djtopr1150.exe] "C:\DOCUME~1\Soni.P3\LOCALS~1\Temp\djtopr1150.exe"

    O9 - Extra button: SideFind (HKLM)

    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...7568bc31da07:20bd3955a42ba1a87a16f17897c4ded1

    O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab

    Now, search for, and delete if found, (some files may not be present after previous steps) the following files:

    C:\WINDOWS\System32\wupdt64.exe

    C:\Program Files\Winad Client
    e
    C:\Program Files\ISTsvc

    C:\Program Files\Internet Optimizer

    C:\WINDOWS\System32\hmkyzp.exe

    c:\temp\msbb.exe

    C:\Program Files\Web_Rebates

    C:\Program Files\BullsEye Network

    8. Go to Start->Run and type Regedit then click Ok. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    and highlight Services in the left pane. In the right pane, look for any of these entries:

    __NS_Service
    __NS_Service_2
    __NS_Service_3

    If any are listed, right-click that entry in the right pane and choose Delete.

    Again in Regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root and highlight Root in the Left Pane. In the right pane, look for these entries (the number at the end should correspond to the first one you deleted above):

    LEGACY___NS_Service
    LEGACY___NS_Service_2
    LEGACY___NS_Service_3

    If you find it, right-click it in the right-pane and choose delete.

    Remain in Safe Mode....

    9. Double click on about:Buster to start the program. Hit Start and then Ok. The program should start scanning. When it's finished, hit Exit and reboot, again in Safe Mode.

    Run about:Buster once more to make sure everything is ok. Reboot into Safe Mode when finished.

    Save the about:Buster report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

    10. Remaining in Safe Mode, Reconfigure Ad-Aware SE for a custom scan:

    Launch the program, and click on the Gear at the top of the start screen.

    Under "General Settings" all available options should be selected.

    Click the "Scanning" button.
    Under "Drives, Folders and Files," select "Scan within Archives".
    Click "Drives and folders to scan" and select your installed hard drives.
    Under "Memory & Registry," select all options.

    Click the "Advanced" button.
    Under "Logfile detail level," select all options.

    Click the "Defaults" button.
    If you want to keep your current settings for your homepage and searchpage,
    select "Read current settings from system." Otherwise, Ad-aware will reset them.

    Click the "Tweak" button.
    Under "Scanning Engine," select the following:
    "Unload recognized processes during scanning."
    Under "Cleaning Engine," select the following:
    "Always try to unload modules before deletion."
    "During removal unload Explorer and IE if necessary."
    "Let Windows remove files in use after reboot."
    Click on "Proceed" to save these Preferences.

    Run the Ad-Aware scan, making sure that the mode selected is "Use custom scanning options."

    When the scan is finished, the screen will tell you if anything has been found, click "Next." The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?"

    11. Clean out temporary and TIF files.....

    Delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example:

    C:\WINDOWS\Temp\

    C:\Temp\

    C:\Documents and Settings\username\Local Settings\Temp\

    Also delete your Temporary Internet Files, be sure to also select "delete all offline content."

    Empty your Recycle Bin and reboot into normal mode.

    12. Perform online virus scans at Trend Micro and Panda Software (See links below). Allow the programs to delete anything they may find. Reboot after each scan.

    13. Download and install this free anti-Trojan program: http://www.emsisoft.com/en/software/free/

    Perform a scan and allow the program to remove anything it may find.

    14. Go to the Windows Update site (see link below) to download and install ALL critical updates. Reboot when finished.

    15. NOTE: Two possibly three files may have been deleted from your computer by the hijacker and may need to be replaced. Check to see if these are missing.

    a. Control.exe

    b. hosts (with no extension)

    c. SDHelper.dll (if you are using Spybot Search & Destroy)

    If control. exe is missing
    Go here: http://www.spywareinfo.com/~merijn/...es.html#control
    and download the version of control.exe for your operating system. If you are running Windows 95/98/98SE/ME: copy it to C:\WINDOWS
    Windows 2000, copy it to c:\winnt\system32\.
    For Windows XP, copy it to c:\windows\system32\.

    Download the Hoster from here: http://members.aol.com/toadbee/hoster.zip
    Press 'Restore Original Hosts' and press 'OK'
    Exit Program.
    Note: if you were using a custom Hosts file you will need to replace any of those entries yourself

    If you have Spybot S&D installed and SDHelper.dll is missing, replace it
    Here
    and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

    16. Additionally, Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended here:
    http://www.spywareinfo.com/articles...ked/prevent.php
    QUOTE
    ActiveX controls and plug-ins

    * Download signed ActiveX controls (Prompt)
    * Download unsigned ActiveX controls (Disable)
    * Initialize and script ActiveX controls not marked as safe (Disable)
    * Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
    * Script ActiveX controls marked safe for scripting (Prompt)


    17. Reboot to Normal Mode, then scan with HijackThis and post a fresh log into this same thread along with your about:Buster log.


    Then get those windows updates for your system available at windows update or this will continue to happen.
     
  6. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/270349

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice