1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

HijackThis please help me

Discussion in 'Virus & Other Malware Removal' started by occydedeus, Jul 24, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. occydedeus

    occydedeus Thread Starter

    Joined:
    Apr 27, 2003
    Messages:
    53
    i got that homepage virus that when i open IE, i get some stupid "Easy Search" site.

    Logfile of HijackThis v1.97.7
    Scan saved at 6:12:01 PM, on 7/24/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\AlienAutopsy\TEKS_Service.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\PestPatrol\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\WINDOWS\FSScrCtl.exe
    C:\Program Files\Pwrchute\ups.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    c:\program files\internet explorer\iexplore.exe
    c:\program files\internet explorer\iexplore.exe
    C:\Documents and Settings\Colin\Local Settings\Temporary Internet Files\Content.IE5\OX2J4HEF\HijackThis[1].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {27915058-896C-4C4E-B575-F88B16D03E70} - C:\WINDOWS\System32\mfplay.dll
    O2 - BHO: CleanMyPC Popup Blocker - {7A9BC6B1-7F27-47c6-A66D-13582E81E537} - C:\Program Files\CleanMyPC Popup Blocker\CleanBHO.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: CleanMyPC Toolbar - {04164EC4-1E48-4279-818E-3721931E7636} - C:\Program Files\CleanMyPC Popup Blocker\CleanBar.dll
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [Nrcu] C:\Documents and Settings\Colin\Application Data\acau.exe
    O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Researcher (HKLM)
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=Http://www.alienware.com
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/wildgames/stx/install.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Sponsor

  3. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,273
  4. occydedeus

    occydedeus Thread Starter

    Joined:
    Apr 27, 2003
    Messages:
    53
    the CWS Shredder got rid of the hompage hack, which is really cool. as well as that casino palazzo thing. i cant see any other problems so far but if there are any shown in this new log, it would be helpful to know. thanks. :)


    Logfile of HijackThis v1.98.0
    Scan saved at 9:24:59 AM, on 7/25/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\PestPatrol\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    C:\WINDOWS\FSScrCtl.exe
    C:\Program Files\AlienAutopsy\TEKS_Service.exe
    C:\Program Files\Pwrchute\ups.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Colin\Local Settings\Temporary Internet Files\Content.IE5\492JKLIN\HijackThis[1].exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    F0 - system.ini: Shell=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: CleanMyPC Popup Blocker - {7A9BC6B1-7F27-47c6-A66D-13582E81E537} - C:\Program Files\CleanMyPC Popup Blocker\CleanBHO.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: CleanMyPC Toolbar - {04164EC4-1E48-4279-818E-3721931E7636} - C:\Program Files\CleanMyPC Popup Blocker\CleanBar.dll
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [Nrcu] C:\Documents and Settings\Colin\Application Data\acau.exe
    O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=Http://www.alienware.com
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/wildgames/stx/install.cab
    O18 - Protocol: msero - {B0D92A71-886B-453B-A649-1B91F93801E7} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\MSERO.DLL
     
  5. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,273
    Not finished just yet.
    Rescan with hijack and put a check next to each of these then close all browser windows and click "fix checked"

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

    O4 - HKCU\..\Run: [Nrcu] C:\Documents and Settings\Colin\Application Data\acau.exe

    O14 - IERESET.INF: START_PAGE_URL=Http://www.alienware.com

    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/wildgames/stx/install.cab


    Then reboot your system into safe mode

    Then open windows explorer to find then delete:
    C:\Documents and Settings\Colin\Application Data\acau.exe

    Now you need to get over to windows update and get all critical updates for your system..

    In addition read this on tightening your security on your system.
     
  6. chubob

    chubob

    Joined:
    Aug 26, 2004
    Messages:
    7
    hi, it seems I'm having the same problem about the Easy Search homepage, no matter how many time i'd tried to solve it. AVG didn't help me, it just tells me i have a downloader.agent.bj trojan... I followed the instructions posted here, with the CWShredder ... but the search homepage is remaining... help please

    Logfile of HijackThis v1.97.7
    Scan saved at 01:13:54 a.m., on 26/08/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\ARCHIV~1\Grisoft\AVG6\avgserv.exe
    C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\ipkz32.exe
    C:\WINDOWS\Mixer.exe
    C:\ARCHIV~1\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\WINDOWS\winjm.exe
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    C:\Documents and Settings\ROBERTO JR\Escritorio\delVirus\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rftml.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rftml.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rftml.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rftml.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rftml.dll/sp.html#29126
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rftml.dll/sp.html#29126
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {24D78427-B916-4EF1-6574-F9CC427F1DFC} - C:\WINDOWS\iert32.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: T1msn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\01.02.2001.0001\es-mx\msntb.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\ARCHIV~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [winjm.exe] C:\WINDOWS\winjm.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Instantánea de caché de la página - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Páginas similares - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Páginas vinculadas - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmbacklinks.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.slotch.com
    O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093481110527
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  7. Styxx

    Styxx Banned

    Joined:
    Sep 8, 2001
    Messages:
    4,888
    You got a nasty bunch of stuff there, paticularly the about:blank hijack if I'm not mistaken.

    Get, install, run, update, immunize, and scan with Spybot Search & Destroy by clicking the colored link below. Remove all items found by Spybot by clicking Fix Checked, closing all open programs then restarting your computer.

    ***

    In the Add/Remove Programs control panel remove all unnecessary, unknown, demo or freebie programs you might have inadvertantly installed. Restart your computer after each removal.

    ***

    Get, install, update and activate all protections with SpywareBlaster from http://www.javacoolsoftware.com/index.html

    ***

    Get, install and run CWS Shredder (Cool Web Shredder) from http://www3.ns.sympatico.ca/c.bennett03/moboswindowclinic.html Open and hit the ->fix tab to fix all found problems.
     
  8. chubob

    chubob

    Joined:
    Aug 26, 2004
    Messages:
    7
    I did what you told me. There were many problems detected and fixed with the SpyBot S & D. And also I installed "PC-cillin antivirus". The problem of the about:blank seems to be solved... it seems to... but now, while navigating through the internet (and even not being connected) the PC-cillin is constantly popping with a "Virus Detected in *** file" the virus is always: TROJ_AGENT.EL , and the files cannot be healed, so they are moved to virus vault. This are files from the Windows / System directories so I'm affraid that I will be no longer able to execute windows xp. Any Help? This still has to do with Spyware?

    here I post a recent log:

    Logfile of HijackThis v1.97.7
    Scan saved at 09:34:14 p.m., on 31/08/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\ARCHIV~1\Grisoft\AVG6\avgserv.exe
    C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ipkz32.exe
    C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe
    C:\WINDOWS\Mixer.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe
    C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe
    C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe
    C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    C:\Documents and Settings\ROBERTO JR\Mis documentos\antivis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ckvlx.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ckvlx.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ckvlx.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ckvlx.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ckvlx.dll/sp.html#29126
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ckvlx.dll/sp.html#29126
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar1.dll
    O2 - BHO: (no name) - {E41A0FD6-AF30-AA3A-907A-E15D74D313B9} - C:\WINDOWS\atlcc32.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: T1msn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\01.02.2001.0001\es-mx\msntb.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe"
    O8 - Extra context menu item: &Google Search - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Instantánea de caché de la página - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Páginas similares - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Páginas vinculadas - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmbacklinks.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093481110527
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab




    ***

    (i tried removing the unnecessary programs but many of them are not even detected by the system... but, they're listed as if they were)
     
  9. Styxx

    Styxx Banned

    Joined:
    Sep 8, 2001
    Messages:
    4,888
    Contact a moderator (flrman1). your infected with Spyware (CWS Variant) that can not be deleted by the average user.
     
  10. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,273
    First lets have you update to the latest version of hijack, available from here http://www.dotcomsecurity.org/. Then rescan and post the log please after gettinbg over to windows update and getting all the updates your missing there.
     
  11. chubob

    chubob

    Joined:
    Aug 26, 2004
    Messages:
    7
    ok. Here's the log with the windows updates already done, and with the new version of the Hijack This... And the problem is getting worst, now a cannot access my yahoo or hotmail mail inbox:

    Logfile of HijackThis v1.98.2
    Scan saved at 07:43:37 p.m., on 01/09/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\ARCHIV~1\Grisoft\AVG6\avgserv.exe
    C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\ipkz32.exe
    C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe
    C:\WINDOWS\Mixer.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe
    C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe
    C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe
    C:\Archivos de programa\Grisoft\AVG6\avgcc32.exe
    C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
    C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
    C:\Archivos de programa\MSN Messenger\msnmsgr.exe
    C:\Documents and Settings\ROBERTO JR\Escritorio\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ckvlx.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ckvlx.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ckvlx.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ckvlx.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ckvlx.dll/sp.html#29126
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ckvlx.dll/sp.html#29126
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {676312D2-86B3-3491-7ADA-2D9E50FF786B} - C:\WINDOWS\javakm32.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar1.dll
    O3 - Toolbar: T1msn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\01.02.2001.0001\es-mx\msntb.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\Archivos de programa\Grisoft\AVG6\avgcc32.exe /startup
    O8 - Extra context menu item: &Google Search - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Instantánea de caché de la página - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Páginas similares - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Páginas vinculadas - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmbacklinks.html
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093481110527
     
  12. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,273
    Printing this may help you

    1. Download this tool called About:Buster http://www.dotcomsecurity.org/downloads/AboutBuster.zip

    Unzip it to your Desktop.

    Start About:Buster. Then hit update. A new screen should pop up. On that screen, hit Check for Updates. If it says it found an update, hit Download Updates. If it doesnt find an update, it will automatically tell you and exit.

    Do nothing more with the program at this time.

    2. Click here http://www.lavasoftusa.com/support/download/ to download Ad-Aware SE and install. Open the program and click on "check for updates now" to make sure you have the latest reference file. If not, click *ok* and let it download and install the updates by clicking on *Finish* after the update download is completed. Exit the program.

    3. Print out these instructions so you have them handy as most of the steps need to be done in Safe Mode and you may not be able to go online.

    4. Make sure your PC is configured to show hidden files and folders....
    http://dotcomsecurity.org/forums/index.php?showtopic=57

    5. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok You may not find it, if not go on to step 6

    Scroll down and find the service called "Network Security Service." When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and, under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

    6. Reboot to Safe Mode http://dotcomsecurity.org/forums/index.php?showtopic=55



    7. Scan with Hijack This and put checks next to all the following, then with all other windows closed click "Fix Checked"




    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ckvlx.dll/sp.html#29126

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ckvlx.dll/sp.html#29126

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ckvlx.dll/sp.html#29126

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ckvlx.dll/sp.html#29126

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ckvlx.dll/sp.html#29126

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ckvlx.dll/sp.html#29126


    O2 - BHO: (no name) - {676312D2-86B3-3491-7ADA-2D9E50FF786B} - C:\WINDOWS\javakm32.dll (file missing)

    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab

    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -



    Now, search for, and delete if found, (some files may not be present after previous steps) the following files:

    C:\WINDOWS\system32\ipkz32.exe
    C:\WINDOWS\javakm32.dll



    8. Go to Start->Run and type Regedit then click Ok. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    and highlight Services in the left pane. In the right pane, look for any of these entries:

    __NS_Service
    __NS_Service_2
    __NS_Service_3

    If any are listed, right-click that entry in the right pane and choose Delete.

    Again in Regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root and highlight Root in the Left Pane. In the right pane, look for these entries (the number at the end should correspond to the first one you deleted above):

    LEGACY___NS_Service
    LEGACY___NS_Service_2
    LEGACY___NS_Service_3

    If you find it, right-click it in the right-pane and choose delete.

    Remain in Safe Mode....

    9. Double click on About:Buster to start the program. Hit Start and then Ok. The program should start scanning. When it's finished, hit Exit and reboot, again in Safe Mode.

    Run About:Buster once more to make sure everything is ok. Reboot into Safe Mode when finished.

    Save the About:Buster report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

    10. Remaining in Safe Mode, Reconfigure Ad-Aware SE for a custom scan:

    Launch the program, and click on the Gear at the top of the start screen.

    Under "General Settings" all available options should be selected.

    Click the "Scanning" button.
    Under "Drives, Folders and Files," select "Scan within Archives".
    Click "Drives and folders to scan" and select your installed hard drives.
    Under "Memory & Registry," select all options.

    Click the "Advanced" button.
    Under "Logfile detail level," select all options.

    Click the "Defaults" button.
    If you want to keep your current settings for your homepage and searchpage,
    select "Read current settings from system." Otherwise, Ad-aware will reset them.

    Click the "Tweak" button.
    Under "Scanning Engine," select the following:
    "Unload recognized processes during scanning."
    Under "Cleaning Engine," select the following:
    "Always try to unload modules before deletion."
    "During removal unload Explorer and IE if necessary."
    "Let Windows remove files in use after reboot."
    Click on "Proceed" to save these Preferences.

    Run the Ad-Aware scan, making sure that the mode selected is "Use custom scanning options."

    When the scan is finished, the screen will tell you if anything has been found, click "Next." The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?"

    11. Clean out temporary and TIF files.....

    Delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example:

    C:\WINDOWS\Temp\

    C:\Temp\

    C:\Documents and Settings\username\Local Settings\Temp\

    Also delete your Temporary Internet Files, be sure to also select "delete all offline content."

    Empty your Recycle Bin and reboot into normal mode.

    12. Perform online virus scans at Trend Micro and Panda Software (See links below). Allow the programs to delete anything they may find. Reboot after each scan.

    13. Download and install this free anti-Trojan program: http://www.emsisoft.com/en/software/free/

    Perform a scan and allow the program to remove anything it may find.

    14. Go to the Windows Update site (see link below) to download and install ALL critical updates. Reboot when finished.

    15. NOTE: Two possibly three files may have been deleted from your computer by the hijacker and may need to be replaced. Check to see if these are missing.

    a. Control.exe

    b. hosts (with no extension)

    c. SDHelper.dll (if you are using Spybot Search & Destroy)

    If control. exe is missing
    Go here: http://www.spywareinfo.com/~merijn/winfiles.html#control
    and download the version of control.exe for your operating system. If you are running Windows 95/98/98SE/ME: copy it to C:\WINDOWS
    Windows 2000, copy it to c:\winnt\system32\.
    For Windows XP, copy it to c:\windows\system32\.

    Download the Hoster from here: http://members.aol.com/toadbee/hoster.zip
    Press 'Restore Original Hosts' and press 'OK'
    Exit Program.
    Note: if you were using a custom Hosts file you will need to replace any of those entries yourself

    If you have Spybot S&D installed and SDHelper.dll is missing, replace it
    Here
    and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

    16. Additionally, Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended here:
    http://www.spywareinfo.com/articles/hijacked/prevent.php
    QUOTE
    ActiveX controls and plug-ins

    * Download signed ActiveX controls (Prompt)
    * Download unsigned ActiveX controls (Disable)
    * Initialize and script ActiveX controls not marked as safe (Disable)
    * Run ActiveX controls and plug-ins (Enabled) (This actually refers to Java and Flash, not ActiveX)
    * Script ActiveX controls marked safe for scripting (Prompt)


    17. Reboot to Normal Mode, then scan with HijackThis and post a fresh log into this same thread along with your About:Buster log.
     
  13. chubob

    chubob

    Joined:
    Aug 26, 2004
    Messages:
    7
    Thanks a lot, now everything seems to be working fine... BUT still, I cannot access my yahoo or hotmail mail accounts.

    I followed every step

    Here's the about:Buster log:

    Scanned at: 09:42:21 p.m. on: 01/09/2004


    -- Scan 1 ---------------------------
    About:Buster Version 3.0
    Reference List : 15

    No ADS found on system
    Removed 3 Random Key Entries
    Attempted Clean Of Temp folder.
    Pages Reset... Done!





    The Hijack This log:

    Logfile of HijackThis v1.98.2
    Scan saved at 11:57:25 p.m., on 01/09/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\Mixer.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe
    C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe
    C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe
    C:\Archivos de programa\Grisoft\AVG6\avgcc32.exe
    C:\Archivos de programa\a2\a2guard.exe
    C:\ARCHIV~1\Grisoft\AVG6\avgserv.exe
    C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
    C:\Archivos de programa\Trend Micro\PC-cillin 9\Tmntsrv.exe
    C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCPFW.exe
    C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\ROBERTO JR\Mis documentos\antivis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\archivos de programa\google\googletoolbar1.dll
    O3 - Toolbar: T1msn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\01.02.2001.0001\es-mx\msntb.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\pccguide.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Archivos de programa\Trend Micro\PC-cillin 9\Pop3trap.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\Archivos de programa\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKCU\..\Run: [a²] "C:\Archivos de programa\a2\a2guard.exe"
    O8 - Extra context menu item: &Google Search - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Instantánea de caché de la página - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Páginas similares - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Páginas vinculadas - res://C:\Archivos de programa\Google\GoogleToolbar1.dll/cmbacklinks.html
    O12 - Plugin for .spop: C:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093481110527
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (Control HouseCall) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
     
  14. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,273
    Just these to go for now
    O3 - Toolbar: T1msn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Archivos de programa\MSN Apps\MSN Toolbar\01.02.2001.0001\es-mx\msntb.dll (file missing)

    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
     
  15. Styxx

    Styxx Banned

    Joined:
    Sep 8, 2001
    Messages:
    4,888
    Aside from the CWS exploit you have two (2) anti-virus programs installed at once. That will cause software conflicts and other issues making your operating system eventually malfunction and other malfunctions. Not the least of which could render both anti-virus programs ineffective. Remove one (PCcillin or AVG) from your Add/Remove Programs vontrrol panel then restart your computer, ASAP as properly coincides with the other posters' instructions.
     
  16. chubob

    chubob

    Joined:
    Aug 26, 2004
    Messages:
    7
    I tried removing the AVG through the Add/Remove Programs and through the program itself but when clicking "uninstal", a file appears missing and it cannot get uninstalled. I tried installing it again (for installing the missing file) but the problem remains. Is there any other way I can remove the AVG or the only left is just erasing the files manually.

    By the way, the yahoo and hotmail problem remains.

    Thank you for your patience.
     
  17. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/254071