
[Resolved] about: blank browser hijack

Discussion in 'Virus & Other Malware Removal' started by kracknuts, Sep 9, 2004.

Thread Status:
Not open for further replies.
  1. kracknuts (Thread Starter)

    Hi, my browser is redirected to some search site each time and I can't change the homepage. Every now and then I get bombarded with porn popups.

    Here's my HijackThis log file. What can I do?

    Logfile of HijackThis v1.97.2
    Scan saved at 4:36:05 PM, on 9/9/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
    D:\Program setups\remote\DRCS.exe
    C:\WINDOWS\VM_STI.EXE
    C:\PROGRA~1\INTERN~2\KEYAPP.EXE
    C:\PROGRA~1\INTERN~2\KEYAPP.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    D:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
    D:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\scagent.exe
    C:\WINDOWS\System32\svchost.exe
    D:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
    C:\WINDOWS\System32\wrsakp.exe
    C:\WINDOWS\System32\exdl.exe
    D:\Program setups\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.nz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {63AC4E3C-6514-4C6A-BCCE-15EC68151412} - C:\WINDOWS\madopew.dll
    O2 - BHO: sr - {FC2593E3-3E5A-410F-AF3D-82613CCE58E5} - c:\windows\sr.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: Real-time Monitor.lnk = ?
    O8 - Extra context menu item: &Download by NetAnts - D:\PROGRA~1\NETANTS\NAGet.htm
    O8 - Extra context menu item: Download &All by NetAnts - D:\PROGRA~1\NETANTS\NAGetAll.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: NetAnts (HKLM)
    O9 - Extra 'Tools' menuitem: &NetAnts (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.70/058364nz.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/en/SysWebTelecom.cab
    O16 - DPF: {F9F3920B-2F24-437A-A224-D49F0004A172} - http://www.net-viewer.com/dls/AutoInstall.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A79F120D-5534-4F29-BE29-09A6CAC00EE7}: NameServer = 202.27.184.3,202.27.184.5
     
  2. Rollin' Rog

  3. kracknuts (Thread Starter)

    Hi, here's the new scan log. It also added a porn dialer program; I've uninstalled it and I think that PC-cillin has taken care of that.

    Logfile of HijackThis v1.98.2
    Scan saved at 12:56:09 PM, on 9/10/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
    D:\Program setups\remote\DRCS.exe
    C:\WINDOWS\VM_STI.EXE
    C:\PROGRA~1\INTERN~2\KEYAPP.EXE
    C:\PROGRA~1\INTERN~2\KEYAPP.EXE
    C:\WINDOWS\System32\wrsakp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    D:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
    D:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\scagent.exe
    C:\WINDOWS\System32\svchost.exe
    D:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\DOWNLOAD\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.nz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {63AC4E3C-6514-4C6A-BCCE-15EC68151412} - C:\WINDOWS\madopew.dll
    O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
    O2 - BHO: sr - {FC2593E3-3E5A-410F-AF3D-82613CCE58E5} - c:\windows\sr.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
    O4 - HKLM\..\Run: [DRCS] D:\Program setups\remote\DRCS.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [RYFM] C:\WINDOWS\RYFM.exe
    O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Camera 301P
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - HKLM\..\Run: [AidemHotKey] C:\PROGRA~1\INTERN~2\KEYAPP.EXE
    O4 - HKLM\..\Run: [thlhhc] C:\WINDOWS\System32\wrsakp.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: Real-time Monitor.lnk = ?
    O8 - Extra context menu item: &Download by NetAnts - D:\PROGRA~1\NETANTS\NAGet.htm
    O8 - Extra context menu item: Download &All by NetAnts - D:\PROGRA~1\NETANTS\NAGetAll.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - D:\PROGRA~1\NETANTS\NetAnts.exe
    O9 - Extra 'Tools' menuitem: &NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - D:\PROGRA~1\NETANTS\NetAnts.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.70/058364nz.exe
    O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/en/SysWebTelecom.cab
    O16 - DPF: {F9F3920B-2F24-437A-A224-D49F0004A172} - http://www.net-viewer.com/dls/AutoInstall.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A79F120D-5534-4F29-BE29-09A6CAC00EE7}: NameServer = 202.27.184.3,202.27.184.5
    O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINDOWS\httpfilter.dll
    O18 - Filter: text/plain - {D4347A14-9D45-43F3-9245-FC0D2204FBE9} - C:\WINDOWS\madopew.dll
     
  4. Rollin' Rog

    Ok, let's try this for starters. The new log shows some additional entries associated with this Hijack.

    Have these instructions printed or in a convenient Notepad (or Wordpad) file so you can view them in Safe Mode. Have "show hidden (or all) files" checked in Folder Options > View in case you have to search for any hidden files to delete. Also ensure you do NOT have "hide file extensions..." enabled in Folder Options > View.

    Download and unzip to a convenient location the CoolWebShredder, CWShredder.exe available here: http://www.computercops.biz/downloads-cat-14.html

    Then:

    1 >> Restart in Safe Mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

    2 >> In Safe Mode run the CoolWebShredder and have it "fix" detected problems. Then run HijackThis and check and "fix" the following entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {63AC4E3C-6514-4C6A-BCCE-15EC68151412} - C:\WINDOWS\madopew.dll
    O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
    O2 - BHO: sr - {FC2593E3-3E5A-410F-AF3D-82613CCE58E5} - c:\windows\sr.dll

    You are going to have to verify the "bona fides" of this; I only see a few hits for it on the web. Leave it if you intentionally installed it and know what it does:

    O4 - HKLM\..\Run: [DRCS] D:\Program setups\remote\DRCS.exe

    O4 - HKLM\..\Run: [RYFM] C:\WINDOWS\RYFM.exe
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - HKLM\..\Run: [thlhhc] C:\WINDOWS\System32\wrsakp.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load

    O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINDOWS\httpfilter.dll
    O18 - Filter: text/plain - {D4347A14-9D45-43F3-9245-FC0D2204FBE9} - C:\WINDOWS\madopew.dll

    3 >> Go to Start > Run, enter cmd and a command shell will open. At the prompt carefully type and enter each line:

    del C:\WINDOWS\RYFM.exe
    del C:\WINDOWS\alchem.exe
    del C:\WINDOWS\System32\wrsakp.exe
    del C:\WINDOWS\System32\bridge.dll
    del C:\WINDOWS\httpfilter.dll
    del C:\WINDOWS\madopew.dll


    Additional cleanup instructions: Go to the Control Panel > Internet Options applet. Clear the Temporary Internet Cache, History and Offline Content. Go to the Programs tab and select "reset web settings", including your home page if it has been altered. You can reset that later to what you desire.

    Go to Start > Run, enter %temp% and then click Edit > Select All. Right click on the selected files and folders and delete them

    4 >> On reboot:

    I would recommend installing the latest Ad-Aware SE version and doing a full drive scan. Include the VX2 plugin. After the Ad-Aware cleaning, post a new HijackThis Scanlog.

    Ad-Aware Home Page


    http://download.lavasoft.de.edgesuite.net/public/plvx2cleaner.exe

    The VX2 plugin will be available in the "add-ons" window once installed and is run from there.
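Reading a HijackThis log section by section is the skill this whole thread turns on, so here is an added example that is not part of the thread and not code from HijackThis itself: a small Python triage script that applies the same kinds of checks Rollin' Rog makes above (R entries pointing at about: or file:// resources, a URLSearchHook with no backing file, unnamed BHOs or BHO DLLs sitting in a system directory, Run entries launching unrecognised files from the Windows root or System32, O16 ActiveX downloads from a bare IP address or a plain .exe, and any O18 MIME filter) to a constructed sample of log lines modelled on the ones posted here. The allowlist of known system files and the per-section rules are my own assumptions and deliberately small; a hit is a prompt to look closer, not a verdict.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.98 format, modelled on entries from this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Herbutto\LOCALS~1\Temp\sp.html
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {63AC4E3C-6514-4C6A-BCCE-15EC68151412} - C:\WINDOWS\madopew.dll
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [thlhhc] C:\WINDOWS\System32\wrsakp.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.70/058364nz.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINDOWS\httpfilter.dll
"""

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\",]+")   # drive-letter paths inside a Run command

# Assumed allowlist: well-known components that legitimately live directly in the
# Windows root or System32. Anything else found there is reported for review.
KNOWN_SYSTEM_FILES = {"ctfmon.exe", "nvcpl.dll", "nvmctray.dll", "msdxm.ocx", "nerocheck.exe"}
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32"}


def _unknown_in_system_dir(path):
    directory, _, base = path.rpartition("\\")
    return directory.lower() in SYSTEM_DIRS and base.lower() not in KNOWN_SYSTEM_FILES


def _check_r(body):
    # "HKCU\...\Main,Search Bar = about:NavigationFailure"
    _, _, value = body.partition(" = ")
    if value.strip().lower().startswith(("about:", "file://", "res://")):
        return "IE search/home setting points at a local or about: resource"
    return None


def _check_r3(body):
    return "URLSearchHook with no backing file" if body.endswith("(no file)") else None


def _check_bho(body):
    # "BHO: <name> - {CLSID} - <dll path>"
    parts = body.split(" - ")
    name, dll = parts[0].replace("BHO: ", "", 1), parts[-1]
    if name == "(no name)":
        return "BHO with no name"
    if _unknown_in_system_dir(dll):
        return "BHO DLL is an unrecognised file in a system directory"
    return None


def _check_run(body):
    for path in WIN_PATH_RE.findall(body):
        if _unknown_in_system_dir(path):
            return "Run entry launches an unrecognised file from a system directory"
    return None


def _check_dpf(body):
    url = body.rsplit(" - ", 1)[-1].strip()
    host = urlparse(url).hostname or ""
    try:
        ip_address(host)
        return "ActiveX download from a bare IP address"
    except ValueError:
        pass
    return "ActiveX entry downloads a bare executable" if url.lower().endswith(".exe") else None


def _check_filter(body):
    # MIME filters for text/html or text/plain are rare in legitimate software.
    return "MIME filter hooking a text content type"


CHECKS = {"R0": _check_r, "R1": _check_r, "R3": _check_r3, "O2": _check_bho,
          "O4": _check_run, "O16": _check_dpf, "O18": _check_filter}


def triage(log_text):
    """Return [(section, reason, line)] for entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if not match:
            continue
        section, body = match.groups()
        check = CHECKS.get(section)
        reason = check(body) if check else None
        if reason:
            findings.append((section, reason, line.strip()))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Run against the sample, the script reports ten entries: the three R lines, the empty URLSearchHook, both BHOs, the two Run entries for wrsakp.exe and bridge.dll, the ActiveX download from the bare IP, and the O18 filter; the Google start page, the NVIDIA and ctfmon Run entries, the Radio toolbar and the Macromedia Flash control pass through untouched.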
     
  5. kracknuts (Thread Starter)

    Awesome, it seems to be all cured. I've installed Ad-Aware and that add-on and run it, and it killed a few bugs.

    Here's my new log. Somehow this one doesn't look too good:
    O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/en/SysWebTelecom.cab

    Oh, and I seem to have lost my Notepad in the process... the system isn't able to find it when I try to open something.


    Logfile of HijackThis v1.98.2
    Scan saved at 3:37:36 PM, on 9/10/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
    D:\Program setups\remote\DRCS.exe
    C:\WINDOWS\VM_STI.EXE
    C:\PROGRA~1\INTERN~2\KEYAPP.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    D:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
    D:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\scagent.exe
    C:\WINDOWS\System32\svchost.exe
    D:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
    D:\Program setups\antispyware\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Herbutto\LOCALS~1\Temp\sp.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Herbutto\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.nz/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
    O4 - HKLM\..\Run: [DRCS] D:\Program setups\remote\DRCS.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Camera 301P
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AidemHotKey] C:\PROGRA~1\INTERN~2\KEYAPP.EXE
    O4 - HKLM\..\Run: [alchem] c:\windows\alchem.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: Real-time Monitor.lnk = ?
    O8 - Extra context menu item: &Download by NetAnts - D:\PROGRA~1\NETANTS\NAGet.htm
    O8 - Extra context menu item: Download &All by NetAnts - D:\PROGRA~1\NETANTS\NAGetAll.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - D:\PROGRA~1\NETANTS\NetAnts.exe
    O9 - Extra 'Tools' menuitem: &NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - D:\PROGRA~1\NETANTS\NetAnts.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.70/058364nz.exe
    O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/en/SysWebTelecom.cab
    O16 - DPF: {F9F3920B-2F24-437A-A224-D49F0004A172} - http://www.net-viewer.com/dls/AutoInstall.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A79F120D-5534-4F29-BE29-09A6CAC00EE7}: NameServer = 202.27.184.3,202.27.184.5
    O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINDOWS\httpfilter.dll
     
  6. kracknuts (Thread Starter)

    Oh, and that DRCS entry ([DRCS] D:\Program setups\remote\DRCS.exe) is fine. It's a program I installed to control the computer using a remote control.
     
  7. Rollin' Rog

    Not all is gone. Follow the same directions to start in Safe Mode again, run the CoolWebShredder, then HijackThis, and check and fix these entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Herbutto\LOCALS~1\Temp\sp.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Herbutto\LOCALS~1\Temp\sp.html

    O4 - HKLM\..\Run: [alchem] c:\windows\alchem.exe

    O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINDOWS\httpfilter.dll

    >> make sure alchem.exe and httpfilter.dll get deleted. Look for them manually.

    And yes, you can fix all these O16 entries:

    O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://64.156.31.70/058364nz.exe
    O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/en/SysWebTelecom.cab
    O16 - DPF: {F9F3920B-2F24-437A-A224-D49F0004A172} - http://www.net-viewer.com/dls/AutoInstall.exe

    Repost a new HijackThis Scanlog after being on the web for a bit, these things have a habit of returning when there are hidden dlls associated with them. If it does, we will have to look further using other tools.

    Edit: we need to see where this is coming from:

    C:\WINDOWS\system32\scagent.exe

    I believe it is a trojan.

    Before beginning, do a Ctrl-Alt-Del and terminate the process.

    Find and rename scagent.exe to scagent.bad (this may need to be done in Safe Mode)

    Download the file "getservice.zip", unzip it and run "runme.bat". Upload the text file it produces as an attachment.

    http://forums.techguy.org/attachment.php?attachmentid=38367
     
  8. kracknuts (Thread Starter)

    OK, done all that.

    Couldn't find these 2 in Safe Mode:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Herbutto\LOCALS~1\Temp\sp.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Herbutto\LOCALS~1\Temp\sp.html

    but found them in normal mode and fixed them.

    This one was nowhere to be seen:
    O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINDOWS\httpfilter.dll

    And deleted these files in c:\windows:
    alchem.ini
    httpfilter2.dll
    ttpfilter2.dll1

    Changed scagent.exe to scagent.bad.

    Here's the HijackThis log:
    Logfile of HijackThis v1.98.2
    Scan saved at 10:51:06 PM, on 9/10/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
    D:\Program setups\remote\DRCS.exe
    C:\WINDOWS\VM_STI.EXE
    C:\PROGRA~1\INTERN~2\KEYAPP.EXE
    C:\PROGRA~1\INTERN~2\KEYAPP.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    D:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
    D:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    D:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\Program setups\antispyware\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.nz/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
    O4 - HKLM\..\Run: [DRCS] D:\Program setups\remote\DRCS.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Camera 301P
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AidemHotKey] C:\PROGRA~1\INTERN~2\KEYAPP.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: Real-time Monitor.lnk = ?
    O8 - Extra context menu item: &Download by NetAnts - D:\PROGRA~1\NETANTS\NAGet.htm
    O8 - Extra context menu item: Download &All by NetAnts - D:\PROGRA~1\NETANTS\NAGetAll.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - D:\PROGRA~1\NETANTS\NetAnts.exe
    O9 - Extra 'Tools' menuitem: &NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - D:\PROGRA~1\NETANTS\NetAnts.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A79F120D-5534-4F29-BE29-09A6CAC00EE7}: NameServer = 202.27.184.3,202.27.184.5


    I'll attach the getservice text file.
    Hope all is good now :)
     


  9. Rollin' Rog

    Sorry I missed your reply, I just found it inadvertently.

    Yes the Scanlog looks good, but post another one so I can confirm.

    Also we will need to edit the registry to remove service startup for

    scagent.exe

    SERVICE_NAME: scagent
    (null)
    TYPE : 10 WIN32_OWN_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 0 IGNORE
    BINARY_PATH_NAME : "C:\WINDOWS\system32\scagent.exe" start
    LOAD_ORDER_GROUP :
    TAG : 0
    DISPLAY_NAME : Security Agent
    DEPENDENCIES :
    SERVICE_START_NAME: LocalSystem


    To do this, run regedit and navigate to the key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

    Scroll down under this key and look for Security Agent

    Verify you have the right "folder" by checking the right hand pane for

    C:\WINDOWS\system32\scagent.exe


    Then right click on "Security Agent" in the left pane and delete it.
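Before deleting a service key it is worth confirming which service actually references the suspect binary: the subkey under Services is named after SERVICE_NAME (here scagent), while DISPLAY_NAME ("Security Agent") is only a value stored inside it, and the binary path is the one property that ties the key to the file found on disk. As an added example that is not from the thread or from the getservice tool, this Python script parses a constructed dump in the same layout as the output posted above (the scagent record plus a legitimate Print Spooler record for contrast), pulls the executable out of BINARY_PATH_NAME while ignoring the surrounding quotes and the trailing "start" argument, and reports the exact key to remove only when exactly one service points at the given image path.

```python
import re

# Constructed sample in the "sc qc"-style layout posted in this thread: the scagent
# record from the thread plus a legitimate Print Spooler record for contrast.
SAMPLE_DUMP = r"""
SERVICE_NAME: scagent
(null)
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : "C:\WINDOWS\system32\scagent.exe" start
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Security Agent
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Spooler
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\spoolsv.exe
LOAD_ORDER_GROUP : SpoolerGroup
TAG : 0
DISPLAY_NAME : Print Spooler
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
"""

SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
FIELD_RE = re.compile(r"^([A-Z_]+)\s*:\s*(.*)$")   # "FIELD : value" lines of the dump


def parse_services(dump):
    """Split the dump into one dict per SERVICE_NAME block; '(null)' and blank lines are skipped."""
    services, current = [], None
    for raw in dump.splitlines():
        match = FIELD_RE.match(raw.strip())
        if not match:
            continue
        key, value = match.groups()
        if key == "SERVICE_NAME":
            current = {"SERVICE_NAME": value}
            services.append(current)
        elif current is not None:
            current[key] = value
    return services


def image_path(binary_path_name):
    """Executable part of BINARY_PATH_NAME: quoted paths end at the closing quote,
    unquoted paths are assumed to contain no spaces and end at the first space."""
    value = binary_path_name.strip()
    if value.startswith('"'):
        return value[1:value.index('"', 1)]
    return value.split(" ", 1)[0]


def registry_key_for(dump, suspect_exe):
    """Return the Services subkey (plus a few confirming properties) for the single
    service whose image is suspect_exe, or None when zero or several services match."""
    matches = [svc for svc in parse_services(dump)
               if image_path(svc.get("BINARY_PATH_NAME", "")).lower() == suspect_exe.lower()]
    if len(matches) != 1:
        return None
    svc = matches[0]
    return {
        "key": SERVICES_KEY + "\\" + svc["SERVICE_NAME"],
        "display_name": svc.get("DISPLAY_NAME", ""),
        "start_type": svc.get("START_TYPE", ""),
        "account": svc.get("SERVICE_START_NAME", ""),
    }


if __name__ == "__main__":
    hit = registry_key_for(SAMPLE_DUMP, r"C:\WINDOWS\system32\scagent.exe")
    if hit:
        print(f"Service key to remove: {hit['key']}")
        print(f"  shown in regedit as DISPLAY_NAME = {hit['display_name']!r}, "
              f"start {hit['start_type']}, runs as {hit['account']}")
    else:
        print("No single service references that image path")
```

Matching on the image path rather than on the display name is the point: a display name can be anything the installer chose, whereas the path is what you verified on disk when renaming the file, and the key name that comes back is the one to act on in regedit.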
     
  10. kracknuts (Thread Starter)

    Hi... OK, I deleted the scagent registry entry.

    Here is the HijackThis logfile.
    Hope all is well now.

    Logfile of HijackThis v1.98.2
    Scan saved at 6:03:10 PM, on 9/14/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
    D:\Program setups\remote\DRCS.exe
    C:\WINDOWS\VM_STI.EXE
    C:\PROGRA~1\INTERN~2\KEYAPP.EXE
    C:\PROGRA~1\INTERN~2\KEYAPP.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    D:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
    D:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    D:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
    C:\Documents and Settings\Herbutto\Desktop\runescape.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    D:\Program setups\antispyware\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.co.nz/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
    O4 - HKLM\..\Run: [DRCS] D:\Program setups\remote\DRCS.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Camera 301P
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AidemHotKey] C:\PROGRA~1\INTERN~2\KEYAPP.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: Real-time Monitor.lnk = ?
    O8 - Extra context menu item: &Download by NetAnts - D:\PROGRA~1\NETANTS\NAGet.htm
    O8 - Extra context menu item: Download &All by NetAnts - D:\PROGRA~1\NETANTS\NAGetAll.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - D:\PROGRA~1\NETANTS\NetAnts.exe
    O9 - Extra 'Tools' menuitem: &NetAnts - {57E91B47-F40A-11D1-B792-444553540000} - D:\PROGRA~1\NETANTS\NetAnts.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A79F120D-5534-4F29-BE29-09A6CAC00EE7}: NameServer = 202.27.184.3,202.27.184.5
     
  11. Rollin' Rog

    Yes it is. I will put a "resolved" on this and lock the thread. Because of the subject line, these are prone to folks piggybacking from Google searches rather than starting new topics as they should.

    If you need to have it re-opened just PM me.
     
Short URL to this thread: https://techguy.org/271922
