1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Still got problems!

Discussion in 'Virus & Other Malware Removal' started by angry newby, Oct 6, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. angry newby

    angry newby Thread Starter

    Joined:
    Jul 22, 2003
    Messages:
    39
    Logfile of HijackThis v1.95.1
    Scan saved at 20:24:15, on 22/07/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Creative\SBLive\PlayCenter2\CTNMRUN.EXE
    C:\Program Files\Nikon\NkView6\NkvMon.exe
    C:\Program Files\Creative\ShareDLL\MediaDet.Exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AOL 7.0\waol.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Nick\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
    C:\WINDOWS\system32\notepad.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.coolwwwsearch.com/z/c/x1.cgi?656387 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolwwwsearch.com/z/a/x1.cgi?656387 about:blank (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.coolwwwsearch.com/z/a/x1.cgi?656387 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main\,HomeOldSP = http://www.coolwwwsearch.com/z/a/x1.cgi?656387 (obfuscated)
    O1 - Hosts: 66.250.171.167 auto.search.msn.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Window Cleaner - {A5DB2BDA-418F-47E8-9718-2FA9089D4E7E} - C:\PROGRA~1\PLAINW~1\WINDOW~1\WINDOW~1.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [CTAvTray] C:\Program Files\Creative\SBLive\Program\CTAvTray.EXE
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\Ontrack\SYSTEM~1\MemCheck.exe
    O4 - HKLM\..\Run: [sysPnP] C:\WINDOWS\System32\bootconf.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\SBLive\PlayCenter2\CTNMRUN.EXE"
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
    O9 - Extra button: Real.com (HKLM)
    O10 - Broken Internet access because of LSP provider 'wps.dll' missing
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.coolwwwsearch.com
    O15 - Trusted Zone: *.msn.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FDA0BFCE-4731-4A40-92A2-993EFB66BCDC}: NameServer = 195.93.50.134
    O19 - User stylesheet: C:\WINDOWS\default.css
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
  3. angry newby

    angry newby Thread Starter

    Joined:
    Jul 22, 2003
    Messages:
    39
    Hi i downloaded CW shreader and ran it as instructed. Unfortunately it has not got rid of 123FOUND>COM as my home page or AdultX dialer. Please help me rid my pc i hate seeing it on my desk top!
     
  4. BillC

    BillC

    Joined:
    May 28, 2003
    Messages:
    2,366
    Here are a couple of other free programs that might do the trick for you. Download Spybot - Search & Destroy from http://security.kolla.de After installing, first press Online, and search for, put a check mark at, and install all updates.Next, close all Internet Explorer and OE windows, hit 'Check for Problems', and have SpyBot remove all it finds that is marked in RED. That ought to get rid of most of your spyware.

    Next download & run Ad-Aware, from http://www.lavasoft.de open Ad-Aware & check for updates first then run it.

    See if that helps.
     
  5. BlueSpruce

    BlueSpruce

    Joined:
    Jul 24, 2003
    Messages:
    420
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
  7. angry newby

    angry newby Thread Starter

    Joined:
    Jul 22, 2003
    Messages:
    39
    Hi i downloaded hijack this Version 1.97 and this is the Scan Log
    Thanks to all who replyed!

    Logfile of HijackThis v1.97.2
    Scan saved at 20:37:32, on 07/10/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
    C:\WINDOWS\AdultX.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Nikon\NkView6\NkvMon.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Ontrack\SYSTEM~1\mxtask.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Tesconet\Tesconet.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Nick\Local Settings\Temp\Temporary Directory 1 for hijackthis1.97.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.123found.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\Ontrack\SYSTEM~1\MemCheck.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [AdultX] C:\WINDOWS\AdultX.exe -n
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O10 - Broken Internet access because of LSP provider 'wps.dll' missing
    O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net
    O15 - Trusted Zone: http://register-tesco.qa.business.ntl.com
    O15 - Trusted Zone: http://memberservices.tesco.net
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {4E544C53-6967-6E02-BBAD-233AD71832A8} (NTLSignup1 Class) - https://tesco.autoregister.net/tesco/NTLSignup.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{643E63FD-D178-49CA-8308-0C986268B7F9}: NameServer = 194.168.4.100 194.168.8.100
     
  8. angry newby

    angry newby Thread Starter

    Joined:
    Jul 22, 2003
    Messages:
    39
    Hi down loaded & ran hijack this version 1.97 this is the scan log. Thanks a lot for your interest and help!


    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Ontrack\SYSTEM~1\MXTask.exe
    C:\WINDOWS\AdultX.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Nikon\NkView6\NkvMon.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Ontrack\SYSTEM~1\mxtask.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Tesconet\Tesconet.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Nick\Local Settings\Temp\Temporary Directory 1 for hijackthis1.97.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.123found.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\Ontrack\SYSTEM~1\MemCheck.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [AdultX] C:\WINDOWS\AdultX.exe -n
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O10 - Broken Internet access because of LSP provider 'wps.dll' missing
    O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net
    O15 - Trusted Zone: http://register-tesco.qa.business.ntl.com
    O15 - Trusted Zone: http://memberservices.tesco.net
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {4E544C53-6967-6E02-BBAD-233AD71832A8} (NTLSignup1 Class) - https://tesco.autoregister.net/tesco/NTLSignup.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{643E63FD-D178-49CA-8308-0C986268B7F9}: NameServer = 194.168.4.100 194.168.8.100
     
  9. BlueSpruce

    BlueSpruce

    Joined:
    Jul 24, 2003
    Messages:
    420
  10. buckaroo

    buckaroo

    Joined:
    Mar 25, 2001
    Messages:
    3,334
    an,

    You can have HJT remove the following items. Close your browser, check the entry in HJT, click Fix. Reboot.


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.123found.com


    O4 - HKLM\..\Run: [AdultX] C:\WINDOWS\AdultX.exe -n


    ...this following entry, if your recognize the IP address as that of your ISP or network or router than leave it, otherwise, have HJT fix it too:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{643E63FD-D178-49CA-8308-0C986268B7F9}: NameServer = 194.168.4.100 194.168.8.100



    ...after rebooting, delete this file if still on your system:

    C:\WINDOWS\AdultX.exe -n


    Now download Spybot:

    http://www.safer-networking.org/index.php?lang=en&page=download

    ...after installing, have it go online and download all updates then have it check your system for any problems. Everything it finds in RED is safe to fix.

    After running Spybot, check you HJT log again. If this entry is still on your log:

    O10 - Broken Internet access because of LSP provider 'wps.dll' missing

    ...then go to this link for the fix:

    http://www.cexx.org/lspfix.htm

    :)
     
  11. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    O17 Domain Hijacking

    It's hard to explain this one. Windows uses several registry values to help resolve domain names to IP addresses. Hijacking these can result in redirects of a lot of pages for unknown reasons.

    Look at the address first. If it's an odd name or you don't know what it is, put it in your browser.

    Do a WhoIs search on it. WhoIs can be very useful indeed in this section.

    If it comes to an ISP or a company network then leave it.

    Unforunately, AOL changes these on every sign on to its rubbish service - if you use AOL you will have to live with that.

    You could also download Ad-Aware 6 and have it do a thorough cleaning of your unwanted files.

    Go here for the free Ad-Aware 6 Personal Build 181: http://www.lavasoft.de/support/download/

    Launch the program ... on the start-up screen, you will need to first run the Webupdate Feature (globe at the top), or click "check for updates" to get the Reference File up to date.

    Please use the Custom Scan with Memory and Both registry scans ON. Also.... make sure that you activate IN-DEPTH scanning before you proceed.

    Then see that you have these options checked:
    Under Ad-Aware 6 Settings, Tweaks, Scanning Engine:
    "Unload recognized processes during scanning."
    Under Ad-Aware 6 Settings, Tweaks, Cleaning Engine:
    "Let Windows remove files in use after reboot."

    Next ...

    Run Ad-Aware 6.
    Mark the objects you wish to eliminate for removal. There are many options available with a right-click.
    Make a Quarantine only if you do not have the Auto-Quarantine option ON.
    Then choose "Next" to remove the chosen objects.
    Finally ... Reboot

    Please read http://forums.techguy.org/t164245/s.html for further instructions, settings , etc.

    At that point, a fresh HT log would be useful.

    Once you are cleaned up, you might want to visit http://www.wilderssecurity.net/index.html and download the following:

    SpywareBlaster v2.6.1
    SpywareGuard v2.2

    These will prevent Active-X drive-by installations, as well as provide real-time browser hijacking protection.

    Lastly, consider installing IE-SPYAD, a registry file that adds a long list of known crapware to the Restricted Sites of your Internet Explorer: http://www.staff.uiuc.edu/~ehowes/resource.htm
     
  12. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    You might want to visit http://www.wilderssecurity.net/index.html and download the following:

    SpywareBlaster v2.6.1
    SpywareGuard v2.2

    These will prevent Active-X drive-by installations, as well as provide real-time browser hijacking protection.

    Lastly, consider installing IE-SPYAD, a registry file that adds a long list of known crapware to the Restricted Sites of your Internet Explorer: http://www.staff.uiuc.edu/~ehowes/resource.htm
     
  13. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Closed duplicate and merged triplicate. Hopefully everything still flows for you guys......
     
  14. angry newby

    angry newby Thread Starter

    Joined:
    Jul 22, 2003
    Messages:
    39
    Hi all. Many thanks to everyone who replied i really appreciate the help/ instruction. I did as instructed and checked the boxes in my hijack this log scan, then deleted the Adult-x dialer exe software. This time it did let me delete it so i was very pleased, but!
    after this when i connected to the internet no pages would be displayed. I was definitely connected because the icon was displayed and the box showing data speed transfer. Feeling brave! i opened system restore and restored to a point about a month ago (before all my hassle started). This seems to have worked and i am back on line! I see there are now a few more posts to my problem, some suggesting follow up advice about other anti-spyware software and the like. Unfortunately its hard for me to know what to do next. Obviously i don't want this to happen again but so many options are a little confusing for a newby like me!!
    Anyway thanks again for the help regards. Angry Newby.
     
  15. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Post a new hijack this log. Here, in this thread ;)
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/169973

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice