websiteviewer and automatic dialup

Discussion in 'Virus & Other Malware Removal' started by danacolorado, Sep 21, 2004.

  1. danacolorado

    danacolorado Thread Starter

    Joined:
    Sep 20, 2004
    Messages:
    6
    Hi, I have a version of the WebSiteViewer folder and unauthorized dialup program problem. It kicks me offline and tries to dial up under its own program. From what I can tell, a new folder was created/installed, C:\Program Files\WebSiteViewer, along with a link on my desktop and a link in C:\Program Files that looks like a dialup program and is named 124460. Also, when I connect to my regular dialup server, there is no sound, I'm guessing so that when it kicks me off my regular server and wants to connect to its own, I wouldn't notice. I also get a lot of Program Errors: iexplore.exe has generated error and will be closed…
    I run windows 2000.

    I updated CWShredder to the current one, v1.59.1, ran CWShredder in the fix mode, and CWS.Smartsearch was removed.

    I then updated HijackThis to v1.98.2 and here is the log. Can anyone please help?

    Logfile of HijackThis v1.98.2
    Scan saved at 10:31:41 PM, on 9/20/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Navnt\defwatch.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\PROGRA~1\Navnt\vptray.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\system32\twink64.exe
    C:\Program Files\Microsoft Money\System\mnyexpr.exe
    C:\winnt\rundll32.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Program Files\ACD Systems\ACDSee\ACDSee.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\Downloaded Program Files\lcldxogv.exe
    C:\Program Files\WebSiteViewer\124460.dlr
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\system32\rundll32.exe
    c:\124460.exe
    C:\WINNT\Downloaded Program Files\itmmrisd.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\Downloaded Program Files\ha.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\win.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\explorer.exe
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Program Files\Virus_spyware stuff\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.search-center.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search-center.com/search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search-center.com/search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search-center.com/search
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.istarthere.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
    O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINNT\questmod.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-111111111111} - C:\WINNT\system32\backup.dll
    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDB57890086B} - C:\WINNT\syskey.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Search - {3F5A62E2-51F2-11D3-A075-CC7364CAE42A} - C:\WINNT\system32\jfi.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [Shell] c:\ray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\system32\twink64.exe internat.dll,LoadKeyboardProfile
    O4 - HKLM\..\Run: [Winhost] C:\WINNT\win.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [wcjlrcx0h1] C:\WINNT\pnbjhzel7y.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [StartPage] C:\winnt\rundll32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll (file missing)
    O12 - Plugin for .com/posta?s=ac&i=888278075&k=HK4AIMY7V6&t=10051&sii=31885615&tii=1&rti=0: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab
    O16 - DPF: {00135DB4-651B-5DF7-79F8-54842240004C} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {02C06470-5B8F-6370-ECF8-614370300747} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {0396EC56-E2F1-61DF-EAC1-6CA8618B16A0} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {0C33F0FF-A4AA-69BC-4C1D-317034AA3CD2} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.13/285/online.chm::/on-line.exe
    O16 - DPF: {1100A8EC-0E73-222B-EE1B-139757950335} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://c:/x.mht!file:///c:/pl.exe
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
    O16 - DPF: {124CB4F7-2E64-2E1C-DBF1-03414380307A} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {195A58DB-650C-4C7C-D09A-7CE102D0E834} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {1D26360D-724D-69B8-9AD2-24261A2A003D} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {22A9AC25-FF8F-0437-5F00-5C5A22EAAF40} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {2AE4F823-1E44-5D74-E70F-396A0256B054} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {357C1956-B1A1-2EFB-7E2A-48D83A7CA6C6} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {37685A8F-E78C-2684-CA87-3E50445A676D} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {3CC1828C-CF37-3C0F-F0B7-418330EEACD1} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {3E481B57-BCED-63B5-137F-7B45354452D5} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {53F813B9-65A1-6EA1-5DB0-62EE76E51A7C} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {551C3FD2-36D5-728E-B573-1EBE31FE2DBE} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {55522676-A0FD-5355-8844-649047F7B429} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {56F75F35-C3BC-5A57-031E-3EA5471E42F0} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {5922E1ED-D42A-37BA-9582-3B71478337B2} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {5B0A160F-9A21-059D-68E8-082B17027B91} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {5BB823CE-C1DB-4B1B-C7AE-04E94CD6983B} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {5CE1F561-AD85-2489-6F67-2BA33AFB06CA} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {5E479500-A62E-1CFB-3BFF-1DD64D7FC00E} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {5F648A9F-085A-5A18-6331-3CB062D00232} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {61A398D0-85EE-40B7-F3C2-482B64B59B24} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {663C8FEF-1EF9-11CF-A3DB-080036F12502} - ms-its:mhtml:file://c:\nosuch.mht!http://67.18.129.78/b/bd/1/x.chm::/load.exe
    O16 - DPF: {6EBAAF51-AB06-2ECC-179D-3DEF4B72BB23} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {6EC36077-8725-53FF-666F-16EA387680BA} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {71EFFE20-E34D-6AB7-2DFF-4EE76EC0E0AD} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {7F25DAF1-4A6F-592E-57EB-06AE4D1A633F} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O18 - Protocol: relatedlinks - {CD8D1CAA-FE4A-45DF-A06C-028AAF1821DE} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
     
  2. wobin

    wobin

    Joined:
    Sep 11, 2004
    Messages:
    32
    Did you run Spybot and Ad-Aware?
     
  3. danacolorado

    danacolorado Thread Starter

    Joined:
    Sep 20, 2004
    Messages:
    6
    Not initially. I just downloaded Spybot version 1.3 and it found and fixed 73 problems. Here is the new HijackThis log:

    Logfile of HijackThis v1.98.2
    Scan saved at 8:52:15 AM, on 9/21/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Navnt\defwatch.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Navnt\vptray.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\system32\twink64.exe
    C:\WINNT\win.exe
    C:\Program Files\Microsoft Money\System\mnyexpr.exe
    C:\winnt\rundll32.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\system32\rundll32.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Program Files\Virus_spyware stuff\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.search-center.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search-center.com/search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search-center.com/search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search-center.com/search
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
    O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\VIRUS_~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINNT\questmod.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-111111111111} - C:\WINNT\system32\backup.dll
    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDB57890086B} - C:\WINNT\syskey.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Search - {3F5A62E2-51F2-11D3-A075-CC7364CAE42A} - C:\WINNT\system32\jfi.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [Shell] c:\ray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\system32\twink64.exe internat.dll,LoadKeyboardProfile
    O4 - HKLM\..\Run: [Winhost] C:\WINNT\win.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [wcjlrcx0h1] C:\WINNT\pnbjhzel7y.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [StartPage] C:\winnt\rundll32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll (file missing)
    O12 - Plugin for .com/posta?s=ac&i=888278075&k=HK4AIMY7V6&t=10051&sii=31885615&tii=1&rti=0: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at0_x.cab
    O16 - DPF: {00135DB4-651B-5DF7-79F8-54842240004C} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {02C06470-5B8F-6370-ECF8-614370300747} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {0396EC56-E2F1-61DF-EAC1-6CA8618B16A0} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {0C33F0FF-A4AA-69BC-4C1D-317034AA3CD2} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.13/285/online.chm::/on-line.exe
    O16 - DPF: {1100A8EC-0E73-222B-EE1B-139757950335} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
    O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
    O16 - DPF: {124CB4F7-2E64-2E1C-DBF1-03414380307A} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {195A58DB-650C-4C7C-D09A-7CE102D0E834} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {1D26360D-724D-69B8-9AD2-24261A2A003D} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {22A9AC25-FF8F-0437-5F00-5C5A22EAAF40} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {2AE4F823-1E44-5D74-E70F-396A0256B054} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {357C1956-B1A1-2EFB-7E2A-48D83A7CA6C6} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {37685A8F-E78C-2684-CA87-3E50445A676D} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {3CC1828C-CF37-3C0F-F0B7-418330EEACD1} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {3E481B57-BCED-63B5-137F-7B45354452D5} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {53F813B9-65A1-6EA1-5DB0-62EE76E51A7C} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {551C3FD2-36D5-728E-B573-1EBE31FE2DBE} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {55522676-A0FD-5355-8844-649047F7B429} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {56F75F35-C3BC-5A57-031E-3EA5471E42F0} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {5922E1ED-D42A-37BA-9582-3B71478337B2} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {5B0A160F-9A21-059D-68E8-082B17027B91} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {5BB823CE-C1DB-4B1B-C7AE-04E94CD6983B} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {5CE1F561-AD85-2489-6F67-2BA33AFB06CA} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {5E479500-A62E-1CFB-3BFF-1DD64D7FC00E} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {5F648A9F-085A-5A18-6331-3CB062D00232} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {61A398D0-85EE-40B7-F3C2-482B64B59B24} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {663C8FEF-1EF9-11CF-A3DB-080036F12502} - ms-its:mhtml:file://c:\nosuch.mht!http://67.18.129.78/b/bd/1/x.chm::/load.exe
    O16 - DPF: {6EBAAF51-AB06-2ECC-179D-3DEF4B72BB23} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {6EC36077-8725-53FF-666F-16EA387680BA} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {71EFFE20-E34D-6AB7-2DFF-4EE76EC0E0AD} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {7F25DAF1-4A6F-592E-57EB-06AE4D1A633F} - http://66.117.42.151/1/gdnUS20.exe
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O18 - Protocol: relatedlinks - {CD8D1CAA-FE4A-45DF-A06C-028AAF1821DE} - (no file)
     
  4. wobin

    wobin

    Joined:
    Sep 11, 2004
    Messages:
    32
    Please download ad-aware: click here and run it.
    Before you run it, check for updates and download them.
    • Use custom scanning options -> Customize
    • Drives & Folders section -> check "Scan within archives"
    • Memory & Registry -> check the first three options
    • Activate "in depth scan"
    • Save options and scan
    This could take a while. After scanning, right click on log and select all. Put in quarantine and delete them.

    After this a mod should help.


    But I think it should be safe to run HijackThis again, and fix:
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\VIRUS_~1\SPYBOT~1\SDHelper.dll

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINNT\questmod.dll

    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-111111111111} - C:\WINNT\system32\backup.dll

    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDB57890086B} - C:\WINNT\syskey.dll

    But please wait until a mod confirms...!

    ps: you can also download CW Shredder. (google it) "FIX"
     
  5. danacolorado

    danacolorado Thread Starter

    Joined:
    Sep 20, 2004
    Messages:
    6
    Thanks for all the help. I have already run CWShredder and no variants were found. I did some searching on the net and found that Twink64 is a bad program, and I deleted that and the system works better.
    But I've also noticed an application located on C:\ and the name of it is 1, and there is no icon with it (but a gray square appears if you put the mouse over it).

    I did download Ad-Aware SE 1.05 and it cleaned up a lot. I re-ran Spybot and then HijackThis, and here are the results. I still have a few pop-ups, but the most annoying thing is that when I am surfing, usually after a couple of minutes, I get an error message: iexplore.exe has generated an error and will be closed, and a log entry will be created...

    Thanks
    Logfile of HijackThis v1.98.2
    Scan saved at 3:25:23 PM, on 9/22/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Navnt\defwatch.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\Navnt\vptray.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Microsoft Money\System\mnyexpr.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\WINNT\win.exe
    C:\Program Files\Virus_spyware stuff\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.search-center.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search-center.com/search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search-center.com/search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search-center.com/search
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\VIRUS_~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINNT\questmod.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-111111111111} - C:\WINNT\system32\backup.dll
    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDB57890086B} - C:\WINNT\syskey.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Search - {3F5A62E2-51F2-11D3-A075-CC7364CAE42A} - C:\WINNT\system32\jfi.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [Shell] c:\ray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Winhost] C:\WINNT\win.exe
    O4 - HKLM\..\Run: [saap] c:\winnt\180solutions\saap.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll (file missing)
    O12 - Plugin for .com/posta?s=ac&i=888278075&k=HK4AIMY7V6&t=10051&sii=31885615&tii=1&rti=0: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.13/285/online.chm::/on-line.exe
    O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
    O16 - DPF: {663C8FEF-1EF9-11CF-A3DB-080036F12502} - ms-its:mhtml:file://c:\nosuch.mht!http://67.18.129.78/b/bd/1/x.chm::/load.exe
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
     
  6. wobin

    wobin

    Joined:
    Sep 11, 2004
    Messages:
    32
    K, your log is looking much better. But there is still a lot of cleaning up to do. But I don't have enough knowledge to know what you should delete, and what not. So I hope a mod or someone with a bit more exp. can help...:p
    Here's what I think, but wait until someone else confirms !!!

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\VIRUS_~1\SPYBOT~1\SDHelper.dll

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINNT\questmod.dll

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-111111111111} - C:\WINNT\system32\backup.dll

    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDB57890086B} - C:\WINNT\syskey.dll

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll (file missing)

    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll (file missing)

    O12 - Plugin for .com/posta?s=ac&i=888278075&k=HK4AIMY7V6&t=10051&sii=31885615&tii=1&rti=0: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

    O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.13/285/online.chm::/on-line.exe


    Wait until a mod or someone else confirms. Or I'll try to contact someone... :D
     
  7. Chicon

    Chicon

    Joined:
    Jul 29, 2004
    Messages:
    6,650
    Hi Wobin,

    These entries must be fixed:

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINNT\questmod.dll Trojan.Win32.Dialer.bi

    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-111111111111} - C:\WINNT\system32\backup.dll

    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDB57890086B} - C:\WINNT\syskey.dll

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.13/285/online.chm::/on-line.exe

    The 3 DLL files must be deleted (one is a virus)
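
A triage pass over a HijackThis log, as an added example that is not part of any poster's reply or of HijackThis itself. It parses the `O2`, `O4` and `O16` line formats seen in this thread and applies a few heuristics that single out the kinds of entries flagged above; the function names and the heuristics are assumptions of this example, the sample lines are copied from the logs in this thread, and a flag is a prompt for manual review rather than a verdict.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Sample input: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\VIRUS_~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINNT\questmod.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Shell] c:\ray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O16 - DPF: {00135DB4-651B-5DF7-79F8-54842240004C} - http://66.117.42.151/1/gdnUS20.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.225.177.13/285/online.chm::/on-line.exe
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# A file sitting directly in C:\WINNT or C:\WINNT\system32 (also C:\WINDOWS).
WINDIR_RE = re.compile(r"^[a-z]:\\win(nt|dows)\\(system32\\)?[^\\]+$", re.I)
# A Run value whose command starts with an .exe in the root of a drive.
RUN_ROOT_RE = re.compile(r"\] \"?[a-z]:\\[^\\]+\.exe", re.I)


def parse(log):
    """Return (code, body) pairs for lines such as 'O2 - BHO: ...'."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["code"], m["body"]))
    return entries


def is_raw_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_dpf(body):
    """O16: 'DPF: <name or {CLSID}> - <source>' (ActiveX install source)."""
    source = body.rsplit(" - ", 1)[-1]
    low = source.lower()
    reasons = []
    if low.startswith(("ms-its:", "mhtml:")):
        reasons.append("source wrapped in ms-its/mhtml")
    elif low.startswith("file:"):
        reasons.append("installed from a local file")
    elif is_raw_ip(urlsplit(source).hostname or ""):
        reasons.append("downloaded from a bare IP address")
    if low.endswith(".exe"):
        reasons.append("source is an .exe, not a .cab")
    return reasons


def check_bho(body):
    """O2: 'BHO: <name> - {CLSID} - <path>'."""
    name, _clsid, path = body.split(": ", 1)[1].rsplit(" - ", 2)
    if path == "(no file)" or path.endswith("(file missing)"):
        return ["registration left behind, file not on disk"]
    if name == "(no name)" and WINDIR_RE.match(path):
        return ["unnamed BHO loaded straight from the Windows directory"]
    return []


def check_run(body):
    """O4: 'HKLM\\..\\Run: [ValueName] <command line>'."""
    if RUN_ROOT_RE.search(body):
        return ["autostart of an .exe in the drive root"]
    return []


CHECKS = {"O2": check_bho, "O4": check_run, "O16": check_dpf}


def triage(log):
    """Return (code, body, reasons) for every entry that trips a heuristic."""
    findings = []
    for code, body in parse(log):
        reasons = CHECKS.get(code, lambda _body: [])(body)
        if reasons:
            findings.append((code, body, reasons))
    return findings


if __name__ == "__main__":
    for code, body, reasons in triage(SAMPLE_LOG):
        print(f"{code} - {body}\n    -> " + "; ".join(reasons))
```

Running it on a full log pasted into `SAMPLE_LOG` leaves the Spybot `SDHelper.dll`, Google Toolbar and Yahoo `.cab` entries unflagged, since they load from their own program folders or from a named host.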
     
  8. danacolorado

    danacolorado Thread Starter

    Joined:
    Sep 20, 2004
    Messages:
    6
    Thanks. With a computer friend, we figured out 5 of them and deleted them last night, but missed the Trojan.Win32.Dialer.bi:

    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINNT\questmod.dll

    I deleted it and here is my log (hopefully the final one):

    Logfile of HijackThis v1.98.2
    Scan saved at 9:57:30 AM, on 9/23/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Navnt\defwatch.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\win.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Program Files\Virus_spyware stuff\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search-center.com/search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.msn.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\VIRUS_~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Winhost] C:\WINNT\win.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll (file missing)
    O12 - Plugin for .com/posta?s=ac&i=888278075&k=HK4AIMY7V6&t=10051&sii=31885615&tii=1&rti=0: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E1A5474F-40BF-4F15-8357-EFB1282D89FC}: NameServer = 128.198.1.250 128.198.1.51


    Thanks, and I appreciate all your help
     
  9. wobin

    wobin

    Joined:
    Sep 11, 2004
    Messages:
    32
    Tnx Chicon, didn't know "questmod.dll" was a trojan... :(

    I think your log looks fine. Or do you still have troubles with your IE?
     
  10. danacolorado

    danacolorado Thread Starter

    Joined:
    Sep 20, 2004
    Messages:
    6
    Considering where I was a couple days ago, it is working fantastic. Thanks.

    I did just have a couple pop ups, but I have the websites blocked, so hopefully not much else is out there. I think I'll keep running spybot and adaware and hopefully it will be 100% perfect.

    But I think it is good for now. If anything else needs to be done, my HJT is posted in the previous reply.
    Thanks a lot!

    Dana
     
  11. wobin

    wobin

    Joined:
    Sep 11, 2004
    Messages:
    32
    You're welcome! :)

    Ok. You should run Spybot S&D once every week. The same for AdAware. Those two are the cleaners of your system.
    Pop ups, I use StopZilla.
     
  12. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    This did not need to be fixed with Hijack This:

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\VIRUS_~1\SPYBOT~1\SDHelper.dll

    That is protection put there by Spybot to help protect from the nasties!

    This is the google toolbar and did not need to be fixed:

    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

    These are also legitimate plugins for IE and did not need to be fixed.

    O12 - Plugin for .com/posta?s=ac&i=888278075&k=HK4AIMY7V6&t=10051&sii=31885615&tii=1&rti=0: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll


    Please leave the Hijack This logs to the people who know what they are doing! :mad:
     
  13. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    NOT!!!!!

    Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search-center.com/search

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O4 - HKLM\..\Run: [Winhost] C:\WINNT\win.exe

    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll (file missing)

    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll (file missing)

    O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab

    O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe


    Restart to safe mode.

    How to start your computer in safe mode

    First in safe mode click on My Computer then click Tools > Folder Options. In Folder options click on the View tab. Under Files and Folders tick "Show hidden files and folders" then uncheck "Hide file extensions for known file types" and uncheck "Hide protected operating system files (recommended)". Now click "Like current folder" then "Apply" and "OK"

    Now find and delete the C:\WINNT\win.exe file.

    Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


    Empty the Recycle Bin
     
  14. wobin

    wobin

    Joined:
    Sep 11, 2004
    Messages:
    32
    Yeah, I know. I was not sure, that's why I pm'ed Chicon... I'm very sorry, I was just trying to help. :eek: :eek: :eek:

    But hey, everybody has got to learn.
     
  15. danacolorado

    danacolorado Thread Starter

    Joined:
    Sep 20, 2004
    Messages:
    6
    Thanks I did everything in the safe mode and here are the results.
    Also, I still noticed when I dial up with my modem, it is still silent, no beeps or sounds.
    Thanks, Dana

    Logfile of HijackThis v1.98.2
    Scan saved at 3:11:19 PM, on 9/23/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Navnt\defwatch.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Virus_spyware stuff\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\VIRUS_~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O12 - Plugin for .com/posta?s=ac&i=888278075&k=HK4AIMY7V6&t=10051&sii=31885615&tii=1&rti=0: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E1A5474F-40BF-4F15-8357-EFB1282D89FC}: NameServer = 128.198.1.250 128.198.1.51
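
A way to check a cleanup like the one above by comparing the scan taken before the fix with the scan taken after it. This is an added example, not part of any post in the thread and not HijackThis's own logic; the two triage rules in `flag` are assumptions drawn from the entries fixed in this thread, and the sample logs are constructed from a few lines of the 9:57 AM and 3:11 PM scans.

```python
import re

# Matches HijackThis result lines such as "O16 - DPF: {...} - file://c:\x.cab"
ENTRY = re.compile(r"^\s*([RO]\d{1,2}|F\d) - (.*\S)\s*$")

def parse(log):
    """Return the set of (section, detail) entries in a HijackThis log."""
    return {m.groups() for m in map(ENTRY.match, log.splitlines()) if m}

def flag(entry):
    """Illustrative triage rules (assumptions, not HijackThis logic)."""
    section, detail = entry
    if section == "O16":
        # ActiveX installs normally come from an http(s) codebase URL.
        codebase = detail.rsplit(" - ", 1)[-1]
        if not codebase.lower().startswith(("http://", "https://")):
            return "O16 codebase is not http(s)"
    if detail.endswith(("(file missing)", "(no file)")):
        return "registered file is absent"
    return None

def review(before, after):
    """Compare two scans: what was removed, and what is still flagged."""
    b, a = parse(before), parse(after)
    return {
        "removed": sorted(b - a),
        "added": sorted(a - b),
        "still_flagged": sorted((e, flag(e)) for e in a if flag(e)),
    }

# Constructed sample input: a few lines taken from the two scans in this thread.
BEFORE = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Winhost] C:\WINNT\win.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll (file missing)
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
"""
AFTER = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
"""

if __name__ == "__main__":
    for key, items in review(BEFORE, AFTER).items():
        print(key, *items, sep="\n  ")
```

An empty `added` list matters as much as an empty `still_flagged` list: an entry that reappears after a reboot means something is still rewriting the registry.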
     