
www.xf2s.com/msn/wode.jpg in MSN dialog windows

Discussion in 'Virus & Other Malware Removal' started by rams_, Sep 11, 2004.

Thread Status:
Not open for further replies.
  1. rams_

    rams_ Thread Starter

    Joined:
    Sep 11, 2004
    Messages:
    8
    I need your help. Every time I type something in MSN it always ends with a link to www.xf2s.com/msn/wode.jpg. I can't lose it, does anyone know how to remove it? I would be grateful for any help.
     
  2. Chicon

    Chicon

    Joined:
    Jul 29, 2004
    Messages:
    6,650
    Hi rams,

    Why lament? She is very cute! :p
    I suggest you download the latest version of HijackThis (v. 1.98.2) from http://www.tomcoyote.org/hjt/
    Extract the zip file and copy the .exe file to a folder (Program Files for example), not on the desktop or a temp folder.
    Run HijackThis.exe, click the Scan button, click the Save log button and post your log file.
    Please don't fix anything yet.
     
  3. rams_

    rams_ Thread Starter

    Joined:
    Sep 11, 2004
    Messages:
    8
    Logfile of HijackThis v1.98.2
    Scan saved at 19:13:57, on 11.09.2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
    C:\WINDOWS\system32\syslray.exe
    C:\WINDOWS\system32\moniker.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Yahoo!\Messenger\ypager.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\Program Files\HijackThis.exe

    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [realone_nt2004] C:\WINDOWS\system32\syslray.exe
    O4 - HKLM\..\Run: [realone_nt2003] C:\WINDOWS\system32\moniker.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
     
  4. rtty

    rtty

    Joined:
    May 11, 2003
    Messages:
    294
    First, could you please put these files (C:\WINDOWS\system32\syslray.exe and C:\WINDOWS\system32\moniker.exe) in a zipped file, attach a copy of that zipped file, and send it to me here ([email protected]). Please include a link to this thread so I'll remember where it came from.
    The files might be hidden, so click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply" then "OK".


    Have these instructions printed or in a convenient Notepad (or Wordpad) file so you can view them in Safe Mode or with browser closed.

    Run Hijack This again and put a check by these. Close all windows except Hijack This and click Fix checked

    R3 - Default URLSearchHook is missing

    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    O4 - HKLM\..\Run: [realone_nt2004] C:\WINDOWS\system32\syslray.exe

    O4 - HKLM\..\Run: [realone_nt2003] C:\WINDOWS\system32\moniker.exe

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)


    Restart to safe mode.

    How to start your computer in safe mode

    Because XP will not always show you hidden files and folders by default, go to Start > Search and, under "More advanced search options", make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders".

    Find and delete:

    The C:\WINDOWS\system32\syslray.exe file
    The C:\WINDOWS\system32\moniker.exe file

    Also do a file search for HKT1.DLL file, if found delete it.

    Go to Start > Run, enter %temp% and then click Edit > Select All. Right click on the selected files and folders and delete them

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Now click the "Delete Cookies" button and click OK.

    Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Empty the Recycle Bin


    IMPORTANT!: I highly recommend that you go to Windows Update (http://v4.windowsupdate.microsoft.com/en/default.asp) and install all "Critical Updates and Service Packs" ASAP! This will patch numerous security holes in IE and Windows.
     
  5. flight_23

    flight_23

    Joined:
    Sep 19, 2004
    Messages:
    14
  6. flight_23

    flight_23

    Joined:
    Sep 19, 2004
    Messages:
    14
    Hey, did you find a solution to fix the link problem? I'd be very grateful if you could give me and other people a way to fix it.
     
  7. flight_23

    flight_23

    Joined:
    Sep 19, 2004
    Messages:
    14
  8. flight_23

    flight_23

    Joined:
    Sep 19, 2004
    Messages:
    14
    To Chicon: I'm going off the reply you gave rams. Should I do the same? Well, I will anyway. Here's my log:

    Logfile of HijackThis v1.98.2
    Scan saved at 4:13:13 PM, on 19/09/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\G-VGA.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\program files\Telstra\Signup\tbpt.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\windows\system32\ossproxy.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\system32\syslray.exe
    C:\WINDOWS\system32\moniker.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Documents and Settings\Coco\Application Data\ruos.exe
    C:\WINDOWS\System32\qwha.exe
    C:\sp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Coco\My Documents\My Received Files\hijackthis[www.click-now.net]\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
    O2 - BHO: C:\WINDOWS\lbbho.dll - {4206F7DC-15C7-4DE0-890A-F08036C789CB} - C:\WINDOWS\lbbho.dll
    O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
    O2 - BHO: (no name) - {6EFA145A-E437-2BE1-8050-64550DA77B18} - C:\WINDOWS\System32\ymc.dll
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: CHungryBHO Object - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\neti.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {C5941EE5-6DFA-11D8-86B0-0002441A9695} - C:\WINDOWS\3_0_1browserhelper3.dll
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
    O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\WINDOWS\System32\apuc.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\System32\NVRTCLK\NVRTClk.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [VGAUtil] C:\WINDOWS\System32\G-VGA.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [{F7D90BD2-14A9-11d3-AD9E-00AA0064EC94}] C:\program files\Telstra\Signup\tbpt.exe
    O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
    O4 - HKLM\..\Run: [tid] C:\WINDOWS\tid.exe
    O4 - HKLM\..\Run: [SexCams_au] C:\Program Files\SCom\Dialers\SexCams_au\SexCams_au.exe /dontdial
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [OSS] c:\windows\system32\ossproxy.exe -boot
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
    O4 - HKLM\..\Run: [realone_nt2004] C:\WINDOWS\system32\syslray.exe
    O4 - HKLM\..\Run: [realone_nt2003] C:\WINDOWS\system32\moniker.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Aome] C:\Documents and Settings\Coco\Application Data\ruos.exe
    O4 - HKCU\..\Run: [Hsildv] C:\WINDOWS\System32\qwha.exe
    O4 - HKCU\..\Run: [SearchSetter] C:\WINDOWS\System32\searchsetter[1].exe
    O4 - HKCU\..\Run: [sp] C:\sp.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: (no name) - {FFFFFFFF-ABBB-FFFF-FFFF-FFFFFFFFFFFF} - http://top.holm.ru/cgi-bin/link.cgi?l=http (file missing)
    O9 - Extra 'Tools' menuitem: FUNNY SEXY PICTURES - {FFFFFFFF-ABBB-FFFF-FFFF-FFFFFFFFFFFF} - http://top.holm.ru/cgi-bin/link.cgi?l=http (file missing)
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O16 - DPF: {706F3805-27D7-478D-80E5-E25D2BB030B3} (VacPro.internazionale_ver3) - http://www.advnt01.com/dialer/internazionale_ver3.CAB
    O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7079989B-A0C5-494C-B7AC-DB720C713EC7}: NameServer = 203.49.70.92 139.134.2.190
     
  9. flight_23

    flight_23

    Joined:
    Sep 19, 2004
    Messages:
    14
    If anyone has a solution to my problem, send it to my private messages, or not, just like normal. That's it. Thanks.
     
  10. Chicon

    Chicon

    Joined:
    Jul 29, 2004
    Messages:
    6,650
    Hi flight23,

    Hmm! There is a lot of crap to fix and remove. You have a lot of work to do.
    First of all, update your antivirus definitions list in your usual way.
    After that, proceed with the following steps:

    1° Log on in safe mode (press the F8 key many times during the booting process) with your administrator account;

    2° Close all open windows and run HijackThis to fix the following entries :

    O2 - BHO: C:\WINDOWS\lbbho.dll - {4206F7DC-15C7-4DE0-890A-F08036C789CB} - C:\WINDOWS\lbbho.dll
    O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
    O2 - BHO: (no name) - {6EFA145A-E437-2BE1-8050-64550DA77B18} - C:\WINDOWS\System32\ymc.dll
    O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: CHungryBHO Object - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\neti.dll
    O2 - BHO: (no name) - {C5941EE5-6DFA-11D8-86B0-0002441A9695} - C:\WINDOWS\3_0_1browserhelper3.dll
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
    O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\WINDOWS\System32\apuc.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll

    O4 - HKLM\..\Run: [{F7D90BD2-14A9-11d3-AD9E-00AA0064EC94}] C:\program files\Telstra\Signup\tbpt.exe
    O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
    O4 - HKLM\..\Run: [tid] C:\WINDOWS\tid.exe
    O4 - HKLM\..\Run: [SexCams_au] C:\Program Files\SCom\Dialers\SexCams_au\SexCams_au.exe /dontdial
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [OSS] c:\windows\system32\ossproxy.exe -boot
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
    O4 - HKLM\..\Run: [realone_nt2004] C:\WINDOWS\system32\syslray.exe
    O4 - HKLM\..\Run: [realone_nt2003] C:\WINDOWS\system32\moniker.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
    O4 - HKCU\..\Run: [Aome] C:\Documents and Settings\Coco\Application Data\ruos.exe
    O4 - HKCU\..\Run: [Hsildv] C:\WINDOWS\System32\qwha.exe
    O4 - HKCU\..\Run: [SearchSetter] C:\WINDOWS\System32\searchsetter[1].exe
    O4 - HKCU\..\Run: [sp] C:\sp.exe

    O9 - Extra button: (no name) - {FFFFFFFF-ABBB-FFFF-FFFF-FFFFFFFFFFFF} - http://top.holm.ru/cgi-bin/link.cgi?l=http (file missing)
    O9 - Extra 'Tools' menuitem: FUNNY SEXY PICTURES - {FFFFFFFF-ABBB-FFFF-FFFF-FFFFFFFFFFFF} - http://top.holm.ru/cgi-bin/link.cgi?l=http (file missing)

    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net

    O16 - DPF: {706F3805-27D7-478D-80E5-E25D2BB030B3} (VacPro.internazionale_ver3) - http://www.advnt01.com/dialer/internazionale_ver3.CAB
    O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.com...ebio5_1_6_0.cab

    3° Make all files and folders visible : double click the My Computer icon, click Tools, click Folder Options, select Display tab, check "Display hidden files and folders", click OK to apply

    4° With your Add/Remove Programs utility : uninstall (if you find them) BullsEye, Scom, NewDotNet

    5° Delete the following folders :

    C:\Program Files\NewDotNet
    C:\Program Files\SCom
    C:\Program Files\BullsEye Network
    C:\Program Files\NewDotNet

    6° Delete the following files :

    C:\WINDOWS\lbbho.dll
    C:\WINDOWS\System32\ymc.dll
    C:\WINDOWS\2_0_1browserhelper2.dll
    C:\WINDOWS\System32\nvms.dll
    C:\WINDOWS\3_0_1browserhelper3.dll
    C:\WINDOWS\System32\mscb.dll
    C:\WINDOWS\System32\apuc.dll
    C:\WINDOWS\System32\msbe.dll
    C:\WINDOWS\System32\wuamgrd.exe
    C:\WINDOWS\tid.exe
    c:\windows\system32\ossproxy.exe
    C:\WINDOWS\system32\syslray.exe
    C:\WINDOWS\system32\moniker.exe
    C:\Documents and Settings\Coco\Application Data\ruos.exe
    C:\WINDOWS\System32\qwha.exe
    C:\WINDOWS\System32\searchsetter[1].exe
    C:\sp.exe

    7° Empty the recycle bin;

    8° Run your anti-virus (a complete scan of all drives);

    9° Reboot and log on with your administrator account, go to the site www.windowsupdate.com and get the latest critical security patches (you will be redirected automatically).
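
The by-eye triage used on the logs in this thread (pick out the O4 autorun lines, then check whether the file they launch is also listed under "Running processes"), as an added Python example that is not part of the original posts. The watchlist holds only the two file names the replies above single out; `parse_log`, `image_path` and `triage` are names chosen here, and the sample is a trimmed excerpt of the first log posted in the thread.

```python
import ntpath
import re
from typing import NamedTuple

# Trimmed excerpt of the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Platform: Windows XP (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\syslray.exe
C:\WINDOWS\system32\moniker.exe
C:\Program Files\MSN Messenger\msnmsgr.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [realone_nt2004] C:\WINDOWS\system32\syslray.exe
O4 - HKLM\..\Run: [realone_nt2003] C:\WINDOWS\system32\moniker.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""


class RunEntry(NamedTuple):
    hive: str     # HKLM or HKCU
    key: str      # Run, RunServices, ...
    name: str     # registry value name, shown in [brackets] in the log
    command: str  # command line stored in that value


# "O4 - HKLM\..\Run: [name] command" (registry autoruns only, not Startup folders)
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.+)$")
# Unquoted command: everything up to the first executable-looking extension.
IMAGE_RE = re.compile(r"^(.*?\.(?:exe|dll|com|scr|bat|cmd))(?=[\s,]|$)", re.I)

# File names the helpers in this thread ask posters to remove.
WATCHLIST = {"syslray.exe", "moniker.exe"}


def parse_log(text):
    """Return (set of running process paths, lowercased; list of RunEntry)."""
    processes, entries, in_procs = set(), [], False
    for raw in text.splitlines():
        line = raw.strip()          # logs pasted into forum posts are often indented
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:  # a blank line closes the process list
            in_procs = False
        elif in_procs:
            processes.add(line.lower())
        else:
            m = O4_RE.match(line)
            if m:
                entries.append(RunEntry(*m.groups()))
    return processes, entries


def image_path(command):
    """Separate the launched file from its arguments (paths may contain spaces)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    m = IMAGE_RE.match(command)
    return m.group(1) if m else command.split()[0]


def triage(text, watchlist=WATCHLIST):
    """List autorun entries launching a watchlisted file, and whether it is live."""
    processes, entries = parse_log(text)
    findings = []
    for e in entries:
        image = image_path(e.command)
        if ntpath.basename(image).lower() in watchlist:
            findings.append({
                "key": f"{e.hive}\\{e.key}",
                "name": e.name,
                "image": image,
                # A live process keeps its file in use, so removal is done
                # with the process stopped (the replies use safe mode).
                "running": image.lower() in processes,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        state = "running" if f["running"] else "not running"
        print(f'{f["key"]} [{f["name"]}] -> {f["image"]} ({state})')
```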
     
  11. nehs16

    nehs16

    Joined:
    Sep 20, 2004
    Messages:
    8
    Hey, please help me too.
    I've got Windows 98
    and I have the same problem.
    Should I download that hijack file?

    PS... my first post. :)
     
  12. nehs16

    nehs16

    Joined:
    Sep 20, 2004
    Messages:
    8
  13. nehs16

    nehs16

    Joined:
    Sep 20, 2004
    Messages:
    8
    Hey Chicon,
    should I download that file too?
    Hey, please help.
     
  14. Chicon

    Chicon

    Joined:
    Jul 29, 2004
    Messages:
    6,650
    Hi nehs16,

    First of all, do a free online anti-virus scan here: http://housecall.trendmicro.com/
    If you get a report which states that some viruses have not been removed for whatever reason, please post the report in this thread.
    After that, download the latest version of HijackThis (v. 1.98.2) from http://www.tomcoyote.org/hjt/
    Extract the zip file and copy the .exe file to a folder (Program Files for example), not on the desktop or a temp folder.
    Close all open windows, run HijackThis.exe, click the Scan button, click the Save log button and post your log file.
     
  15. gata_negra

    gata_negra

    Joined:
    Sep 20, 2004
    Messages:
    8
    This is my log file. I hate that thing... Thanks for your help.


    Logfile of HijackThis v1.98.2
    Scan saved at 05:26:26 p.m., on 20/09/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
    C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
    C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
    C:\Archivos de programa\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Archivos de programa\Common files\updmgr\updmgr.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\program files\altnet\points manager\points manager.exe
    C:\Archivos de programa\Archivos comunes\CMEII\CMESys.exe
    C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\SCANJET\PrecisionScanLT\hppwrsav.exe
    C:\Archivos de programa\Winamp\winampa.exe
    C:\WINDOWS\system32\syslray.exe
    C:\WINDOWS\system32\moniker.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Archivos de programa\Netscape\Netscape\Netscp.exe
    C:\Archivos de programa\Archivos comunes\GMT\GMT.exe
    C:\Archivos de programa\Lexmark X125\LEX125SU.exe
    C:\Archivos de programa\ZyDAS Technology Corporation\ZyDAS Wireless LAN\ZDConfig.exe
    C:\WINDOWS\webshots.scr
    C:\PROGRA~2\Altnet\DOWNLO~1\asm.exe
    C:\Archivos de programa\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Archivos de programa\MSN Messenger\msnmsgr.exe
    C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\utils\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\ARCHIV~1\PERFEC~1\BHO\PERFEC~1.DLL
    O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\ARCHIV~1\PERFEC~1\BHO\PERFEC~1.DLL
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Archivos de programa\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Archivos de programa\MyWay\myBar\1.bin\MYBAR.DLL
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [updmgr] C:\Archivos de programa\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
    O4 - HKLM\..\Run: [CMESys] "C:\Archivos de programa\Archivos comunes\CMEII\CMESys.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe
    O4 - HKLM\..\Run: [realone_nt2004] C:\WINDOWS\system32\syslray.exe
    O4 - HKLM\..\Run: [realone_nt2003] C:\WINDOWS\system32\moniker.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Archivos de programa\Netscape\Netscape\Netscp.exe" -turbo
    O4 - Startup: Webshots.lnk = C:\Archivos de programa\Webshots\Launcher.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: GStartup.lnk = C:\Archivos de programa\Archivos comunes\GMT\GMT.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Utilidad de valores de Lexmark X125.lnk = C:\Archivos de programa\Lexmark X125\LEX125SU.exe
    O4 - Global Startup: ZDConfig.lnk = C:\Archivos de programa\ZyDAS Technology Corporation\ZyDAS Wireless LAN\ZDConfig.exe
    O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Archivos de programa\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Archivos de programa\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Archivos de programa\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Archivos de programa\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_ES_XP.cab
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
     
Short URL to this thread: https://techguy.org/272722
