www.xf2s.com/msn/wode.jpg in MSN dialog windows

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

rams_

Thread Starter
Joined
Sep 11, 2004
Messages
8
I need your help. Everytime I type something in MSN it always ends with a link to www.xf2s.com/msn/wode.jpg. I can't lose it, does anyone know how to remove it? I would be gratefeul for any help.
 
Joined
Jul 29, 2004
Messages
6,650
Hi rams,

Why to lament ? She is very cute ! :p
I suggest you to download the last version of HijackThis (v. 1.98.2) from http://www.tomcoyote.org/hjt/
Extract the zip file and copy the .exe file in a folder (Program Files for example), not on the desktop or a temp folder.
Run HijackThis.exe, click the Scan button, click the Save log button and post your log file.
Please don't fix anything yet
 

rams_

Thread Starter
Joined
Sep 11, 2004
Messages
8
Logfile of HijackThis v1.98.2
Scan saved at 19:13:57, on 11.09.2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\WINDOWS\system32\syslray.exe
C:\WINDOWS\system32\moniker.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [realone_nt2004] C:\WINDOWS\system32\syslray.exe
O4 - HKLM\..\Run: [realone_nt2003] C:\WINDOWS\system32\moniker.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
 
Joined
May 11, 2003
Messages
294
First could you please these files (C:\WINDOWS\system32\syslray.exe
and C:\WINDOWS\system32\moniker.exe) in a zipped file and attach a copy of that zipped file and send it to me here ([email protected]). Please include a link to this thread so I'll remember where it came from.
The files might be hidden, so click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"


Have these instructions printed or in a convenient Notepad (or Wordpad) file so you can view them in Safe Mode or with browser closed.

Run Hijack This again and put a check by these. Close all windows except Hijack This and click Fix checked

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [realone_nt2004] C:\WINDOWS\system32\syslray.exe

O4 - HKLM\..\Run: [realone_nt2003] C:\WINDOWS\system32\moniker.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)


Restart to safe mode.

How to start your computer in safe mode

Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Find and delete:

The C:\WINDOWS\system32\syslray.exe file
The C:\WINDOWS\system32\moniker.exe file

Also do a file search for HKT1.DLL file, if found delete it.

Go to Start > Run, enter %temp% and then click Edit > Select All. Right click on the selected files and folders and delete them

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Now click the "Delete Cookies" button and click OK.

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Empty the Recycle Bin


IMPORTANT!: I highly recommend that you go to Windows update(http://v4.windowsupdate.microsoft.com/en/default.asp) and install all "Critical Updates and Service Packs" ASAP!. This will patch numerous security holes in IE and Windows.
 
Joined
Sep 19, 2004
Messages
14
ey u found a solution to fix the link problem because it'll be very gratefull to give me and other people a way to fix it
 
Joined
Sep 19, 2004
Messages
14
to chicon im going off the reply u gave rams and should i do the same well i will any way here's my log Logfile of HijackThis v1.98.2
Scan saved at 4:13:13 PM, on 19/09/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\G-VGA.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\program files\Telstra\Signup\tbpt.exe
C:\Program Files\QuickTime\qttask.exe
C:\windows\system32\ossproxy.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\syslray.exe
C:\WINDOWS\system32\moniker.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\Coco\Application Data\ruos.exe
C:\WINDOWS\System32\qwha.exe
C:\sp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Coco\My Documents\My Received Files\hijackthis[www.click-now.net]\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/
O2 - BHO: C:\WINDOWS\lbbho.dll - {4206F7DC-15C7-4DE0-890A-F08036C789CB} - C:\WINDOWS\lbbho.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: (no name) - {6EFA145A-E437-2BE1-8050-64550DA77B18} - C:\WINDOWS\System32\ymc.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: CHungryBHO Object - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\neti.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C5941EE5-6DFA-11D8-86B0-0002441A9695} - C:\WINDOWS\3_0_1browserhelper3.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\WINDOWS\System32\apuc.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\System32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VGAUtil] C:\WINDOWS\System32\G-VGA.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [{F7D90BD2-14A9-11d3-AD9E-00AA0064EC94}] C:\program files\Telstra\Signup\tbpt.exe
O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\Run: [tid] C:\WINDOWS\tid.exe
O4 - HKLM\..\Run: [SexCams_au] C:\Program Files\SCom\Dialers\SexCams_au\SexCams_au.exe /dontdial
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [OSS] c:\windows\system32\ossproxy.exe -boot
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [realone_nt2004] C:\WINDOWS\system32\syslray.exe
O4 - HKLM\..\Run: [realone_nt2003] C:\WINDOWS\system32\moniker.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aome] C:\Documents and Settings\Coco\Application Data\ruos.exe
O4 - HKCU\..\Run: [Hsildv] C:\WINDOWS\System32\qwha.exe
O4 - HKCU\..\Run: [SearchSetter] C:\WINDOWS\System32\searchsetter[1].exe
O4 - HKCU\..\Run: [sp] C:\sp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {FFFFFFFF-ABBB-FFFF-FFFF-FFFFFFFFFFFF} - http://top.holm.ru/cgi-bin/link.cgi?l=http (file missing)
O9 - Extra 'Tools' menuitem: FUNNY SEXY PICTURES - {FFFFFFFF-ABBB-FFFF-FFFF-FFFFFFFFFFFF} - http://top.holm.ru/cgi-bin/link.cgi?l=http (file missing)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {706F3805-27D7-478D-80E5-E25D2BB030B3} (VacPro.internazionale_ver3) - http://www.advnt01.com/dialer/internazionale_ver3.CAB
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7079989B-A0C5-494C-B7AC-DB720C713EC7}: NameServer = 203.49.70.92 139.134.2.190
 
Joined
Sep 19, 2004
Messages
14
if any one has a solution to my problem send it to my private messeges or not just like normal thats it. thanx
 
Joined
Jul 29, 2004
Messages
6,650
Hi flight23,

Hum! There are many craps to fix and to remove. You have many work to do.
First of all, upgrade your antivirus definitions list in your usual way.
After that, proceed to the following steps :

1° Log on in safe mode (press the F8 key many times during the booting process) with your administrator account;

2° Close all open windows and run HijackThis to fix the following entries :

O2 - BHO: C:\WINDOWS\lbbho.dll - {4206F7DC-15C7-4DE0-890A-F08036C789CB} - C:\WINDOWS\lbbho.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: (no name) - {6EFA145A-E437-2BE1-8050-64550DA77B18} - C:\WINDOWS\System32\ymc.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: CHungryBHO Object - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINDOWS\neti.dll
O2 - BHO: (no name) - {C5941EE5-6DFA-11D8-86B0-0002441A9695} - C:\WINDOWS\3_0_1browserhelper3.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\WINDOWS\System32\apuc.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll

O4 - HKLM\..\Run: [{F7D90BD2-14A9-11d3-AD9E-00AA0064EC94}] C:\program files\Telstra\Signup\tbpt.exe
O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\Run: [tid] C:\WINDOWS\tid.exe
O4 - HKLM\..\Run: [SexCams_au] C:\Program Files\SCom\Dialers\SexCams_au\SexCams_au.exe /dontdial
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [OSS] c:\windows\system32\ossproxy.exe -boot
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [realone_nt2004] C:\WINDOWS\system32\syslray.exe
O4 - HKLM\..\Run: [realone_nt2003] C:\WINDOWS\system32\moniker.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [Aome] C:\Documents and Settings\Coco\Application Data\ruos.exe
O4 - HKCU\..\Run: [Hsildv] C:\WINDOWS\System32\qwha.exe
O4 - HKCU\..\Run: [SearchSetter] C:\WINDOWS\System32\searchsetter[1].exe
O4 - HKCU\..\Run: [sp] C:\sp.exe

O9 - Extra button: (no name) - {FFFFFFFF-ABBB-FFFF-FFFF-FFFFFFFFFFFF} - http://top.holm.ru/cgi-bin/link.cgi?l=http (file missing)
O9 - Extra 'Tools' menuitem: FUNNY SEXY PICTURES - {FFFFFFFF-ABBB-FFFF-FFFF-FFFFFFFFFFFF} - http://top.holm.ru/cgi-bin/link.cgi?l=http (file missing)

O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net

O16 - DPF: {706F3805-27D7-478D-80E5-E25D2BB030B3} (VacPro.internazionale_ver3) - http://www.advnt01.com/dialer/internazionale_ver3.CAB
O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} (CQD2Loader Object) - http://smartdownloader.com/installer.dll
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.com...ebio5_1_6_0.cab

3° Make all files and folders visible : double click the My Computer icon, click Tools, click Folder Options, select Display tab, check "Display hidden files and folders", click OK to apply

4° With your Add/Remove Programs utility : uninstall (if you find them) BullsEye, Scom, NewDotNet

5° Delete the following folders :

C:\Program Files\NewDotNet
C:\Program Files\SCom
C:\Program Files\BullsEye Network
C:\Program Files\NewDotNet

6° Delete the following files :

C:\WINDOWS\lbbho.dll
C:\WINDOWS\System32\ymc.dll
C:\WINDOWS\2_0_1browserhelper2.dll
C:\WINDOWS\System32\nvms.dll
C:\WINDOWS\3_0_1browserhelper3.dll
C:\WINDOWS\System32\mscb.dll
C:\WINDOWS\System32\apuc.dll
C:\WINDOWS\System32\msbe.dll
C:\WINDOWS\System32\wuamgrd.exe
C:\WINDOWS\tid.exe
c:\windows\system32\ossproxy.exe
C:\WINDOWS\system32\syslray.exe
C:\WINDOWS\system32\moniker.exe
C:\Documents and Settings\Coco\Application Data\ruos.exe
C:\WINDOWS\System32\qwha.exe
C:\WINDOWS\System32\searchsetter[1].exe
C:\sp.exe

7° Empty the recycle bin;

8° Run your anti-virus (a complete scan of all drives);

9° Reboot and log with your administrator account, go to the site www.windowsupdate.com and get the last critical security patches (you will be redirected automatically).
 
Joined
Sep 20, 2004
Messages
8
heyy please help me toooooo
i got windows 98
and i ahve da smae problem
should i download dat hijack file?

PS...ma first post./.:)
 
Joined
Jul 29, 2004
Messages
6,650
Hi nehs16,

First of all, do a free online anti-virus scan there : http://housecall.trendmicro.com/
If you get a report which states that some virus have not been removed for whatever reason, please post the report in this thread.
After that, you download the last version of HijackThis (v. 1.98.2) from http://www.tomcoyote.org/hjt/
Extract the zip file and copy the .exe file in a folder (Program Files for example), not on the desktop or a temp folder.
Close all open windows, run HijackThis.exe, click the Scan button, click the Save log button and post your log file.
 
Joined
Sep 20, 2004
Messages
8
This is my log file, i hate that thing...thanks for ur help.


Logfile of HijackThis v1.98.2
Scan saved at 05:26:26 p.m., on 20/09/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Archivos de programa\Java\j2re1.4.2_05\bin\jusched.exe
C:\Archivos de programa\Common files\updmgr\updmgr.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\program files\altnet\points manager\points manager.exe
C:\Archivos de programa\Archivos comunes\CMEII\CMESys.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\carpserv.exe
C:\SCANJET\PrecisionScanLT\hppwrsav.exe
C:\Archivos de programa\Winamp\winampa.exe
C:\WINDOWS\system32\syslray.exe
C:\WINDOWS\system32\moniker.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Netscape\Netscape\Netscp.exe
C:\Archivos de programa\Archivos comunes\GMT\GMT.exe
C:\Archivos de programa\Lexmark X125\LEX125SU.exe
C:\Archivos de programa\ZyDAS Technology Corporation\ZyDAS Wireless LAN\ZDConfig.exe
C:\WINDOWS\webshots.scr
C:\PROGRA~2\Altnet\DOWNLO~1\asm.exe
C:\Archivos de programa\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\utils\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\ARCHIV~1\PERFEC~1\BHO\PERFEC~1.DLL
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\ARCHIV~1\PERFEC~1\BHO\PERFEC~1.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Archivos de programa\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Archivos de programa\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [updmgr] C:\Archivos de programa\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [CMESys] "C:\Archivos de programa\Archivos comunes\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe
O4 - HKLM\..\Run: [realone_nt2004] C:\WINDOWS\system32\syslray.exe
O4 - HKLM\..\Run: [realone_nt2003] C:\WINDOWS\system32\moniker.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Archivos de programa\Netscape\Netscape\Netscp.exe" -turbo
O4 - Startup: Webshots.lnk = C:\Archivos de programa\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GStartup.lnk = C:\Archivos de programa\Archivos comunes\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Utilidad de valores de Lexmark X125.lnk = C:\Archivos de programa\Lexmark X125\LEX125SU.exe
O4 - Global Startup: ZDConfig.lnk = C:\Archivos de programa\ZyDAS Technology Corporation\ZyDAS Wireless LAN\ZDConfig.exe
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Archivos de programa\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Archivos de programa\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Archivos de programa\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Archivos de programa\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_ES_XP.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top