Guest Ryan Posted December 12, 2004
The program I'm using, 'Spybot Search and Destroy', says it's gone, but it's not. Fucking lying bastardin' thing... Help me please.
Steve Posted December 12, 2004
Spybot is pants. First off, try CWShredder: -
http://cwshredder.net/bin/CWShredder.exe
Download it and run it (no installation required). Just fire it up and hit the Fix button. If it's a Cool Web Search infection, this will kill it.

If that doesn't do the trick then download HijackThis from here: -
http://www.tomcoyote.org/hjt/
Create a folder for it on your desktop and place HijackThis into it (unzipped). Reboot your PC and before you start up any other programs, run HijackThis and click Scan then Save Log. Save the log somewhere and it will open - copy and paste the entire contents of it into here.
Guest Ryan Posted December 12, 2004
Logfile of HijackThis v1.98.2
Scan saved at 11:18:57 PM, on 12/12/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MNMSRVC.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\JAVAVJ32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\IAMAPP.EXE
C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NSCHED32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\NISUM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\SYMPROXYSVC.EXE
C:\WINDOWS\SYSTEM\E_SICN03.EXE
C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\NISSERV.EXE
C:\WINDOWS\DESKTOP\NEW FOLDER\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.webtvparty.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.webtvparty.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\sbvjv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\sbvjv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\sbvjv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\sbvjv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\sbvjv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\sbvjv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.webtvparty.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\sbvjv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.locators.com/search.php?que=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;https=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080;gopher=http://www-cache.freeserve.com:8080
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Class - {67AE712E-10CA-AB2F-005B-3833F6FD8821} - C:\WINDOWS\SYSTEM\APIYH32.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~2\point32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Task Manager] tskman.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [bCDetect] C:\WINDOWS\SYSTEM\BCDetect.exe defer
O4 - HKLM\..\RunServices: [Task Manager] tskman.exe
O4 - HKLM\..\RunServices: [Fpx] C:\WINDOWS\SYSTEM\mnmsrvc.exe
O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [JAVAVJ32.EXE] C:\WINDOWS\SYSTEM\JAVAVJ32.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [instant Access] rundll32.exe p2esocks_1027.dll,InstantAccess
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
O4 - HKCU\..\Run: [spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Startup: Norton Program Scheduler.lnk = C:\Program Files\Norton AntiVirus\NSCHED32.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Downloads - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\exio-kazemule-uk\index.html
O9 - Extra button: Locators.com Search Bar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra 'Tools' menuitem: Locators.com Search Bar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200210...meInstaller.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_03) - 
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) - 
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.6.cab
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} (EGEGAUTH Class) - http://akamai.downloadv3.com/binaries/P2EC...UTH_1027_EN.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1
Steve Posted December 12, 2004
Holy shit!! Those are some nasty infections mate! Gimme a few minutes on this one.
Steve Posted December 12, 2004
OK well this is another one of those cases where I would say to wipe your machine, but if you wanna try and fix it then we'll give it a go: -

First off, press Control/Alt/Delete and end this process: -
MWSOEMON.EXE

Next, go into Add/Remove Programs and look for anything that looks like MyWay Bar, My Search Bar, My Web Bar, shit like that and uninstall it. Don't worry if you don't see anything like that. Also, look for something called either Instant Access or Instant Access Dialler and remove that. That Spyware Doctor crap can go too.

Next, run HijackThis and put a check mark next to all of these: -
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.webtvparty.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.webtvparty.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\sbvjv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\sbvjv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\sbvjv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\sbvjv.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\sbvjv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\sbvjv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.webtvparty.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\sbvjv.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.locators.com/search.php?que=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {67AE712E-10CA-AB2F-005B-3833F6FD8821} - C:\WINDOWS\SYSTEM\APIYH32.DLL
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - HKCU\..\Run: [instant Access] rundll32.exe p2esocks_1027.dll,InstantAccess
O4 - HKCU\..\Run: [spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Downloads - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\exio-kazemule-uk\index.html
O9 - Extra button: Locators.com Search Bar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra 'Tools' menuitem: Locators.com Search Bar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.6.cab
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} (EGEGAUTH Class) - http://akamai.downloadv3.com/binaries/P2EC...UTH_1027_EN.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab

Close ALL browser windows and hit Fix Checked.

Reboot into Safe Mode by tapping F8 as your PC boots. Start Windows Explorer and hit Tools then Folder Options. On the View tab, make sure the following are set like this: -
Show hidden files and folders (SELECTED)
Hide extensions of known file types (NOT SELECTED)
Then hit Apply then OK.

Now, search on your machine for the following and delete them if found: -
C:\WINDOWS\system\sbvjv.dll
C:\WINDOWS\SYSTEM\APIYH32.DLL
p2esocks_1027.dll

There may also be a folder in Program Files on your drive called MyWebSearch or something very similar. If so, delete the entire folder.

Now, empty all your temporary folders, including temporary internet files and cookies. Empty the recycle bin too. In fact, if you can download Crap Cleaner before you start this lengthy process, now would be a good time to run it.

Reboot your PC into regular Windows. Start Internet Explorer and click Tools then Internet Options. Click on the Programs tab and hit Reset Web Settings. Then hit the General tab, retype your homepage into the appropriate box and hit Apply then OK.

You might want to post another log at this point to see if any of it has come back.

I then recommend you ditch Norton, cos it's quite clearly not doing you any favours! Get Kaspersky or F-Prot and use Sygate firewall. Also, you need to go to http://www.java.com and download the latest version of Sun's Java because yours is out of date.

If you have a printer, print this shit out mate! Best of luck.
Guest Ryan Posted December 13, 2004
Thanks Steve. I love you. I'll have a stab at it, but I may end up wiping the fucker. I'll get back to you anyway.
Steve Posted December 13, 2004
No worries mate. It should work, but if I've missed even one thing then some of it, or worse, all of it could come flooding back. If it does work, your PC should be noticeably faster anyway!

One more thing - run a registry cleaner such as RegSeeker once your PC is tidied up. Even though the spyware will be gone, there will still be the odd registry entry lurking about.
Guest Ryan Posted December 13, 2004
Change of plan. I'll wipe it tomorrow lol. There were only a few things I needed to save to disk anyway. I don't keep anything too important on this computer. Thanks again Steve.
Steve Posted December 13, 2004
If you have a CD burner, download Sygate and Kaspersky and burn them to disc. Then install them before you connect to the net for the first time. There are links to those programs on here somewhere, along with the key you need for Kaspersky.
Guest Ryan Posted December 13, 2004
Sweet. I'll get on that.
Guest Deeswift Posted December 13, 2004
Jesus... that's one hell of a log file!
2ndhand Posted December 13, 2004
I fixed a PC that had a billion more spyware and virus programs than Kaspersky and Spybot could detect. It took hours to get 'em all off. Run msconfig from the command line, then in the Startup tab uncheck the fruity-looking processes so they don't start up again (thus stopping you deleting them). In regedt32 (or regedit) go to the "run" section in (off the top of my head) users/software/microsoft/windows/currentversion/ and blast out the reg keys that are for spyware / error page redirectors / all these shitty programs. One note of caution though: don't stop / delete anything that is system / hardware related. If you are unsure of any of the running processes, Google them and you'll find whether or not it's a bad one. These little processes aren't all necessarily harmful as such, but they can "influence" your web browsing. Quite cleverly too. However, when there is a brace of them running, the PC takes ages to start, runs slowly, and doesn't shut down correctly. Metaphorically it would be like a gypsy hooking his caravan to your car and hitching a lift without you realising. Some caravans are easy to spot, whereas some have cloaking devices...
Steve Posted December 13, 2004
"It took hours to get 'em all off. Run msconfig from the command line, then in the Startup tab uncheck the fruity-looking processes so they don't start up again (thus stopping you deleting them). In regedt32 (or regedit) go to the "run" section in (off the top of my head) users/software/microsoft/windows/currentversion/ and blast out the reg keys that are for spyware / error page redirectors / all these shitty programs."

That is essentially what HijackThis does. When you see an entry like this: -
O4 - HKCU\..\Run: [instant Access] rundll32.exe p2esocks_1027.dll,InstantAccess
.....the HKCU part is HKEY_CURRENT_USER, i.e. a registry key. HijackThis goes further than that though. It shows changes to your hosts file (which redirect you to other sites), Browser Helper Objects that have been added to your browser, items that have been added to the trusted zone, extra unwanted options that have been added to menus, changes in system wide policies etc. etc. It's far easier (and more powerful) than manually removing stuff because you will never get it all by sifting through the registry.
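As an added example (not code from this thread or from HijackThis itself), here is a small Python classifier that parses log lines in the format posted above, groups them by section code and flags the structural red flags the thread turns on: search or start pages redirected to res:// or file:// resources, a missing URLSearchHook, BHOs loaded from the Windows system directory, autorun entries with random hex names, wildcard Trusted Zone additions, ActiveX downloads via ms-its:/mhtml: or from non-Microsoft hosts, and a nameserver outside private address space. The flagging rules and the sample log are this example's own constructions, assembled from entries posted in the thread.

```python
"""Classify HijackThis v1.98 log lines by section code and flag the patterns this
thread turns on: R0/R1 search or start pages pointing at res:// or file://
resources, a missing URLSearchHook (R3), BHOs (O2) loaded from the Windows system
directory, O4 autoruns with random hex names, wildcard O15 Trusted Zone entries,
O16 ActiveX downloads via ms-its:/mhtml: or from non-Microsoft hosts, and O17
nameservers outside private address space.  Added example, not from the thread
or from HijackThis; the flagging rules are this example's own assumptions."""
import ipaddress
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
URL_RE = re.compile(r"https?://(?P<host>[^/\s]+)", re.IGNORECASE)
# Hosts an O16 Downloaded Program File is expected to come from on a stock XP box.
MS_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")


def _microsoft_host(host):
    host = host.lower().split(":")[0]
    return any(host == h or host.endswith("." + h) for h in MS_DPF_HOSTS)


def flag_entry(code, body):
    """Return the list of concerns for one log entry (empty when none)."""
    low = body.lower()
    flags = []
    if code in ("R0", "R1") and ("= res://" in low or "= file://" in low):
        flags.append("search/start page points at a local DLL or file, not a web site")
    if code == "R3" and "is missing" in low:
        flags.append("URLSearchHook missing (commonly removed by search hijackers)")
    if code == "O2" and re.search(r"\\windows\\system(?:32)?\\", low):
        flags.append("BHO DLL sits directly in the Windows system directory")
    if code == "O15" and body.partition(":")[2].strip().startswith("*."):
        flags.append("wildcard domain in IE Trusted Zone (weaker security for every host under it)")
    if code == "O4":
        m = RUN_RE.match(body)
        if m and re.fullmatch(r"[0-9a-f]{8,}", m.group("name").lower()):
            flags.append("autorun entry with a random hex name")
    if code == "O16":
        if "ms-its:" in low or "mhtml:" in low:
            flags.append("ActiveX entry uses the ms-its/mhtml protocol handlers")
        m = URL_RE.search(body)
        if m and not _microsoft_host(m.group("host")):
            flags.append("ActiveX control downloaded from a non-Microsoft host")
    if code == "O17":
        m = re.search(r"NameServer = (\d{1,3}(?:\.\d{1,3}){3})", body)
        if m and not ipaddress.ip_address(m.group(1)).is_private:
            flags.append("DNS server outside private address space (possible DNS hijack)")
    return flags


def analyse(log_text):
    """Parse a whole log. Returns (entries_by_code, flagged), where flagged lists
    (code, body, flags) in log order for entries that raised at least one concern."""
    by_code = defaultdict(list)
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # header lines, the 'Running processes:' block, blanks
            continue
        code, body = m.group("code"), m.group("body")
        by_code[code].append(body)
        flags = flag_entry(code, body)
        if flags:
            flagged.append((code, body, flags))
    return dict(by_code), flagged


# Constructed sample: entries lifted from the logs posted in this thread, plus benign
# Google Toolbar, iTunes and Windows Update entries that must not be flagged.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\sbvjv.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Class - {67AE712E-10CA-AB2F-005B-3833F6FD8821} - C:\WINDOWS\SYSTEM\APIYH32.DLL
O4 - HKLM\..\Run: [b1f7f4f5d29d] C:\WINDOWS\System32\cnbjmon2.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1097436475937
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1
"""

if __name__ == "__main__":
    _, flagged = analyse(SAMPLE_LOG)
    for code, body, flags in flagged:
        print(f"{code}: {body}")
        for f in flags:
            print(f"    -> {f}")
```

Structural rules only catch what they are written for: the [bakra] IEHost.exe entry in Nimrod's log passes all of them, so the output is a triage list to read alongside the log, not a verdict.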
Nimrod Posted December 13, 2004
What do you reckon to this log...?

Logfile of HijackThis v1.98.2
Scan saved at 14:53:44, on 13/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\IEHost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\cnbjmon2.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\WinAce\WinAce.exe
C:\Program Files\WinAce\WinAce.exe
C:\Documents and Settings\Matt\My Documents\INSTALLS\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.snoopy.force9.co.uk/sos/index.php
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ntlworld.com/broadband
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [b1f7f4f5d29d] C:\WINDOWS\System32\cnbjmon2.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1097436475937
O16 - DPF: {8DA664DC-123E-4836-B7B3-6653A8B082AB} (ChatOCX Control) - http://www.igl.net/clo/dev/ChatOCX/grab/ChatOCXProj.cab
Guest Deeswift Posted December 13, 2004
I can see from the above log that there's a load of unnecessary stuff running. Stuff like "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" you really don't need. You should Google each entry and do whatever is needed.

As an example of how a HijackThis log should look, here's mine. There are just the necessary things running:

Logfile of HijackThis v1.98.2
Scan saved at 15:50:01, on 13/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
E:\Program files\Security\Hijack This!\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
Steve Posted December 13, 2004
Nimrod - there's actually a couple of mild viruses in there.

First off, press Control/Alt/Delete and end these processes if they are running: -
jusched.exe
realsched.exe
IEHost.exe
qttask.exe
cnbjmon2.exe

Go into Add/Remove and see if MaxSpeed is on the list - uninstall it if it is.

Now run HijackThis again and check off all of the following: -
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [b1f7f4f5d29d] C:\WINDOWS\System32\cnbjmon2.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {8DA664DC-123E-4836-B7B3-6653A8B082AB} (ChatOCX Control) - http://www.igl.net/clo/dev/ChatOCX/grab/ChatOCXProj.cab

Close ALL browser windows and hit Fix Checked. Empty all your temp files by running Disc Cleanup from the Start menu.

Reboot, make sure you have hidden files showing then search for the following and delete them: -
C:\WINDOWS\System32\SearchBar.htm
C:\WINDOWS\System32\IEHost.exe
C:\WINDOWS\System32\cnbjmon2.exe
C:\WINDOWS\System32\ms.exe

Then start Internet Explorer and hit Tools then Internet Options. On the Programs tab, hit Reset Web Settings then hit Apply then OK.

Two other things - you have Sun's Java installed but you appear to be using Microsoft's version. Do a Google search on removing the MS one cos Sun's is better - you don't need both. The other thing is you seem to have no firewall or antivirus programs. At the very least get a firewall because the XP one is useless.

Actually, here are the instructions for removing MS Java: -
http://www.java.com/en/download/help/uninstall_msvm.jsp
Mixologist Posted December 13, 2004
Damn Ryan, your log file is HUGE.
rygon Posted December 15, 2004
I've just downloaded the new Kaspersky but the harpoon.key doesn't work for it... anyone got a key that does?
Sideshow Posted December 15, 2004
Did you import it, not just double-click it? I got the new version that they released about 2 weeks ago and it was OK.
Steve Posted December 15, 2004
Yeah, you don't double-click it. Windows will think it's an invalid registry key if you do.