Steve Posted November 17, 2005 Author Share Posted November 17, 2005 There's a couple of things that can be removed. Before we sort it out though, post another log using the latest version of HijackThis. It shows up more stuff than the version you used there. You can download it here: - http://www.majorgeeks.com/download3155.html Quote Link to comment Share on other sites More sharing options...
Nimrod Posted November 17, 2005 Share Posted November 17, 2005 nice one steve Logfile of HijackThis v1.99.1Scan saved at 14:58:26, on 17/11/2005Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exeC:\WINDOWS\System32\nvsvc32.exeC:\Program Files\QuickTime\qttask.exeC:\Program Files\Java\jre1.5.0_02\bin\jusched.exeC:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exeC:\WINDOWS\System32\DeltTray.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Java\jre1.5.0_02\bin\jucheck.exeC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\System32\ctfmon.exeC:\Program Files\MSN Messenger\msnmsgr.exeC:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\WINDOWS\explorer.exeC:\PROGRA~1\MOZILL~1\firefox.exeC:\Program Files\Nero\Nero 7\Nero ShowTime\ShowTime.exeC:\Program Files\Real\RealPlayer\RealPlay.exeC:\Documents and Settings\Matt\My Documents\INSTALLS\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nutrider.com/R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ntlworld.com/broadbandO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dllO2 - BHO: (no name) - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - (no file)O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocxO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dllO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exeO4 - HKLM\..\Run: [KAV50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0O4 - HKLM\..\Run: [DeltTray] DeltTray.exeO4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimizeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exeO4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exeO4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /backgroundO4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -hO4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"O4 - Startup: AMSN.lnk = C:\Program Files\AMSN\amsn.exeO8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.htmlO8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.htmlO8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.htmlO8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.htmlO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.htmlO8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.htmlO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cabO16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{72ED4BB2-D4EA-4140-A4FF-239980244C8B}: NameServer = 192.168.1.1O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)O23 - Service: kavsvc - Kaspersky Labs - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exeO23 - Service: Kaspersky Anti-Virus Service (KLBLMain) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exeO23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exeO23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing) Quote Link to comment Share on other sites More sharing options...
Steve Posted November 17, 2005 Author Share Posted November 17, 2005 OK check off all of these: - O2 - BHO: (no name) - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - (no file)O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exeO4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exeO16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cabO16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cabO23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing) Close all other windows and hit Fix Checked. Reboot into Safe Mode by tapping F8 as the PC is booting. Start Windows Explorer and hit Tools, then Folder Options. On the View tab, set the following like this: - Show hidden files and folders - CheckedHide extensions for known file types - NOT checkedHide protected operating system files (Recommended) - NOT checked Then hit Apply then OK. Search for the following file and delete it if found (it's possibly been deleted already so don't worry if it ain't there): - C:\WINDOWS\zeta.exe Reboot into regular Windows. Start IE and hit Tools then Internet Options. Click on the Security tab, then the Internet zone icon and make sure the security level has not been set to low. If it has, click Default Level, then hit Apply then OK. Finally, left click this link to download the latest version of Java: - http://jdl.sun.com/webapps/download/AutoDL?BundleId=10279 Once it's done, go to Add or Remove programs and uninstall your current version, then install this one. Job done. Quote Link to comment Share on other sites More sharing options...
Steve Posted November 17, 2005 Author Share Posted November 17, 2005 Oh yeah - I don't see a firewall running on your machine. If you don't have one, then download the free version of Sygate: - http://smb.sygate.com/products/spf_standard.htm Once installed, disable the built in XP firewall: - http://www.duxcw.com/faq/win/xp/firewall.htm Quote Link to comment Share on other sites More sharing options...
Nimrod Posted November 17, 2005 Share Posted November 17, 2005 steve, you are DA_MAN Quote Link to comment Share on other sites More sharing options...
Nimrod Posted November 17, 2005 Share Posted November 17, 2005 btw, i dont suppose you have any tips on getting a decent anti virus do you? my kaspersky is way outdated and i cant find a keygen Quote Link to comment Share on other sites More sharing options...
Steve Posted November 17, 2005 Author Share Posted November 17, 2005 Check your PMs. Quote Link to comment Share on other sites More sharing options...
Nimrod Posted November 17, 2005 Share Posted November 17, 2005 fuck me steve, thats fucking brilliant! got kaspersky and sygate installed.... the bomb!! cheers mate Quote Link to comment Share on other sites More sharing options...
Guest Vekked Posted November 17, 2005 Share Posted November 17, 2005 Logfile of HijackThis v1.99.1Scan saved at 12:33:39 PM, on 17/11/2005Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\WINDOWS\system32\LEXBCES.EXEC:\WINDOWS\system32\LEXPPS.EXEC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\WINDOWS\SM1BG.EXEC:\Program Files\Lexmark X74-X75\lxbbbmgr.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Program Files\Lexmark X74-X75\lxbbbmon.exeC:\PROGRA~1\COMMON~1\WinTools\WToolsA.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\WINDOWS\system32\rundll32.exeC:\Program Files\Java\jre1.5.0_03\bin\jusched.exeC:\Program Files\Norton AntiVirus\IWP\NPFMntor.exeC:\Program Files\Analog Devices\SoundMAX\SMAgent.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeC:\Program Files\Common Files\WinTools\WToolsS.exeC:\PROGRA~1\COMMON~1\WinTools\WSup.exeC:\Program Files\Messenger\msmsgs.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\wuauclt.exeC:\Documents and Settings\office\Desktop\HijackThis.exeC:\WINDOWS\system32\wuauclt.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50193R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50193R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.comR0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50193R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.ca/R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dllF2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exeO2 - BHO: (no name) - SOFTWARE - (no file)O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLLO2 - BHO: MySearch Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MySearch\SrchAstt\1.bin\MYSRCHAS.DLLO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dllO2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_98.dllO2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dllO2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dllO2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dllO2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dllO3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLLO3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dllO3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dllO4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeO4 - HKLM\..\Run: [sM1BG] C:\WINDOWS\SM1BG.EXEO4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [*dbmp3] C:\WINDOWS\Drivers\dbmp3.exeO4 - HKLM\..\Run: [*asdoc] C:\WINDOWS\system32\usmt\asdoc.exeO4 - HKLM\..\Run: [*vbmain] C:\WINDOWS\vbmain.exeO4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exeO4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exeO4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exeO4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -sO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exeO4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quietO4 - HKCU\..\Run: [internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorunO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXEO8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htmO8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htmO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000O9 - Extra button: PokerNow - {2DB0FBAF-5223-4c96-8C25-F60D5E437D34} - C:\Program Files\PokerNow\PokerNow.exe (file missing)O9 - Extra 'Tools' menuitem: PokerNow - {2DB0FBAF-5223-4c96-8C25-F60D5E437D34} - C:\Program Files\PokerNow\PokerNow.exe (file missing)O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exeO9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Hijacked Internet access by New.NetO10 - Hijacked Internet access by New.NetO10 - Hijacked Internet access by New.NetO10 - Hijacked Internet access by New.NetO10 - Hijacked Internet access by New.NetO12 - Plugin for .m4a: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dllO12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dllO16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cabO16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cabO16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cabO16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cabO16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/118aa2753588806d2604/...ip/RdxIE601.cabO16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cabO16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://civilgroup.aecon.com/tsweb/msrdp.cabO16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab8/dmcc2.cabO16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/mv/XTools.cabO16 - DPF: {A1CCCFF4-0DF9-4FFC-99A3-A37A0F3D8E18} (p3bgset Class) - http://player.bugs.co.kr/install/bugsLoader20040708.cabO16 - DPF: {B260B995-22FE-4250-9D89-69F3D2DF2896} (MYPOPINST.MYPOP) - http://info.anycert.com/c.wtz?i=8O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cabO16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/BugsLoader20041018.cabO16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cabO16 - DPF: {E6B72B91-7AC8-42A3-9545-A38C12700F6B} (JamagicCtl Class) - http://www.clickteam.com/~webftp/files/Jamagic/jamagic.cabO18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeO23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeO23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXEO23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exeO23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exeO23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exeO23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exeO23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeO23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exeO23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exeO23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeO23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exeO23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exeO23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing) Quote Link to comment Share on other sites More sharing options...
flowerpot Posted November 17, 2005 Share Posted November 17, 2005 Vekked runs the hijack gauntlet.Uhoh newdotnet Quote Link to comment Share on other sites More sharing options...
Nimrod Posted November 17, 2005 Share Posted November 17, 2005 fuck me, thats hella long Quote Link to comment Share on other sites More sharing options...
Steve Posted November 17, 2005 Author Share Posted November 17, 2005 That log is nasty! lol. First off, go to Add or Remove programs and remove anything that looks like this: - My Search BarMySearch AssistantWebHancer If there is anything like that listed (there may not be) then uninstall it, then reboot your PC and carry on to the next stage. Next, download Ad-Aware from here: - http://www.download.com/3000-2144-10045910.html Install it, update it and then run it. It'll scan your PC for spyware and other crap. Have it fix everything that it finds. Next, download and install CCleaner from here, but don't run it yet: - http://www.ccleaner.com/ Finally, reboot your PC and do another scan with HijackThis and post up the new log. Hopefully Ad-Aware will have removed some of the crap, making it quicker and easier to manually remove the rest. Quote Link to comment Share on other sites More sharing options...
Grizzly Posted November 17, 2005 Share Posted November 17, 2005 Logfile of HijackThis v1.99.1Scan saved at 1:09:47 PM, on 11/17/2005Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\Program Files\Norton AntiVirus\navapsvc.exeC:\WINDOWS\system32\ZoneLabs\vsmon.exeC:\WINDOWS\system32\wuauclt.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\mHotkey.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\WINDOWS\wt\updater\wcmdmgr.exeC:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exeC:\Program Files\Common Files\CMEII\CMESys.exeC:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXEC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\QuickTime\qttask.exeC:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exeC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exeC:\Program Files\Common Files\GMT\GMT.exeC:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exeC:\Program Files\Messenger\msmsgs.exeC:\Documents and Settings\John\Desktop\hijack this!\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jspR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.comR0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jspR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhostO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocxO2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dllO2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dllO2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dllO3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dllO4 - HKLM\..\Run: [CHotkey] mHotkey.exeO4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launchO4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exeO4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exeO4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXEO4 - HKLM\..\Run: [VTPreset] VTPreset.exeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odlO4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exeO4 - Global Startup: Configuration Utility.lnk = C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exeO4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exeO4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exeO4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exeO8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htmO8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.htmlO8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTMLO8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.htmlO8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.htmlO8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.htmlO8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.htmlO8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.htmlO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dllO9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exeO9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dllO9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dllO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dllO9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dllO14 - IERESET.INF: START_PAGE_URL=http://www.emachines.comO16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cabO16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cabO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/drm.cabO16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cabO16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cabO16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} - http://bis.180solutions.com/activexinstall...seInstaller.cabO16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cabO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeO23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exeO23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exeO23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeO23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe Quote Link to comment Share on other sites More sharing options...
Steve Posted November 17, 2005 Author Share Posted November 17, 2005 OK, here's the instructions for Grizzly: - Go to Add or Remove Programs and uninstall the following if they exist: - Wild TangentGator If you uninstall anything, then reboot the PC before continuing. Run HijackThis and check off all of the following: - R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jspR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.comR0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jspO4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launchO4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exeO9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dllO9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dllO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dllO14 - IERESET.INF: START_PAGE_URL=http://www.emachines.comO16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - http://toolbar.isearch.com/general/drm.cabO16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cabO16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cabO16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} - http://bis.180solutions.com/activexinstall...seInstaller.cabO16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab Close ALL other windows and hit Fix Checked. Reboot the PC into Safe Mode by tapping F8 as the computer starts and delete the following bold items. You may have to enable hidden/system files to see them: - C:\WINDOWS\wt C:\Program Files\Common Files\GMT C:\Program Files\Common Files\CMEII All of those are related to spyware. Once you've got rid of them, reboot back into regular Windows. Start Internet Explorer and hit Tools, then Internet Options. Click on the Programs tab and hit the Reset Web Settings button. Click on the Security tab, Internet zone icon and make sure the security level has not been set to low. If it has click the Default Level button. Finally, click on the General tab and re-enter the homepage you want to use. Now you must click Apply then OK. If Norton does not include a proper firewall, then download and install the free version of Sygate here: - http://smb.sygate.com/products/spf_standard.htm If you do that, then after installing it disable the built-in XP firewall: - http://www.duxcw.com/faq/win/xp/firewall.htm That's it! Post back if you have any problems. Quote Link to comment Share on other sites More sharing options...
Guest Vekked Posted November 17, 2005 Share Posted November 17, 2005 Logfile of HijackThis v1.99.1Scan saved at 3:31:03 PM, on 17/11/2005Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\WINDOWS\system32\LEXBCES.EXEC:\WINDOWS\system32\LEXPPS.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Norton AntiVirus\IWP\NPFMntor.exeC:\Program Files\Analog Devices\SoundMAX\SMAgent.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\WINDOWS\SM1BG.EXEC:\Program Files\Lexmark X74-X75\lxbbbmgr.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Program Files\Lexmark X74-X75\lxbbbmon.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\WINDOWS\system32\rundll32.exeC:\Program Files\Java\jre1.5.0_03\bin\jusched.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Norton AntiVirus\navapsvc.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Winamp\winamp.exeC:\Program Files\Messenger\msmsgs.exeC:\Documents and Settings\office\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.comR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.ca/R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exeO2 - BHO: (no name) - SOFTWARE - (no file)O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dllO2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_98.dllO2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dllO2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dllO2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dllO3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dllO3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dllO4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeO4 - HKLM\..\Run: [sM1BG] C:\WINDOWS\SM1BG.EXEO4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [*dbmp3] C:\WINDOWS\Drivers\dbmp3.exeO4 - HKLM\..\Run: [*asdoc] C:\WINDOWS\system32\usmt\asdoc.exeO4 - HKLM\..\Run: [*vbmain] C:\WINDOWS\vbmain.exeO4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exeO4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exeO4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -sO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exeO4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quietO4 - HKCU\..\Run: [internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorunO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXEO8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htmO8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htmO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000O9 - Extra button: PokerNow - {2DB0FBAF-5223-4c96-8C25-F60D5E437D34} - C:\Program Files\PokerNow\PokerNow.exe (file missing)O9 - Extra 'Tools' menuitem: PokerNow - {2DB0FBAF-5223-4c96-8C25-F60D5E437D34} - C:\Program Files\PokerNow\PokerNow.exe (file missing)O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exeO9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Hijacked Internet access by New.NetO10 - Hijacked Internet access by New.NetO10 - Hijacked Internet access by New.NetO10 - Hijacked Internet access by New.NetO10 - Hijacked Internet access by New.NetO12 - Plugin for .m4a: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dllO12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dllO16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cabO16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cabO16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cabO16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cabO16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/118aa2753588806d2604/...ip/RdxIE601.cabO16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cabO16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://civilgroup.aecon.com/tsweb/msrdp.cabO16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab8/dmcc2.cabO16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/mv/XTools.cabO16 - DPF: {A1CCCFF4-0DF9-4FFC-99A3-A37A0F3D8E18} (p3bgset Class) - http://player.bugs.co.kr/install/bugsLoader20040708.cabO16 - DPF: {B260B995-22FE-4250-9D89-69F3D2DF2896} (MYPOPINST.MYPOP) - http://info.anycert.com/c.wtz?i=8O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cabO16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/BugsLoader20041018.cabO16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cabO16 - DPF: {E6B72B91-7AC8-42A3-9545-A38C12700F6B} (JamagicCtl Class) - http://www.clickteam.com/~webftp/files/Jamagic/jamagic.cabO18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeO23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeO23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXEO23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exeO23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exeO23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exeO23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exeO23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeO23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exeO23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exeO23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeO23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exeO23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing) Quote Link to comment Share on other sites More sharing options...
stalk Posted November 17, 2005 Share Posted November 17, 2005 lookin good mane. leave it as it is. Quote Link to comment Share on other sites More sharing options...
Guest Vekked Posted November 17, 2005 Share Posted November 17, 2005 lookin good mane. leave it as it is.<{POST_SNAPBACK}> lol, yea, i thought it was lookin pretty good too... Quote Link to comment Share on other sites More sharing options...
$a!n+ Posted November 17, 2005 Share Posted November 17, 2005 lookin good mane. leave it as it is.<{POST_SNAPBACK}> LOL Thats machine is on its last leg. Big Brother is watching. Quote Link to comment Share on other sites More sharing options...
Steve Posted November 17, 2005 Author Share Posted November 17, 2005 lookin good mane. leave it as it is.lol. Copy this post into Notepad cos the instructions are fairly long and you can't have IE or any other browser open when doing most of the fixes. First off, you're gonna need a program called LSPFix. Download it here: - http://www.cexx.org/lspfix.htm Make sure IE and any other browsers are closed and run it. Check the box that says "I know what I'm doing". On the left is a list of files. Look for this file: - newdotnet6_98.dll Click on it and hit the >> button so it moves to the right-hand window. If you don't see that exact file name, it will be similar but it should have "newdotnet" as part of the name. It's vital you only move that particular file over to the right hand window! Once you've done that, click the Finish button. If you get any kind of error at all, DO NOT CONTINUE WITH THE REST OF THESE INSTRUCTIONS. Post back here and let me know what the error says. Now, run HijackThis and check off all of the following: - R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.comO2 - BHO: (no name) - SOFTWARE - (no file)O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_98.dllO2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dllO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [*dbmp3] C:\WINDOWS\Drivers\dbmp3.exeO4 - HKLM\..\Run: [*asdoc] C:\WINDOWS\system32\usmt\asdoc.exeO4 - HKLM\..\Run: [*vbmain] C:\WINDOWS\vbmain.exeO4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exeO4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -sO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exeO4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXEO9 - Extra button: PokerNow - {2DB0FBAF-5223-4c96-8C25-F60D5E437D34} - C:\Program Files\PokerNow\PokerNow.exe (file missing)O9 - Extra 'Tools' menuitem: PokerNow - {2DB0FBAF-5223-4c96-8C25-F60D5E437D34} - C:\Program Files\PokerNow\PokerNow.exe (file missing)O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/118aa2753588806d2604/...ip/RdxIE601.cabO16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://civilgroup.aecon.com/tsweb/msrdp.cabO16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab8/dmcc2.cabO16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/mv/XTools.cabO16 - DPF: {A1CCCFF4-0DF9-4FFC-99A3-A37A0F3D8E18} (p3bgset Class) - http://player.bugs.co.kr/install/bugsLoader20040708.cabO16 - DPF: {B260B995-22FE-4250-9D89-69F3D2DF2896} (MYPOPINST.MYPOP) - http://info.anycert.com/c.wtz?i=8O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/BugsLoader20041018.cabO16 - DPF: {E6B72B91-7AC8-42A3-9545-A38C12700F6B} (JamagicCtl Class) - http://www.clickteam.com/~webftp/files/Jamagic/jamagic.cabO23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing) Close ALL other windows and hit Fix Checked. Reboot your PC into Safe Mode by tapping F8 as it's starting. Start Windows Explorer and hit Tools, then Folder Options. On the View tab, set the following like this: - Show hidden files and folders - CheckedHide extensions for known file types - NOT checkedHide protected operating system files (Recommended) - NOT checked Then hit Apply then OK. Now browse to these files and folders shown in bold and delete them if they exist: - C:\Program Files\NewDotNet C:\Program Files\Common Files\WinTools C:\Program Files\webHancer C:\Program Files\PokerNow C:\WINDOWS\Drivers\dbmp3.exe C:\WINDOWS\system32\usmt\asdoc.exe C:\WINDOWS\vbmain.exe C:\WINDOWS\System32\angelex.exe C:\WINDOWS\zeta.exe Once you're done, run CCleaner that you installed earlier. That'll clean out all your temporary files. When that's complete, reboot back into regular Windows. Start Internet Explorer and hit Tools, then Internet Options. Click on the Programs tab and hit the Reset Web Settings button. Click on the Security tab, Internet zone icon and make sure the security level has not been set to low. If it has click the Default Level button. Finally, click on the General tab and re-enter the homepage you want to use (if it's changed from the one you want). Now you must click Apply then OK. Left click this link to download the latest version of Java: - http://jdl.sun.com/webapps/download/AutoDL?BundleId=10279 Once it's done, go to Add or Remove programs and uninstall your current version, then install this one. Next download the free version of Sygate: - http://smb.sygate.com/products/spf_standard.htm Once installed, disable the built in XP firewall: - http://www.duxcw.com/faq/win/xp/firewall.htm At this point, reboot the machine and grab a new HijackThis log and post it. If all is well, there's two more short steps you need to do just to tidy up and that's job done. Quote Link to comment Share on other sites More sharing options...
Steve Posted November 17, 2005 Author Share Posted November 17, 2005 If you have any problem with your Internet connection after following these instructions, then try the LSPFix steps again. NewDotNet embeds itself deep into your system, but as long as you fix it with LSPFix either before or after running HijackThis, then you'll be OK. Quote Link to comment Share on other sites More sharing options...
Guest Vekked Posted November 18, 2005 Share Posted November 18, 2005 Logfile of HijackThis v1.99.1Scan saved at 9:00:26 PM, on 17/11/2005Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\WINDOWS\system32\LEXBCES.EXEC:\WINDOWS\system32\LEXPPS.EXEC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\rundll32.exeC:\Program Files\Norton AntiVirus\IWP\NPFMntor.exeC:\WINDOWS\SM1BG.EXEC:\Program Files\Lexmark X74-X75\lxbbbmgr.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\Program Files\Lexmark X74-X75\lxbbbmon.exeC:\Program Files\Analog Devices\SoundMAX\SMAgent.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeC:\Program Files\Internet Explorer\iexplore.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Norton AntiVirus\navapsvc.exeC:\Program Files\Messenger\msmsgs.exeC:\WINDOWS\system32\notepad.exeC:\Documents and Settings\office\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.ca/R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exeO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dllO2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dllO2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dllO3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dllO3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dllO4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -sO4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exeO4 - HKLM\..\Run: [sM1BG] C:\WINDOWS\SM1BG.EXEO4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeO4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quietO4 - HKCU\..\Run: [internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorunO8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htmO8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htmO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exeO9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO10 - Hijacked Internet access by New.NetO10 - Hijacked Internet access by New.NetO10 - Hijacked Internet access by New.NetO10 - Hijacked Internet access by New.NetO12 - Plugin for .m4a: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dllO12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dllO16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cabO16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cabO16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cabO16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cabO16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cabO16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cabO16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cabO18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeO23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeO23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXEO23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exeO23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exeO23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exeO23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exeO23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeO23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exeO23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exeO23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeO23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe Quote Link to comment Share on other sites More sharing options...
Steve Posted November 18, 2005 Author Share Posted November 18, 2005 Right we just need to shift NewDotNet and you're all sorted. You're gonna have to do the LSPFix thing again, so do that first, then run HijackThis and check off just these two items: - F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exeO4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s Close all other windows and hit Fix Checked. Now hit Start then Run and type "cmd" without quotes and hit Enter. That opens an old DOS style window. Type the following commands, pressing Enter after each one: - cd c:\program files\newdotnetregsvr32 /u newdotnet6_98.dll In the first command there is a single space after "cd". In the second command there is a space either side of "/u". Once you've done that, exit out of that screen. Reboot your PC into Safe Mode and delete the NewDotNet folder. There should be no reason for it not to delete this time! Reboot back into regular Windows. If you cannot access the Internet, then once again repeat the LSPFix steps, but you should be OK. If all is well, come back and post one final log. Quote Link to comment Share on other sites More sharing options...
texas pete Posted November 18, 2005 Share Posted November 18, 2005 Logfile of HijackThis v1.99.1Scan saved at 02:07:42, on 18/11/2005Platform: Windows ME (Win9x 4.90.3000)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes:C:\WINDOWS\SYSTEM\KERNEL32.DLLC:\WINDOWS\SYSTEM\MSGSRV32.EXEC:\WINDOWS\SYSTEM\MPREXE.EXEC:\WINDOWS\SYSTEM\MSTASK.EXEC:\WINDOWS\SYSTEM\SSDPSRV.EXEC:\WINDOWS\SYSTEM\SPOOLSRV32.EXEC:\WINDOWS\SYSTEM\mmtask.tskC:\WINDOWS\EXPLORER.EXEC:\WINDOWS\TASKMON.EXEC:\WINDOWS\SYSTEM\SYSTRAY.EXEC:\WINDOWS\SYSTEM\IRMON.EXEC:\WINDOWS\SYSTEM\KHOOKER.EXEC:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXEC:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXEC:\WINDOWS\SYSTEM\WMIEXE.EXEC:\PROGRAM FILES\COMMON FILES\KODAK\KODAK_DR\KODAKCCS.EXEC:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXEC:\WINDOWS\APPLICATION DATA\TWSU.EXEC:\WINDOWS\SYSTEM\MBD.EXEC:\WINDOWS\QBROWSE.EXEC:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXEC:\WINDOWS\SYSTEM\PSTORES.EXEC:\WINDOWS\SYSTEM\DDHELP.EXEC:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXEC:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXEC:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://dr-search4u.com/sp.htmR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.wow-access.com/search/main.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blankR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wow-access.com/search/main.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.wow-access.com/search/main.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blankR1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blankR1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.wow-access.com/search/main.htmlR0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blankR0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.wow-access.com/search/main.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dr-search4u.com/index.htmR1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://dr-search4u.com/sp.htmR1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blankR1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blankR3 - Default URLSearchHook is missingO2 - BHO: (no name) - {128AF2C0-3220-1E88-5663-393650EEF597} - C:\WINDOWS\SYSTEM\DEOAV.DLLO2 - BHO: (no name) - {305E2F57-8AF1-4C20-B6CB-EA6B0EA87D9C} - C:\WINDOWS\SYSTEM\IMKI.DLLO3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCXO4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorunO4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exeO4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -sO4 - HKLM\..\Run: [systemTray] SysTray.ExeO4 - HKLM\..\Run: [irMon] irmon.exeO4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrSchemeO4 - HKLM\..\Run: [siS KHooker] C:\WINDOWS\SYSTEM\khooker.exeO4 - HKLM\..\Run: [QBROWSE] "C:\Progra~1\uniwill\qbrowse\qbrowse.exe"O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [LoadQM] loadqm.exeO4 - HKLM\..\Run: [KodakCCS] C:\Program Files\Common Files\KODAK\KODAK_DR\KodakCCS.exe --pdr: "C:\Program Files\Common Files\KODAK\KODAK_DR\dcmnter.pdr"O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exeO4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYERO4 - HKLM\..\Run: [load32] C:\WINDOWS\SYSTEM\winldra.exeO4 - HKLM\..\Run: [winpipe] C:\WINDOWS\SYSTEM32\WINPIPE.EXEO4 - HKLM\..\Run: [CustomizeSearch] http://www.wow-access.com/search/main.htmlO4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exeO4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrSchemeO4 - HKLM\..\RunServices: [schedulingAgent] mstask.exeO4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exeO4 - HKLM\..\RunServices: [logon.exe] C:\WINDOWS\SYSTEM\logon.exeO4 - HKLM\..\RunServices: [srv32 spool service] C:\WINDOWS\System\spoolsrv32.exeO4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /backgroundO4 - HKCU\..\Run: [Clmd] C:\WINDOWS\Application Data\twsu.exeO4 - HKCU\..\Run: [Yvmtya] C:\WINDOWS\SYSTEM\mbd.exeO4 - Startup: Qbrowse.lnk = C:\WINDOWS\Qbrowse.exeO4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exeO12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dllO15 - Trusted Zone: *.windupdates.comO15 - Trusted Zone: *.skoobidoo.comO15 - Trusted Zone: *.slotchbar.comO15 - Trusted Zone: *.iframedollars.bizO15 - Trusted Zone: *.windupdates.com (HKLM)O15 - Trusted Zone: *.skoobidoo.com (HKLM)O15 - Trusted Zone: *.slotchbar.com (HKLM)O15 - Trusted Zone: *.iframedollars.biz (HKLM)O15 - Trusted IP range: 213.159.117.202O16 - DPF: {047CE197-F3B0-40EE-B4BD-D8B388AB5EFD} - file://C:\Recycled\675474.exeO18 - Filter: text/html - {9681CE8B-DE68-4BA1-BDD5-5AF0BA17ECD8} - C:\WINDOWS\SYSTEM\IMKI.DLLO18 - Filter: text/plain - {9681CE8B-DE68-4BA1-BDD5-5AF0BA17ECD8} - C:\WINDOWS\SYSTEM\IMKI.DLLO21 - SSODL: SecurityUpdate - {C4B76B43-0F5E-46CF-B4B7-AFF923E214EC} - C:\WINDOWS\SYSTEM\VREDROBJ.DLLO21 - SSODL: OLE Automation Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file) Quote Link to comment Share on other sites More sharing options...
Steve Posted November 18, 2005 Author Share Posted November 18, 2005 First off download CWShredder: - http://www.trendmicro.com/ftp/products/onl.../cwshredder.exe Run it and click the Fix button. It'll scan your machine and remove any infected Cool Web Search files. Once it's done, reboot the PC. Download CCleaner from THIS page and install it, but don't run it yet. Press Control/Alt/Delete to bring up Task Manager and end the following processes: - mbd.exetwsu.exeqbrowse.exe Next run HijackThis and check off all of these. Some may no longer be there after running CWShredder, but it's important you don't miss any: - R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://dr-search4u.com/sp.htmR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.wow-access.com/search/main.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blankR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wow-access.com/search/main.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.wow-access.com/search/main.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blankR1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blankR1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.wow-access.com/search/main.htmlR0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blankR0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.wow-access.com/search/main.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://dr-search4u.com/index.htmR1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://dr-search4u.com/sp.htmR1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blankR1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blankR3 - Default URLSearchHook is missingO2 - BHO: (no name) - {128AF2C0-3220-1E88-5663-393650EEF597} - C:\WINDOWS\SYSTEM\DEOAV.DLLO2 - BHO: (no name) - {305E2F57-8AF1-4C20-B6CB-EA6B0EA87D9C} - C:\WINDOWS\SYSTEM\IMKI.DLLO4 - HKLM\..\Run: [QBROWSE] "C:\Progra~1\uniwill\qbrowse\qbrowse.exeO4 - HKLM\..\Run: [load32] C:\WINDOWS\SYSTEM\winldra.exeO4 - HKLM\..\Run: [winpipe] C:\WINDOWS\SYSTEM32\WINPIPE.EXEO4 - HKLM\..\Run: [CustomizeSearch] http://www.wow-access.com/search/main.htmlO4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exeO4 - HKLM\..\RunServices: [logon.exe] C:\WINDOWS\SYSTEM\logon.exeO4 - HKLM\..\RunServices: [srv32 spool service] C:\WINDOWS\System\spoolsrv32.exeO4 - HKCU\..\Run: [Clmd] C:\WINDOWS\Application Data\twsu.exeO4 - HKCU\..\Run: [Yvmtya] C:\WINDOWS\SYSTEM\mbd.exeO4 - Startup: Qbrowse.lnk = C:\WINDOWS\Qbrowse.exeO15 - Trusted Zone: *.windupdates.comO15 - Trusted Zone: *.skoobidoo.comO15 - Trusted Zone: *.slotchbar.comO15 - Trusted Zone: *.iframedollars.bizO15 - Trusted Zone: *.windupdates.com (HKLM)O15 - Trusted Zone: *.skoobidoo.com (HKLM)O15 - Trusted Zone: *.slotchbar.com (HKLM)O15 - Trusted Zone: *.iframedollars.biz (HKLM)O15 - Trusted IP range: 213.159.117.202O16 - DPF: {047CE197-F3B0-40EE-B4BD-D8B388AB5EFD} - file://C:\Recycled\675474.exeO18 - Filter: text/html - {9681CE8B-DE68-4BA1-BDD5-5AF0BA17ECD8} - C:\WINDOWS\SYSTEM\IMKI.DLLO18 - Filter: text/plain - {9681CE8B-DE68-4BA1-BDD5-5AF0BA17ECD8} - C:\WINDOWS\SYSTEM\IMKI.DLLO21 - SSODL: SecurityUpdate - {C4B76B43-0F5E-46CF-B4B7-AFF923E214EC} - C:\WINDOWS\SYSTEM\VREDROBJ.DLLO21 - SSODL: OLE Automation Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file) Close ALL other windows (IE etc.) and hit Fix Checked. Reboot the PC into Safe Mode by tapping F8 as it's booting. Start Windows Explorer and hit Tools, then Folder Options. On the View tab, set the following like this: - Show hidden files and folders - CheckedHide extensions for known file types - NOT checkedHide protected operating system files (Recommended) - NOT checked Then hit Apply then OK. Search for the following files and folders shown in bold and delete them if found. Make sure you double check, cos if you miss one it can cause some or all of the others to come back: - C:\WINDOWS\TEMP\se.dll C:\WINDOWS\SYSTEM\DEOAV.DLL C:\WINDOWS\SYSTEM\IMKI.DLL C:\WINDOWS\SYSTEM\winldra.exe C:\WINDOWS\SYSTEM32\WINPIPE.EXE C:\WINDOWS\SYSTEM\logon.exe C:\WINDOWS\System\spoolsrv32.exe C:\WINDOWS\Application Data\twsu.exe C:\WINDOWS\SYSTEM\mbd.exe C:\WINDOWS\Qbrowse.exe C:\Recycled\675474.exe C:\WINDOWS\SYSTEM\VREDROBJ.DLL C:\Program Files\uniwill C:\Program Files\P.S.Guard Once you've done that, run CCleaner and let it clean your drive. Then reboot into regular Windows. Start Internet Explorer and hit Tools, then Internet Options. Click on the Programs tab, followed by the Reset Web Settings button (I think there is one in Windows ME, but I might be wrong!). Then click on the Security tab, then the Internet zone icon and see if the security level has been set to low. If it has, hit the Default Level button. Click on the General tab and re-enter the home page you want to use. Now you must click Apply then OK. That should be it, but perhaps post a new log just to be sure as you had about 12 viruses on your system. Download and install Sygate firewall: - http://smb.sygate.com/products/spf_standard.htm It's free. If you want a fairly good free antivirus program then try Avast: - http://www.avast.com If your next log is free of crap, then we need to clean your registry, but I'll tell you how to do that later. Quote Link to comment Share on other sites More sharing options...
Steve Posted November 18, 2005 Author Share Posted November 18, 2005 Vekked. To get rid of NewDotNet, do this: - Run HijackThis and fix this item, but don't reboot: - O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s Repeat the LSPFix instructions I posted earlier. Download this: - http://www.downloads.subratam.org/KillBox.zip Unzip it to your desktop and run it. Click the little yellow folder icon and browse to the NewDotNet folder. Select the first file inside the folder and hit OK. Repeat this for all of the files in that folder, then make sure these options are set: - Select "Delete On Reboot"Select "End Explorer Shell While Killing File"Select "Unregister .dll Before Deleting" if it's not greyed out Click the red X button, then say yes to the prompts that appear. When your PC has rebooted, you should find that the NewDotNet folder is totally empty and can be removed. Post up a new HijackThis log. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.