|
|||||||||
|
|||||||||
| |||||||||
|
|||||||||
|
|||||||||
| |||||||||
|
|
|
| |||||||||
 |
|
|
«
Previous Thread
|
Next Thread
»
|
Thread Tools | Search this Thread | Rate Thread | Display Modes |
Dev Shed Forums Sponsor:
|
|
Be the architects of evolution and help create the mobile internet future. It’s your move---enter to win here! |
|
#1
December 8th, 2004, 11:42 PM
|
|||
|
|||
|
"Hi Jack"
In the "Wild West,"this is what highwaymen would say to get your attention just before they robbed you. Hence the term, hijack.
Speaking of which, I believe I have this kind of unwanted company. Should any one reading this find in their heart a willingness to assist a mortal and barely cpu-educated member of the "Gun at Your Back" club, the 'highest source of being' should bestow upon you happiness, to a copious degree.  Here is my "hijack this" log  Logfile of HijackThis v1.97.7 Scan saved at 8:51:12 PM, on 12/8/2004 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Unable to get Internet Explorer version! Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\System32\CTsvcCDA.EXE C:\WINNT\System32\svchost.exe C:\WINNT\system32\hidserv.exe C:\Program Files\Network Associates\Common Framework\FrameworkService.exe C:\Program Files\Network Associates\VirusScan\Mcshield.exe C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe C:\Program Files\Norton Utilities\NPROTECT.EXE C:\WINNT\system32\nvsvc32.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\tcpsvcs.exe C:\Program Files\Speed Disk\nopdb.exe C:\WINNT\system32\stisvc.exe C:\PROGRA~1\Toolbar\TBPSSvc.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\Program Files\Common Files\WinTools\WToolsS.exe C:\WINNT\System32\mspmspsv.exe C:\WINNT\system32\svchost.exe C:\WINNT\Explorer.EXE C:\Program Files\Common Files\WinTools\WToolsA.exe C:\Program Files\Common Files\WinTools\WSup.exe C:\WINNT\system32\prapar.exe C:\WINNT\system32\mobsync.exe C:\WINNT\system32\pctspk.exe C:\Program Files\Logitech\iTouch\iTouch.exe C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\Program Files\Microsoft Hardware\Mouse\point32.exe C:\PROGRA~1\Toolbar\TBPS.exe C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe C:\PROGRA~1\Toolbar\PIB.exe C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE C:\Program Files\MSN Messenger\msnmsgr.exe C:\WINNT\system32\ctfmon.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\WinRAR\WinRAR.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX01.346\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file) O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing) O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [POINTER] point32.exe O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxuk10069US O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O9 - Extra button: Yahoo! Login (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM) O9 - Extra button: Create Mobile Favorite (HKLM) O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM) O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.8.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius Control) - http://mirror.worldwinner.com/games/v42/jigsaw/jigsaw.cab O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://mirror.worldwinner.com/games/v47/blockwerx/blockwerx.cab O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb028.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://63.241.168.238/ecwplugins/ncs.cab O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldwinner.com/games/v45/wordmojo/wordmojo.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37882.9992592593 O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup141.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
|
|
#2
December 10th, 2004, 05:36 PM
|
|||
|
|||
|
Quote:
Hi -blu-, Thanks for the definition, pretty good First let's do some cleaning up: Download Ad-Aware SE Personal Edition version 1.05 from: http://www.lavasoft.de/support/download/ Run Adaware, click the "Check for Updates now" link. Install the latest reference file Perform a "Full system scan" with Adaware. Allow it to remove anything it finds. Then... Download, install and UPDATE Spybot Search and Destroy 1.3. Scan and fix all items checked in RED. http://www.safer-networking.org/en/download/index.html Next... Please update HijackThis, you are using an outdated version: Open HijackThis, click Config > Misc Tools > Check for Update online Or download a copy of version 1.98.2 at: http://www.majorgeeks.com/download3155.html Please delete the older version you are using now. Post a fresh log with this new version. Tom
__________________
HijackThis Ad-aware Spybot Search & Destroy SpywareBlaster SpywareGuard Housecall Online A/V Scan Please read the stickys at the top of the forum before posting!
|
|
#3
December 12th, 2004, 04:12 PM
|
|||
|
|||
|
The following "hijackthis" log is my latest result. I have been running ad aware and spybot periodically to minimize intruders. I actually had a clean ad aware scan earlier today, but spybot found 1 file that comes back called (I cringe even now relating this) Haxdoor-H...We need to build Hax'trap'door-H...that's what I would do...heheh
Sorry about posting the new thread. I'm ready when you are. Logfile of HijackThis v1.98.2 Scan saved at 1:45:00 PM, on 12/12/2004 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Unable to get Internet Explorer version! Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\System32\CTsvcCDA.EXE C:\WINNT\System32\svchost.exe C:\WINNT\system32\hidserv.exe C:\Program Files\Network Associates\Common Framework\FrameworkService.exe C:\Program Files\Network Associates\VirusScan\Mcshield.exe C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe C:\Program Files\Norton Utilities\NPROTECT.EXE C:\WINNT\system32\nvsvc32.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\tcpsvcs.exe C:\Program Files\Speed Disk\nopdb.exe C:\WINNT\system32\stisvc.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\System32\mspmspsv.exe C:\WINNT\system32\svchost.exe C:\WINNT\Explorer.EXE C:\WINNT\system32\pctspk.exe C:\Program Files\Logitech\iTouch\iTouch.exe C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\Program Files\Microsoft Hardware\Mouse\point32.exe C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE C:\Program Files\MSN Messenger\msnmsgr.exe C:\WINNT\system32\ctfmon.exe C:\WINNT\system32\vruvur.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX57.8446\HijackThis.exe C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.ramgo.com/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - Default URLSearchHook is missing O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [POINTER] point32.exe O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\inetrepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\inetrepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\inetrepl.dll O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius Control) - http://mirror.worldwinner.com/games/v42/jigsaw/jigsaw.cab O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://mirror.worldwinner.com/games/v47/blockwerx/blockwerx.cab O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb028.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://63.241.168.238/ecwplugins/ncs.cab O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldwinner.com/games/v45/wordmojo/wordmojo.cab O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup141.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
|
|
#4
December 13th, 2004, 01:41 AM
|
|||
|
|||
|
Hi blu,
You seem to have HijackThis running from two places at the same time: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX57.8446\HijackThis.exe C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe Please use only version 1.98.2 and make sure it is running from a permanent folder such as C:\HJT or something similar. You might want to print these instructions for reference or copy and paste them into notepad and save them on your desktop, as you will be off the internet while using HijackThis. If you have any questions before starting the fix, please don't hesitate to ask! Please go to Start > Control Panel > Add/Remove programs and remove: VBouncer or Virtual Bouncer (if listed) Next... Please download and run LSPFix from here: http://cexx.org/LSPFix.exe On the opening screen, click "I know what I'm doing".. Check all instances of "calsp.dll" (and nothing else), and move them to the "Remove" pane. Then click Finish. Next... You have a coolwebsearch infection, among other things. Please download CWShredder from Here Save it to a convenient location such as your Desktop Just download it for now, you will use it later. Next... Boot into Safe Mode. Reboot your computer, start tapping F8 when it first starts booting, select Safe Mode. Run CWShredder and select "Fix" (do not just Scan). It will automatically remove the infections. Next... Run HijackThis, click scan, place a checkmark next to the following items. Close all browsers and any other windows or the fix may not work! Click "fix checked". It is OK if some of these items are no longer listed. R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defaults/sp/*http://www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defaults/*http://yahoo.sbc.com/dsl R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.ramgo.com/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - Default URLSearchHook is missing O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe Unless you have the Spybot Search & Destroy option 'Lock homepage from changes' active, or your system administrator put this into place, have HijackThis fix this: O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present Next... Make sure your computer is configured to show all files and folders. Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden Files and Folders heading select Show Hidden Files and Folders. Uncheck hide extensions for known file types. Uncheck the Hide Protected Operating System Files option. Click Yes to confirm. Click OK. Search for and delete the following folders: C:\PROGRA~1\VBouncer < delete the entire VBouncer folder Next.... Go to Start > Run > type "cleanmgr" (without the quotes). > Select the drive to clean up (usually C ) > Place a checkmark next to the following: Temporary Internet Files Recycle Bin Temporary Files Then click OK. Reboot normally. Please post a fresh HijackThis log. Tom
|
|
#5
December 13th, 2004, 03:32 AM
|
|||
|
|||
|
How do I save Hijack this to a permanent file? It arrives in Archives as an exe file, when I click on that it gives me a window...HijackThis~v1.98.2...with 2 categories,Scan and fix stuff or Other stuff......I've looked hard for "save as".....I want to get this right before moving ahead.........good thing there's air or my head would collapse.....jeez, I hope I don't set the record for "least ept."
|
|
#6
December 13th, 2004, 05:13 PM
|
|||
|
|||
|
Please go to Start > My Computer > double-click your C:\ drive > click: File > New > Folder > name it HJT and put HijackThis into that folder.
Let me know if you need a more detailed example. Tom
|
|
#7
December 13th, 2004, 10:59 PM
|
|||
|
|||
|
Quote:
OK Tom, I did my best to follow your instructions...haven't seen a pop-up so far...that's good....here is the fresh hjt log: Logfile of HijackThis v1.98.2 Scan saved at 9:06:22 PM, on 12/13/2004 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Unable to get Internet Explorer version! Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\System32\CTsvcCDA.EXE C:\WINNT\System32\svchost.exe C:\WINNT\system32\hidserv.exe C:\Program Files\Network Associates\Common Framework\FrameworkService.exe C:\Program Files\Network Associates\VirusScan\Mcshield.exe C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe C:\Program Files\Norton Utilities\NPROTECT.EXE C:\WINNT\system32\nvsvc32.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\tcpsvcs.exe C:\Program Files\Speed Disk\nopdb.exe C:\WINNT\system32\stisvc.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\System32\mspmspsv.exe C:\WINNT\system32\svchost.exe C:\WINNT\Explorer.EXE C:\WINNT\system32\pctspk.exe C:\Program Files\Logitech\iTouch\iTouch.exe C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\Program Files\Microsoft Hardware\Mouse\point32.exe C:\WINNT\system32\vruvur.exe C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE C:\Program Files\MSN Messenger\msnmsgr.exe C:\WINNT\system32\ctfmon.exe C:\hij this\HijackThis.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [POINTER] point32.exe O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\inetrepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\inetrepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\inetrepl.dll O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Jigsaw Genius Control) - http://mirror.worldwinner.com/games/v42/jigsaw/jigsaw.cab O16 - DPF: {62969CF2-0F7A-433B-A221-FD8818C06C2F} (Blockwerx Control) - http://mirror.worldwinner.com/games/v47/blockwerx/blockwerx.cab O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb028.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://63.241.168.238/ecwplugins/ncs.cab O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://mirror.worldwinner.com/games/v45/wordmojo/wordmojo.cab O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup141.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab ok, I'll be milling about if you need me...-blu-
|
|
#8
December 14th, 2004, 03:07 PM
|
|||
|
|||
|
You did great! Just a couple of things to do:
Please go to: http://www.kaspersky.com/scanforvirus Using their single file scanning tool, browse to the file below and submit it for antivirus scanning. C:\WINNT\system32\vruvur.exe Also, please open Internet Explorer - in the menu at the top of the page go to Help > About and see what version of IE you are using. Please post you results. Tom
|
|
#9
December 14th, 2004, 07:03 PM
|
|||
|
|||
|
Quote:
Tom, I tried to find that file, C:\WINNT\system32\vruvur.exe by following it's path, not there. Then I pasted it in "search" no results. Is it possible I don't have the file or am I doing something wrong? -blu-
|
|
#10
December 14th, 2004, 08:04 PM
|
|||
|
|||
|
It was in your previous log:
Logfile of HijackThis v1.98.2 Scan saved at 9:06:22 PM, on 12/13/2004 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Unable to get Internet Explorer version! Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\WINNT\System32\CTsvcCDA.EXE C:\WINNT\System32\svchost.exe C:\WINNT\system32\hidserv.exe C:\Program Files\Network Associates\Common Framework\FrameworkService.exe C:\Program Files\Network Associates\VirusScan\Mcshield.exe C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe C:\Program Files\Norton Utilities\NPROTECT.EXE C:\WINNT\system32\nvsvc32.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\tcpsvcs.exe C:\Program Files\Speed Disk\nopdb.exe C:\WINNT\system32\stisvc.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\System32\mspmspsv.exe C:\WINNT\system32\svchost.exe C:\WINNT\Explorer.EXE C:\WINNT\system32\pctspk.exe C:\Program Files\Logitech\iTouch\iTouch.exe C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\Program Files\Microsoft Hardware\Mouse\point32.exe C:\WINNT\system32\vruvur.exe C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE C:\Program Files\MSN Messenger\msnmsgr.exe C:\WINNT\system32\ctfmon.exe C:\hij this\HijackThis.exe If it's a virus or other malware, it could be changing names on us! I would like you to perform an onlne virus scan from this site: Trend Micro Housecall - Select all of your drives to be scanned. Please check "Auto clean" before scanning. http://housecall.trendmicro.com/ If you can, copy and paste the report logs from the scans into your next post along with a fresh HijackThis log.. Tom
|
|
#11
December 15th, 2004, 02:40 AM
|
|||
|
|||
|
Quote:
|
Del.icio.us
Digg
Google
Spurl
Blink
Furl
Simpy
Y! MyWeb
