|
|||||||||
|
|||||||||
| |||||||||
|
|||||||||
|
|||||||||
| |||||||||
|
|
|
| |||||||||
 |
|
|
«
Previous Thread
|
Next Thread
»
|
Thread Tools | Search this Thread | Rate Thread | Display Modes |
Dev Shed Forums Sponsor:
|
|
|
|
#1
December 13th, 2004, 03:57 PM
|
|||
|
|||
Hijacked again!!
Please help... I think it's because I downloaded Kazaa, then got rid of it.
Logfile of HijackThis v1.97.7 Scan saved at 4:57:11 PM, on 12/13/2004 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Network Associates\VirusScan\VsStat.exe C:\Program Files\Network Associates\VirusScan\Vshwin32.exe C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe C:\Program Files\Microsoft Hardware\Keyboard\type32.exe C:\WINDOWS\system32\gwrxnhky\uvaoicn.exe C:\WINDOWS\system32\pujshaqt\bgwmj.exe C:\Program Files\Network Associates\VirusScan\Avconsol.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe C:\Program Files\Lexmark X74-X75\lxbbbmon.exe C:\WINDOWS\system32\vjwsktm\rldu.exe C:\Program Files\QuickTime\qttask.exe C:\DOCUME~1\Owner\LOCALS~1\Temp\bwgo02fcbc27.exe C:\WINDOWS\system32\RUNDLL32.exe C:\WINDOWS\TEMP\ICD5.tmp\svcmm32.exe c:\Program Files\Bcpc\bcpc.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Owner\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch O1 - Hosts: 69.20.16.183 auto.search.msn.com O1 - Hosts: 69.20.16.183 search.netscape.com O1 - Hosts: 69.20.16.183 ieautosearch O1 - Hosts: 69.20.16.183 ieautosearch O2 - BHO: (no name) - {7CD20E91-1F31-41da-8379-479EA31DF969} - c:\Program Files\XML\XML.dll O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe" O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [uvaoicn] C:\WINDOWS\system32\gwrxnhky\uvaoicn.exe O4 - HKLM\..\Run: [bgwmj] C:\WINDOWS\system32\pujshaqt\bgwmj.exe O4 - HKLM\..\Run: [rpju] C:\WINDOWS\system32\nrxdhj\rpju.exe O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" O4 - HKLM\..\Run: [rldu] C:\WINDOWS\system32\vjwsktm\rldu.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\system32\stcloader.exe O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\system32\winupdtl.exe O4 - HKLM\..\Run: [USB controller] "C:\WINDOWS\TEMP\ICD5.tmp\svcmm32.exe" /startup O4 - HKLM\..\Run: [BCPC] "c:\Program Files\Bcpc\bcpc.exe" O4 - HKLM\..\Run: [Breg] "c:\Program Files\Common Files\Java\bcre.exe" O4 - HKLM\..\Run: [Xcpy1] "c:\Program Files\Common Files\Java\Xcpy1.exe" O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe O4 - HKCU\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab 
|
|
#3
December 16th, 2004, 04:29 PM
|
|||
|
|||
|
Please Help!!! Hijack This! Log Enclosed
Can anyone PLEASE help me????? My computer has been going nuts!!
Logfile of HijackThis v1.97.7 Scan saved at 5:27:32 PM, on 12/16/2004 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\Explorer.EXE C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Network Associates\VirusScan\VsStat.exe C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe C:\Program Files\Microsoft Hardware\Keyboard\type32.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe C:\WINDOWS\system32\vjwsktm\rldu.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\TEMP\ICD5.tmp\svcmm32.exe C:\Program Files\Bcpc\bcpc.exe C:\Program Files\Network Associates\VirusScan\Vshwin32.exe C:\WINDOWS\system32\lplef\ihfe.exe C:\WINDOWS\system32\lsqhed\onfi.exe C:\Program Files\Lexmark X74-X75\lxbbbmon.exe C:\Program Files\Network Associates\VirusScan\Avconsol.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Owner\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch O1 - Hosts: 69.20.16.183 auto.search.msn.com O1 - Hosts: 69.20.16.183 search.netscape.com O1 - Hosts: 69.20.16.183 ieautosearch O1 - Hosts: 69.20.16.183 ieautosearch O1 - Hosts: 69.20.16.183 ieautosearch O1 - Hosts: 69.20.16.183 ieautosearch O1 - Hosts: 69.20.16.183 ieautosearch O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe" O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [uvaoicn] C:\WINDOWS\system32\gwrxnhky\uvaoicn.exe O4 - HKLM\..\Run: [bgwmj] C:\WINDOWS\system32\pujshaqt\bgwmj.exe O4 - HKLM\..\Run: [rpju] C:\WINDOWS\system32\nrxdhj\rpju.exe O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" O4 - HKLM\..\Run: [rldu] C:\WINDOWS\system32\vjwsktm\rldu.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\system32\stcloader.exe O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\system32\winupdtl.exe O4 - HKLM\..\Run: [USB controller] "C:\WINDOWS\TEMP\ICD5.tmp\svcmm32.exe" /startup O4 - HKLM\..\Run: [BCPC] "C:\Program Files\Bcpc\bcpc.exe" O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\bcre.exe" O4 - HKLM\..\Run: [Xcpy1] "C:\Program Files\Common Files\Java\Xcpy1.exe" O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun O4 - HKLM\..\Run: [ihfe] C:\WINDOWS\system32\lplef\ihfe.exe O4 - HKLM\..\Run: [onfi] C:\WINDOWS\system32\lsqhed\onfi.exe O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvtry32.exe O4 - HKCU\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install007.exe O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
|
|
#4
December 20th, 2004, 02:19 PM
|
|||
|
|||
|
Hi grymmgrl,
Your threads have been merged. Please do not create multiple threads for the same problem! Thanks, Tom
__________________
HijackThis Ad-aware Spybot Search & Destroy SpywareBlaster SpywareGuard Housecall Online A/V Scan Please read the stickys at the top of the forum before posting!
|
|
#5
December 20th, 2004, 02:21 PM
|
|||
|
|||
|
Please update HijackThis, you are using an outdated version. The new version does a better job of detecting malware:
Open HijackThis, click Config > Misc Tools > Check for Update online Or download a copy of version 1.99 at: http://www.majorgeeks.com/download3155.html If you downloaded the newer version, please delete the older version you are using now. Post a fresh log with this new version. Tom
|
|
#6
December 21st, 2004, 09:38 PM
|
|||
|
|||
|
Log enclosed
 Sorry about the multiple posts!!Logfile of HijackThis v1.99.0 Scan saved at 10:37:39 PM, on 12/21/2004 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Network Associates\VirusScan\VsStat.exe C:\Program Files\Network Associates\VirusScan\Vshwin32.exe C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe C:\Program Files\Microsoft Hardware\Keyboard\type32.exe C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe C:\WINDOWS\system32\vjwsktm\rldu.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\system32\lsqhed\onfi.exe C:\Program Files\Network Associates\VirusScan\Avconsol.exe C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe C:\WINDOWS\system32\lplef\ihfe.exe C:\Program Files\Lexmark X74-X75\lxbbbmon.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\explorer.exe C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/ O1 - Hosts: 69.20.16.183 ieautosearch O1 - Hosts: 69.20.16.183 auto.search.msn.com O1 - Hosts: 69.20.16.183 search.netscape.com O1 - Hosts: 69.20.16.183 ieautosearch O1 - Hosts: 69.20.16.183 ieautosearch O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe" O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [uvaoicn] C:\WINDOWS\system32\gwrxnhky\uvaoicn.exe O4 - HKLM\..\Run: [bgwmj] C:\WINDOWS\system32\pujshaqt\bgwmj.exe O4 - HKLM\..\Run: [rpju] C:\WINDOWS\system32\nrxdhj\rpju.exe O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" O4 - HKLM\..\Run: [rldu] C:\WINDOWS\system32\vjwsktm\rldu.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [ihfe] C:\WINDOWS\system32\lplef\ihfe.exe O4 - HKLM\..\Run: [onfi] C:\WINDOWS\system32\lsqhed\onfi.exe O4 - HKCU\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run O23 - Service: AVSync Manager - Unknown - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: McShield - Network Associates, Inc. - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
|
|
#7
December 22nd, 2004, 12:58 PM
|
|||
|
|||
|
Hi grymmgrl,
No problem on the extra posts, sometimes it just sets you back further for getting help because it looks like someone is already helping you  If you have any questions before starting the fix, please don't hesitate to ask! You might want to print these instructions for reference or copy and paste them into notepad and save them on your desktop, as you will be off the internet while using HijackThis. Please move or unzip HijackThis to a permanent folder such as C:\HJT It is important that it is in it's own folder as it will make important backups of what we will fix. Please go to Start > My Computer > double-click your C:\ drive > click: File > New > Folder > name it HJT and put HijackThis into that folder. Next... Boot into Safe Mode. Reboot your computer, start tapping F8 when your machine first starts booting, select Safe Mode. Please go to Start > Control Panel > Add/Remove programs and remove: WebSpecials (if listed) Run HijackThis, click scan, place a checkmark next to the following items. Close all browsers and any other windows or the fix may not work! Click "fix checked". It is OK if some of these items are no longer listed. O1 - Hosts: 69.20.16.183 ieautosearch O1 - Hosts: 69.20.16.183 auto.search.msn.com O1 - Hosts: 69.20.16.183 search.netscape.com O1 - Hosts: 69.20.16.183 ieautosearch O1 - Hosts: 69.20.16.183 ieautosearch O4 - HKLM\..\Run: [uvaoicn] C:\WINDOWS\system32\gwrxnhky\uvaoicn.exe O4 - HKLM\..\Run: [bgwmj] C:\WINDOWS\system32\pujshaqt\bgwmj.exe O4 - HKLM\..\Run: [rpju] C:\WINDOWS\system32\nrxdhj\rpju.exe O4 - HKLM\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run O4 - HKLM\..\Run: [rldu] C:\WINDOWS\system32\vjwsktm\rldu.exe O4 - HKLM\..\Run: [ihfe] C:\WINDOWS\system32\lplef\ihfe.exe O4 - HKLM\..\Run: [onfi] C:\WINDOWS\system32\lsqhed\onfi.exe O4 - HKCU\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing) These are resource hogs that can be fixed also: O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime Make sure your computer is configured to show all files and folders. Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden Files and Folders heading select Show Hidden Files and Folders. Uncheck hide extensions for known file types. Uncheck the Hide Protected Operating System Files option. Click Yes to confirm. Click OK. Search for and delete the following file: C:\WINDOWS\zeta.exe Search for and delete the following folders: C:\Program Files\WebSpecials < delete the entire WebSpecials folder C:\WINDOWS\system32\gwrxnhky < delete the entire gwrxnhky folder C:\WINDOWS\system32\pujshaqt < delete the entire pujshaqt folder C:\WINDOWS\system32\nrxdhj < delete the entire nrxdhj folder C:\WINDOWS\system32\vjwsktm < delete the entire vjwsktm folder C:\WINDOWS\system32\lplef < delete the entire lplef folder C:\WINDOWS\system32\lsqhed < delete the entire lsqhed folder Next.... Go to Start > Run > type "cleanmgr" (without the quotes). > Select the drive to clean up (usually C ) > Place a checkmark next to the following: Temporary Internet Files Recycle Bin Temporary Files Then click OK. Reboot normally. Next... I would like you to perform an onlne virus scan at Trend Micro http://housecall.trendmicro.com/ Select all of your drives for scanning. Please check "Auto clean" before scanning. If you can, copy and paste the report logs from the scan into your next post along with a fresh HijackThis log.. Tom
|
|
#8
December 24th, 2004, 06:26 PM
|
|||
|
|||
|
Thank you Tom!!!!!!
Here is the result of the virus scan that you suggested:
TROJ QDOWN.L TROJ AGENT.BT TROJ QDOWN.L TROJ AGENT.BT TROJ VIVIA.C TROJ SMALL.FY TROJ RVP.D And here is the new HiJack This log: Logfile of HijackThis v1.99.0 Scan saved at 7:22:51 PM, on 12/24/2004 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Network Associates\VirusScan\VsStat.exe C:\Program Files\Network Associates\VirusScan\Vshwin32.exe C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe C:\Program Files\Microsoft Hardware\Keyboard\type32.exe C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe C:\Program Files\Lexmark X74-X75\lxbbbmon.exe C:\Program Files\Network Associates\VirusScan\Avconsol.exe C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\notepad.exe C:\Documents and Settings\Owner\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/ O1 - Hosts: 69.20.16.183 auto.search.msn.com O1 - Hosts: 69.20.16.183 search.netscape.com O1 - Hosts: 69.20.16.183 ieautosearch O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe" O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab O23 - Service: AVSync Manager - Unknown - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: McShield - Network Associates, Inc. - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe It seems to be running better already. The only weird thing is, when I look at my Recycle Bin icon on my desktop it looks like there is stuff in there, when I go to empty it asks me if I want to delete all of the items & I say yes, but it still looks as if there are things in there??? Weird...
|
|
#9
December 27th, 2004, 09:52 PM
|
|||
|
|||
|
Quote:
That is strange... well, let's keep going here! Please download The Hoster http://members.aol.com/toadbee/hoster.zip Click on the link above > save it to a new folder on your desktop > open the new folder and unzip the file hoster.zip > run Hoster.exe > if your host file is marked as "read only", click the button "Make Hosts Writable" > click the "Restore Original Hosts" button > press OK to restore the original Hosts file > click OK > close The Hoster. Please note: if you use a custom hosts file to block malware sites (such as MVPS Hosts file), this program will remove those entries. You will need to rerun the program that created the entries. Please post a fresh HijackThis log. Tom
|
|
#10
December 28th, 2004, 04:37 PM
|
|||
|
|||
|
New Log after host.exe
Here it is... is this ok?
Logfile of HijackThis v1.99.0 Scan saved at 5:36:16 PM, on 12/28/2004 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Network Associates\VirusScan\VsStat.exe C:\Program Files\Network Associates\VirusScan\Vshwin32.exe C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe C:\Program Files\Microsoft Hardware\Keyboard\type32.exe C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe C:\Program Files\Lexmark X74-X75\lxbbbmon.exe C:\Program Files\Network Associates\VirusScan\Avconsol.exe C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe C:\WINDOWS\system32\wscntfy.exe C:\Documents and Settings\Owner\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/ O1 - Hosts: 69.20.16.183 auto.search.msn.com O1 - Hosts: 69.20.16.183 search.netscape.com O1 - Hosts: 69.20.16.183 ieautosearch O1 - Hosts: 69.20.16.183 ieautosearch O1 - Hosts: 69.20.16.183 ieautosearch O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe" O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab O23 - Service: AVSync Manager - Unknown - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: McShield - Network Associates, Inc. - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
|
|
#11
December 30th, 2004, 12:10 AM
|
|||
|
|||
|
grymmgrl,
Please download Hosts File Reader: http://www.downloads.subratam.org/HostsFileReader.zip Save it to a convenient location, such as a new folder called Hosts File Reader on your desktop. Unzip the file and run HostsFileReader.exe > click the button labeled Scan for Hosts > select each of the host files found and click the Delete button > click the Reset Default button > click the Exit button. Please post a fresh HijackThis log. Tom
|
|
#12
December 31st, 2004, 03:03 PM
|
|||
|
|||
|
I did as you instructed... Also, for some reason my computer is now shutting off & restarting at random - while I'm in the middle of doing things. It's maddening - I'm about to toss it through the window!!!
Logfile of HijackThis v1.99.0 Scan saved at 4:02:48 PM, on 12/31/2004 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Network Associates\VirusScan\VsStat.exe C:\Program Files\Network Associates\VirusScan\Vshwin32.exe C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe C:\Program Files\Microsoft Hardware\Keyboard\type32.exe C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe C:\Program Files\Lexmark X74-X75\lxbbbmon.exe C:\Program Files\Network Associates\VirusScan\Avconsol.exe C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\tapfaxui.exe C:\WINDOWS\system32\telsubs.exe C:\WINDOWS\TEMP\AutoUpdate0\auto_update_install.exe C:\WINDOWS\TEMP\AutoUpdate1\auto_update_install.exe C:\Program Files\CxtPls\CxtPls.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Owner\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/ O1 - Hosts: 69.20.16.183 auto.search.msn.com O1 - Hosts: 69.20.16.183 search.netscape.com O1 - Hosts: 69.20.16.183 ieautosearch O1 - Hosts: 69.20.16.183 ieautosearch O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe" O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe" O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\system32\Cxtpls_loader.exe" /HideUninstall /HideDir /PC=CP.BIG /ShowLegalNote=nonbranded O4 - HKLM\..\Run: [t77i3tP] telsubs.exe O4 - HKCU\..\Run: [cwosRjj3V] tapfaxui.exe O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab O23 - Service: AVSync Manager - Unknown - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: McShield - Network Associates, Inc. - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
|
|
# |
Del.icio.us
Digg
Google
Spurl
Blink
Furl
Simpy
Y! MyWeb
