#1
search2web hijack problem
I ran HijackThis and this is the log file. Can anyone help me on this? Also, my computer is running slow at times on the internet. I ran a virus scan and no viruses showed up; can anyone help on that? Thanks, Bob

```
Logfile of HijackThis v1.98.2
Scan saved at 7:57:07 PM, on 11/30/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ScsiAccess.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\WINNT\system32\P2P Networking\P2P Networking.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Documents and Settings\Bob Melosi\Application Data\baew.exe
C:\WINNT\system32\l?***.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Bob Melosi\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.zehoqpjojctjmztyjrckz.com/g_ySajr32mZxerqKhEKrbYbMdVj/tvXrh04e18hNK5zNE44wvdu8Cl8Jz1XJLuXd.jpg
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1AE0C37D-0E8F-1E9D-7B9D-548F12FEF130} - C:\DOCUME~1\BOBMEL~1\APPLIC~1\SHIMKN~1\mix safe.exe
O2 - BHO: (no name) - {4FD3330E-E111-2898-8004-60550C817E13} - C:\WINNT\system32\tommh.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [AOL Messenger] aolmsngr.exe
O4 - HKLM\..\Run: [2IkQQ2Ssy] C:\documents and settings\bob melosi\local settings\temp\2IkQQ2Ssy.exe
O4 - HKLM\..\Run: [Move Setup Free Anti] C:\Documents and Settings\All Users\Application Data\timeflapmovesetup\SoftEggs.exe
O4 - HKLM\..\RunServices: [AOL Messenger] aolmsngr.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [ping mapi] C:\DOCUME~1\BOBMEL~1\APPLIC~1\CHINRO~1\Save Face Cast.exe
O4 - HKCU\..\Run: [Asel] C:\Documents and Settings\Bob Melosi\Application Data\baew.exe
O4 - HKCU\..\Run: [Zycfvck] C:\WINNT\system32\l?***.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
```
#2
Hi bmelosi,

If you still need help, please post a fresh HijackThis log.

Tom

__________________
HijackThis, Ad-aware, Spybot Search & Destroy, SpywareBlaster, SpywareGuard, Housecall Online A/V Scan
Please read the stickies at the top of the forum before posting!
#3
I still need help, thanks.

```
Logfile of HijackThis v1.98.2
Scan saved at 12:47:16 AM, on 12/5/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ScsiAccess.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\P2P Networking\P2P Networking.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Ares\Ares.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINNT\system32\l?***.exe
C:\Documents and Settings\Bob Melosi\Application Data\baew.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Bob Melosi\Desktop\hijackthis\HijackThis.exe
C:\Documents and Settings\All Users\Application Data\timeflapmovesetup\chic error.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.okcdwsbefmowpjvilbcs.com/g_ySajr32mZxerqKhEKrbYbMdVj/tvXrh04e18hNK5zrBAq2plPiil8Jz1XJLuXd.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1AE0C37D-0E8F-1E9D-7B9D-548F12FEF130} - C:\DOCUME~1\BOBMEL~1\APPLIC~1\SHIMKN~1\mix safe.exe
O2 - BHO: (no name) - {4FD3330E-E111-2898-8004-60550C817E13} - C:\WINNT\system32\tommh.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [AOL Messenger] aolmsngr.exe
O4 - HKLM\..\Run: [2IkQQ2Ssy] C:\documents and settings\bob melosi\local settings\temp\2IkQQ2Ssy.exe
O4 - HKLM\..\Run: [Move Setup Free Anti] C:\Documents and Settings\All Users\Application Data\timeflapmovesetup\SoftEggs.exe
O4 - HKLM\..\RunServices: [AOL Messenger] aolmsngr.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [ping mapi] C:\DOCUME~1\BOBMEL~1\APPLIC~1\CHINRO~1\Save Face Cast.exe
O4 - HKCU\..\Run: [Zycfvck] C:\WINNT\system32\l?***.exe
O4 - HKCU\..\Run: [Asel] C:\Documents and Settings\Bob Melosi\Application Data\baew.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
```

Here is my new log. Thanks, Bob
#4
Bob,

You might want to print these instructions for reference, or copy and paste them into Notepad and save them on your desktop, as you will be off the internet while using HijackThis. If you have any questions before starting the fix, please don't hesitate to ask!

P2P Networking is a totally useless Kazaa add-on, and it's been reported to be responsible for serious system slowdowns. Go to Start > Control Panel > Add/Remove Programs and uninstall P2P Networking.

Next...

You have Messenger Plus installed. It is an add-on program not written by Microsoft. It contains the LOP infection (it's what you are infected with now) and it's best to uninstall the program. If you feel you need this program, remove it and reinstall it without installing the "Sponsor" feature. Please go to Start > Control Panel > Add/Remove Programs > remove Plus. If you remove Messenger Plus, please remove the entries below marked in RED along with the others.

Next...

Download Ad-Aware SE Personal Edition version 1.05 from: http://www.lavasoft.de/support/download/
Run Ad-Aware and click the "Check for Updates now" link. Install the latest reference file. Just update it, do not scan with it yet!

Next...

Boot into Safe Mode: reboot your computer, start tapping F8 when it first starts booting, and select Safe Mode.

Run HijackThis, click Scan, and place a checkmark next to the following items. Close all browsers and any other windows or the fix may not work! Click "Fix checked". It is OK if some of these items are no longer listed.

```
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.okcdwsbefmowpjvilbcs.com/g_ySajr32mZxerqKhEKrbYbMdVj/tvXrh04e18hNK5zrBAq2plPiil8Jz1XJLuXd.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O2 - BHO: (no name) - {1AE0C37D-0E8F-1E9D-7B9D-548F12FEF130} - C:\DOCUME~1\BOBMEL~1\APPLIC~1\SHIMKN~1\mix safe.exe
O2 - BHO: (no name) - {4FD3330E-E111-2898-8004-60550C817E13} - C:\WINNT\system32\tommh.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [AOL Messenger] aolmsngr.exe
O4 - HKLM\..\Run: [2IkQQ2Ssy] C:\documents and settings\bob melosi\local settings\temp\2IkQQ2Ssy.exe
O4 - HKLM\..\Run: [Move Setup Free Anti] C:\Documents and Settings\All Users\Application Data\timeflapmovesetup\SoftEggs.exe
O4 - HKLM\..\RunServices: [AOL Messenger] aolmsngr.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [ping mapi] C:\DOCUME~1\BOBMEL~1\APPLIC~1\CHINRO~1\Save Face Cast.exe
O4 - HKCU\..\Run: [Zycfvck] C:\WINNT\system32\l?***.exe
O4 - HKCU\..\Run: [Asel] C:\Documents and Settings\Bob Melosi\Application Data\baew.exe
```

Marked in RED:

```
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
```

These are resource hogs that can be fixed also:

```
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
```

Next...

Make sure your computer is configured to show all files and folders. Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Under the Hidden Files and Folders heading select Show Hidden Files and Folders. Uncheck Hide extensions for known file types. Uncheck the Hide Protected Operating System Files option. Click Yes to confirm. Click OK.

Search for and delete the following files:

```
C:\WINNT\system32\tommh.dll
aolmsngr.exe
C:\documents and settings\bob melosi\local settings\temp\2IkQQ2Ssy.exe
C:\Documents and Settings\Bob Melosi\Application Data\baew.exe
```

Search for and delete the following folders:

```
C:\DOCUMENTS AND SETTINGS\BOBMEL~1\APPLICATION DATA\SHIMKN   < delete the entire SHIMKN... folder
C:\Program Files\Common files\updmgr   < delete the entire updmgr folder
C:\Documents and Settings\All Users\Application Data\timeflapmovesetup   < delete the entire timeflapmovesetup folder
C:\DOCUMENTS AND SETTINGS\BOBMEL~1\APPLICATION DATA\CHINRO...   < delete the entire CHINRO... folder
```

Marked in RED:

```
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3   < delete the entire Messenger Plus! 3 folder
```

Next...

Go to Start > Run > type "cleanmgr" (without the quotes) > select the drive to clean up (usually C) > place a checkmark next to the following: Temporary Internet Files, Recycle Bin, Temporary Files. Then click OK.

Next...

Perform a "Full system scan" with Ad-Aware. Allow it to remove anything it finds. Reboot normally.

I see you are using AVG6. The product end of life for version 6 is December 31. I suggest upgrading to version 7: http://free.grisoft.com/freeweb.php. AVG7 will automatically remove the previous installation. After you install it, make sure you update it right away and perform a full system scan.

Please post a fresh HijackThis log.

Tom
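The triage the helper did by hand above (flagging the search-bar hijack, the unnamed or file-less BHOs and hooks, and the autostarts running out of Application Data and Temp) can be written down as a small set of checks over HijackThis entries. This is an added example written for this page, not code from the thread or from HijackThis; the allow-list of Yahoo hosts and the profile/temp path patterns are assumptions of the example, and the sample lines are copied from the log posted in this thread.

```python
"""Triage heuristics for HijackThis v1.98 log entries (added example).

Encodes what the helper flagged by hand: R0/R1 search or start pages on hosts
that are not known defaults, R3/O2 hooks and BHOs with "(no file)" or
"(no name)", and O4 autostarts launching from Application Data or Temp.
The host allow-list and path patterns below are assumptions of this example.
"""
import re
from urllib.parse import urlparse

# Hosts the posted log shows as legitimate defaults (assumed allow-list).
KNOWN_GOOD_HOSTS = {"www.yahoo.com", "red.clientapps.yahoo.com", "my.yahoo.com"}

# Profile/temp locations (long and 8.3 short forms) where autostarts rarely belong.
SUSPECT_PATH_RE = re.compile(r"\\(application data|applic~1|temp)\\", re.IGNORECASE)

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# Stop at '*' so chained values like "...ymsgr*http://my.yahoo.com" yield both URLs.
URL_RE = re.compile(r"https?://[^\s*]+")


def flag_entry(line):
    """Return a reason string if this log entry looks suspicious, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # header, "Running processes:" or a bare path
    code, body = m.group("code"), m.group("body")

    if code in ("R0", "R1") and "=" in body:
        value = body.split("=", 1)[1]
        hosts = {urlparse(u).hostname for u in URL_RE.findall(value)} - {None}
        unknown = sorted(hosts - KNOWN_GOOD_HOSTS)
        if unknown:
            return "search/start page set to unknown host: " + ", ".join(unknown)

    if code in ("R3", "O2"):
        if "(no file)" in body:
            return "hook/BHO with missing file (orphaned CLSID)"
        if "(no name)" in body:
            return "unnamed BHO/hook"

    if code == "O4" and SUSPECT_PATH_RE.search(body):
        return "autostart from user-profile or temp location"

    return None


def triage(log_text):
    """Return [(entry, reason)] for every suspicious entry in a whole log."""
    results = []
    for line in log_text.splitlines():
        reason = flag_entry(line)
        if reason:
            results.append((line.strip(), reason))
    return results


# Sample input: entries copied from the second log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.okcdwsbefmowpjvilbcs.com/g_ySajr32mZxerqKhEKrbYbMdVj/tvXrh04e18hNK5zrBAq2plPiil8Jz1XJLuXd.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4FD3330E-E111-2898-8004-60550C817E13} - C:\WINNT\system32\tommh.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [2IkQQ2Ssy] C:\documents and settings\bob melosi\local settings\temp\2IkQQ2Ssy.exe
O4 - HKCU\..\Run: [ping mapi] C:\DOCUME~1\BOBMEL~1\APPLIC~1\CHINRO~1\Save Face Cast.exe
O4 - HKCU\..\Run: [Asel] C:\Documents and Settings\Bob Melosi\Application Data\baew.exe
"""

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason:50} <- {entry[:72]}")
```

Six of the eleven sample entries are flagged, matching the ones the helper put on the fix list; the legitimate Yahoo, Adobe and AVG entries pass.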
#5
Here is my new log. Thanks, it seems to be working fine now. I wasn't able to run cleanmgr, it locked up my system. Thanks again, Bob

```
Logfile of HijackThis v1.98.2
Scan saved at 7:03:27 AM, on 12/7/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ScsiAccess.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\cleanmgr.exe
C:\Program Files\Ares\Ares.exe
C:\Documents and Settings\Bob Melosi\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
```
#6
Bob,

It seems cleanmgr is running in the background: C:\WINNT\system32\cleanmgr.exe. Please reboot your computer.

This is an important step, so let's try to do it manually:

1. Launch IE > go to Tools > Internet Options > click Delete Files > place a checkmark next to "delete all offline content" > click OK.
2. Go to Start > Run > enter %temp% in the box > hit Enter > delete all files and folders in this Temp folder. Some will not delete; this is normal.
3. Open My Computer > navigate to C:\Documents and Settings\Bob Melosi\Local Settings\Temp > delete all files and folders in this Temp folder.

Let me know how it goes.

Tom
#7
I completed all the steps and things are running just fine.

Thanks, Bob
#8
Great to hear your computer is running better!

I don't see a firewall running in your log. ZoneAlarm has a free firewall: http://www.zonelabs.com/store/conte...reeDownload.jsp

Because you were infected, backups of the malware may be in System Restore.

1. Right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
4. Click Apply.
5. This will delete all existing restore points. Click Yes to do this.
6. Click OK.

Reboot.

1. Right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Uncheck the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
4. Click Apply.
5. Click OK.

Create a new Restore Point: Start > All Programs > Accessories > System Tools > System Restore > tick Create a Restore Point > Next > enter a name for the Restore Point Creation (Today, Removed Spyware, etc.) > Create > Close. The date and time will automatically be added.

Then.... These are tools that will help keep you from getting infected again:

SpywareBlaster prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests. Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restricts the actions of potentially dangerous sites in Internet Explorer.
http://www.javacoolsoftware.com/spywareblaster.html

SpywareGuard provides a real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.
http://www.wilderssecurity.net/spywareguard.html

IE-SPYAD puts over 4000 sites in your Restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD

MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
http://mvps.org/winhelp2002/hosts.htm

All are very small free programs. Occasionally check for updates.

Check for updates for Windows and Internet Explorer every week or so. Download each critical update one by one, rebooting when necessary. Repeat this until you get the message "no critical updates available".
http://windowsupdate.microsoft.com/

Please take a minute to read: So how did I get infected in the first place?
http://forums.net-integration.net/i...?showtopic=3051

Tom
Dev Shed Forums > System Administration > Antivirus Protection > search2web hijack problem