Jump to content

[Solved]Please Help Me!


fatac

Recommended Posts

Logfile of HijackThis v1.98.2

Scan saved at 2:32:19 PM, on 10/25/2004

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\hijack this\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = %SEARCH_PAGE_URL%

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = %START_PAGE_URL%

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = %SEARCH_PAGE_URL%

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = %SEARCH_PAGE_URL%

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

F3 - REG:win.ini: load=?????? ??????O???

F3 - REG:win.ini: run=?????? ??????O???

N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Documents and Settings\clayton darling\Application Data\Mozilla\Profiles\default\sczp33vs.slt\prefs.js)

N2 - Netscape 6: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\clayton darling\Application Data\Mozilla\Profiles\default\sczp33vs.slt\prefs.js)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: InstaFinder - {4E7BD74F-2B8D-469E-DCF7-F96DA086B434} - C:\WINDOWS\DOWNLO~1\instafin.dll

O2 - BHO: (no name) - {52564981-DCFB-45AA-CCD9-CE694507567E} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [Configuration Default] WUXAT.EXE

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k

O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [My Search Bar Eq] "C:\Program Files\MySearch\bar\s4bareq.exe" /r

O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup

O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe

O4 - HKLM\..\Run: [MoviePlace] "C:\Program Files\MoviePlace\MoviePlace.exe" /H

O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Tray] C:\PROGRA~1\KAZAAL~1\My Shared Folder\KazaaSkinz.exe

O4 - HKLM\..\Run: [KaZooM] C:\Program Files\Blue Haven Media\KaZooM\KaZooM.Exe

O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\Kazaa.exe /SYSTRAY

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\bin\4.3.5.0\HbInst.exe /Upgrade

O4 - HKLM\..\Run: [AmazingTens] "C:\Program Files\AmazingTens\AmazingTens.exe" /H

O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s

O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "clayton darling"

O4 - HKLM\..\RunServicesOnce: [installNAIProduct] "C:\bundle\McAfee\VSC\vsStart.EXE" /RUNKEY

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0

O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo

O4 - HKCU\..\Run: [Evidence Washer] C:\Program Files\Evidence Washer\EvidenceWasher.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [420station Joint screen saver] "C:\Program Files\420station Joint\Screen Saver\TaskTray.exe"

O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\system32\ezPopStub.exe /UninstPOP2 C:\Program Files\Web Offer

O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe

O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe

O4 - Global Startup: hp psc 1000 series.lnk = ?

O4 - Global Startup: hpoddt01.exe.lnk = ?

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: Picture Package Menu.lnk = ?

O4 - Global Startup: Picture Package VCD Maker.lnk = ?

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)

O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O15 - Trusted Zone: http://www.gsn.com

O15 - Trusted Zone: gpi.event.matrix.com

O16 - DPF: {1D8A63E5-F219-11D4-9BD1-000039051213} - http://ftp.coupons.com/CouponBar/CouponBar.cab

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://download.weatherbug.com/minibug/tri...Transporter.cab?

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

Link to comment
Share on other sites

fatac, to get this started, you're going to uninstall a few problem programs. Go to add/remove programs in the Control Panel and uninstall the following:

 

NewDotNet

Web_Rebates

WebScan

P2P Networking

MySearch, My Way, My Bar <---any of these names

MoviePlace

Hotbar

AmazingTens

Web Offer

All the Kazaa entries

 

I see that you have Spybot, which is good, hopefully you also have Adaware SE. If not, then download it, but don't run it yet. Tweak the settings to do a deep scan like this:

 

Launch the program, and click on the Gear at the top of the start screen.

Click the "Scan Now" button.

Put a dot next to: Use custom scanning options, then click Customize

Under Drives, Folders and Files, select "Scan within Archives".

Click "Click here to select Drives + folders" and select your installed hard drives.

 

Under Memory & Registry, select all options.

Click the "Advanced" button.

Under "Log-file detail level", select all options.

Click the "Tweaks" button.

 

Under "Scanning Engine", select the following:

"Unload recognized processes during scanning."

Under "Cleaning Engine", select the following:

"Let Windows remove files in use after reboot."

Click on 'Proceed' to save these Preferences.

 

Run the scan and remove all that it finds.

Run Spybot and remove all that it finds in Red

 

Run the online scanner here: Bit Defender Online Scan

 

Then rescan with HijackThis and post a fresh scan log. :)Y

Link to comment
Share on other sites

WELL THE FIRST ISSUE I HAVE IS THAT

 

NewDotNet

P2P Networking

MySearch, My Way, My Bar <---any of these names

MoviePlace

Hotbar

AmazingTens

All the Kazaa entries

DOES NOT SHOW UP IN MY ADD/REMOVE LIST.AND IF I DELETE KAZAA ENTRIES WILL I LOSE KAZAA LITE ++?

Link to comment
Share on other sites

Since we're gonna need to extract NewDotNet manually, download and run the LSP Fix utility here: http://cexx.org/lspfix.htm be sure to put it in it's own folder.

 

Open the program and you will see a right and a left window. If there are entries in the Right hand window, then simply press the Finish Button.

 

If there is nothing on the right, then look on the left for NewDotNet.dll.

If found, put a check next to "I know what I'm doing", then highlight each instance of the NewDotNet entry and using the >>>> key, move them one by one to the Right hand side. (Only move these) then click the Finish Button.

Link to comment
Share on other sites

here is my new log.

 

Logfile of HijackThis v1.98.2

Scan saved at 1:31:04 AM, on 10/26/2004

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Yahoo!\Messenger\YPager.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\hijack this\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = %SEARCH_PAGE_URL%

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = %START_PAGE_URL%

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = %SEARCH_PAGE_URL%

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = %SEARCH_PAGE_URL%

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Documents and Settings\clayton darling\Application Data\Mozilla\Profiles\default\sczp33vs.slt\prefs.js)

N2 - Netscape 6: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\clayton darling\Application Data\Mozilla\Profiles\default\sczp33vs.slt\prefs.js)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: InstaFinder - {4E7BD74F-2B8D-469E-DCF7-F96DA086B434} - C:\WINDOWS\DOWNLO~1\instafin.dll

O2 - BHO: (no name) - {52564981-DCFB-45AA-CCD9-CE694507567E} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "clayton darling"

O4 - HKLM\..\RunServicesOnce: [installNAIProduct] "C:\bundle\McAfee\VSC\vsStart.EXE" /RUNKEY

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)

O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.gsn.com

O15 - Trusted Zone: gpi.event.matrix.com

O16 - DPF: {1D8A63E5-F219-11D4-9BD1-000039051213} - http://ftp.coupons.com/CouponBar/CouponBar.cab

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://download.weatherbug.com/minibug/tri...Transporter.cab?

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

Link to comment
Share on other sites

The scans did you a world of good, nice job! Looks like it ran NewDotNet out of town as well. :P

 

Rescan with hijackthis, put a check next to these items, close all browser/explorer windows, press 'Fix Checked', then reboot into Safe Mode:

(As the computer is rebooting, tap on the F8 key repeatedly. This will bring up a Boot Menu with several options. Use the arrow keys on your keyboard to highlight Safe Mode and then hit the enter key.)

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = %SEARCH_PAGE_URL%

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = %START_PAGE_URL%

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = %SEARCH_PAGE_URL%

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = %SEARCH_PAGE_URL%

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O2 - BHO: InstaFinder - {4E7BD74F-2B8D-469E-DCF7-F96DA086B434} - C:\WINDOWS\DOWNLO~1\instafin.dll

O2 - BHO: (no name) - {52564981-DCFB-45AA-CCD9-CE694507567E} - (no file)

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O15 - Trusted Zone: http://www.gsn.com

O15 - Trusted Zone: gpi.event.matrix.com

O16 - DPF: {1D8A63E5-F219-11D4-9BD1-000039051213} - http://ftp.coupons.com/CouponBar/CouponBar.cab

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://download.weatherbug.com/minibug/tri...Transporter.cab?

 

Upon reboot into Safe Mode, make sure that Show hidden files and folders is enabled, then find and delete the following highlighted files and folders (some may have been previously removed):

 

C:\WINDOWS\DOWNLOADED PROGRAM FILES\instafin.dll

 

C:\PROGRAM FILES\NEWDOTNET

C:\Program Files\Web_Rebates

C:\WINDOWS\System32\P2P Networking

C:\Program Files\MySearch

C:\Program Files\MoviePlace

C:\Program Files\Hotbar

C:\Program Files\AmazingTens

C:\Program Files\Web Offer

 

The following Folder Contents, but not the Folder itself, need to be deleted while in safe mode. Open each of these Folders, then click Edit (at the top), choose Select All, then Delete the highlighted entries.

C:\Windows\Temp\

C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\

C:\Documents and Settings\<Your Profile>\Local Settings\Temp\

C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\

C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\

Then empty the Recycle Bin.

 

Reboot normally, recan with HijackThis and post a fresh scan log. :)Y

Link to comment
Share on other sites

Logfile of HijackThis v1.98.2

Scan saved at 2:42:19 PM, on 10/27/2004

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\Program Files\Executive Software\DiskeeperLite\DKService.exe

C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\hijack this\HijackThis.exe

C:\WINDOWS\system32\wuauclt.exe

 

N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Documents and Settings\clayton darling\Application Data\Mozilla\Profiles\default\sczp33vs.slt\prefs.js)

N2 - Netscape 6: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\clayton darling\Application Data\Mozilla\Profiles\default\sczp33vs.slt\prefs.js)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "clayton darling"

O4 - HKLM\..\RunServicesOnce: [installNAIProduct] "C:\bundle\McAfee\VSC\vsStart.EXE" /RUNKEY

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - (no file)

O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

Link to comment
Share on other sites

Don't worry about running HJT. Be sure to keep your other tools updated and run them daily: adaware & Spybot. If you find yourself Hijacked or troubled by malware that won't go away, you know where to find us. :mrgreen:

 

One final proceedure to follow. Clear your System Restore Points to prevent reinfection. Simply disable System Restore, then re-enable it to get a clean Restore Point. ;)Y

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...