Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Really need help...Please help! [CLOSED]

Started by Elker , Jun 11 2005 06:16 AM

  • This topic is locked This topic is locked

#1
Elker
Posted 11 June 2005 - 06:16 AM

Elker

    New Member

  • Member
  • Pip
  • 2 posts
Please help me...I have a problem and need to clear it up and I know that you can help. I am posting my current Hi-Jack This log and need some direction as to what to delete. Thanks in advanced from this 62 year old for your expertise. Hedre is thew log:
Logfile of HijackThis v1.99.1
Scan saved at 5:11:27 AM, on 6/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\wkssvc.exe
C:\WINDOWS\System32\msconfig32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\woekd.exe
C:\windows\temp\1.exe
C:\windows\system32\ASCap.exe
C:\windows\system32\CO.exe
C:\WINDOWS\syshost.exe
C:\WINDOWS\System32\KYSVCXD.EXE
C:\WINDOWS\seeve.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\WINDOWS\System32\msxct.exe
C:\WINDOWS\piqubt.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\program files\180searchassistant\salm.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\System32\gah95on6.exe
C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
C:\WINDOWS\System32\picsvr\picsvr.exe
C:\WINDOWS\System32\paqclip.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\WINDOWS\System32\ntsubsys.exe
C:\WINDOWS\sys32.exe
C:\WINDOWS\system32\ASCap.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\Acp2M.exe
C:\Documents and Settings\Dan\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\System32\DbnG4aEV.exe
C:\WINDOWS\System32\DbnG4aEV.exe
C:\WINDOWS\System32\OjqM9Y44.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = -
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O1 - Hosts: 83.102.165.14 bankofamerica.com
O1 - Hosts: 83.102.165.14 www.bankofamerica.com
O1 - Hosts: 65.109.102.103 wellsfargo.com
O1 - Hosts: 65.109.102.103 www.wellsfargo.com
O1 - Hosts: 83.102.207.5 paypal.com
O1 - Hosts: 83.102.207.5 www.paypal.com
O1 - Hosts: 83.102.207.7 www.lloydstsb.com
O1 - Hosts: 83.102.207.7 lloydstsb.com
O1 - Hosts: 83.102.207.7 www.lloydstsb.co.uk
O1 - Hosts: 83.102.207.7 lloydstsb.co.uk
O1 - Hosts: 83.102.207.10 www.bankone.com
O1 - Hosts: 83.102.207.10 bankone.com
O1 - Hosts: 83.102.207.10 hsbc.com
O1 - Hosts: 83.102.207.10 www.hsbc.com
O1 - Hosts: 83.102.207.10 hsbc.co.uk
O1 - Hosts: 83.102.207.10 www.hsbc.co.uk
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Lsass] C:\woekd.exe
O4 - HKLM\..\Run: [1] C:\windows\temp\1.exe
O4 - HKLM\..\Run: [ASCap.exe] c:\windows\system32\ASCap.exe
O4 - HKLM\..\Run: [CO] C:\windows\system32\CO.exe
O4 - HKLM\..\Run: [3M9QHH239@Z3FH] C:\WINDOWS\System32\Acp2M.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [syshost] C:\WINDOWS\syshost.exe
O4 - HKLM\..\Run: [KYK Control Settings] KYSVCXD.EXE
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteukr32.exe
O4 - HKLM\..\Run: [vZjfrfaGh] C:\WINDOWS\piqubt.exe
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [vÆõÚ)–²%)ßfÏNb½¾õC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\piqubt.exe
O4 - HKLM\..\Run: [Messenger] C:\WINDOWS\System32\ntsubsys.exe
O4 - HKLM\..\Run: [AutoLoader2F0J1PMRXYaa] "C:\WINDOWS\System32\pertmgr.exe"
O4 - HKLM\..\Run: [2srf35R] pertmgr.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [salm] c:\program files\180searchassistant\salm.exe
O4 - HKLM\..\Run: [qfgv] C:\WINDOWS\qfgv.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\RunServices: [KYK Control Settings] KYSVCXD.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [JB0pRRd9g] paqclip.exe
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [KYK Control Settings] KYSVCXD.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homes...ive/HS_live.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...Bridge-c139.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-mo...bs/joysaver.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180search...com/180saax.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC68077E-F628-4138-A37E-5C837B04E4C5}: NameServer = 64.136.28.120 64.136.20.120
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Sound Sservice Driver (Sound Service) - Unknown owner - C:\WINDOWS\System32\msconfig32.exe
  • 0

Advertisements

#2
kool808
Posted 15 June 2005 - 06:24 AM

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
Im kool808

I'm working on your log, as soon as another staff member reviews it I'll post a reply. Thank you for your patience.
  • 0

#3
kool808
Posted 15 June 2005 - 07:57 AM

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
I can see that you have a malware infection. This fix requires several tools that need to be downloaded. Please download these now, however we will run them later.
  • Please download Peper Trojan Remover
  • Run, and let terminate (it'll just blink briefly on your screen and won't appeared to have done much--this is normal).
  • Please download Ewido Security Suite
    * Install ewido security suite
    * Launch ewido, there should be an icon on your desktop double-click it.
    * The program will prompt you to update click the OK button
    * The program will now go to the main screen

    You will need to update ewido to the latest definition files.

    * On the left hand side of the main screen click update
    * Click on Start

    The update will start and a progress bar will show the updates being installed.

    * re-open Ewido Security Suite again
    * Click on scanner
    * Make sure the following boxes are checked before scanning:
    o Binder
    o Crypter
    o Archives
    * Click on Start Scan
    * Let the program scan the machine

    While the scan is in progress you will be prompted to clean files, click OK

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report

    * Click Save report
    * Save the report to your desktop
We will now fix the remaining problems with HijackThis. Please close all remaining windows, disconnect from the internet, open HijackThis then click SCAN. Please put a check on the following items listed below:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.ne...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.ne...ch?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.ne...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = -
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O1 - Hosts: 83.102.165.14 bankofamerica.com
O1 - Hosts: 83.102.165.14 www.bankofamerica.com
O1 - Hosts: 65.109.102.103 wellsfargo.com
O1 - Hosts: 65.109.102.103 www.wellsfargo.com
O1 - Hosts: 83.102.207.5 paypal.com
O1 - Hosts: 83.102.207.5 www.paypal.com
O1 - Hosts: 83.102.207.7 www.lloydstsb.com
O1 - Hosts: 83.102.207.7 lloydstsb.com
O1 - Hosts: 83.102.207.7 www.lloydstsb.co.uk
O1 - Hosts: 83.102.207.7 lloydstsb.co.uk
O1 - Hosts: 83.102.207.10 www.bankone.com
O1 - Hosts: 83.102.207.10 bankone.com
O1 - Hosts: 83.102.207.10 hsbc.com
O1 - Hosts: 83.102.207.10 www.hsbc.com
O1 - Hosts: 83.102.207.10 hsbc.co.uk
O1 - Hosts: 83.102.207.10 www.hsbc.co.uk
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [Lsass] C:\woekd.exe
O4 - HKLM\..\Run: [1] C:\windows\temp\1.exe
O4 - HKLM\..\Run: [ASCap.exe] c:\windows\system32\ASCap.exe
O4 - HKLM\..\Run: [CO] C:\windows\system32\CO.exe
O4 - HKLM\..\Run: [3M9QHH239@Z3FH] C:\WINDOWS\System32\Acp2M.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [syshost] C:\WINDOWS\syshost.exe
O4 - HKLM\..\Run: [KYK Control Settings] KYSVCXD.EXE
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteukr32.exe
O4 - HKLM\..\Run: [vZjfrfaGh] C:\WINDOWS\piqubt.exe
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [v ÆõÚ)-²%) ßfÏNb½¾ õC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\piqubt.exe
O4 - HKLM\..\Run: [Messenger] C:\WINDOWS\System32\ntsubsys.exe
O4 - HKLM\..\Run: [AutoLoader2F0J1PMRXYaa] "C:\WINDOWS\System32\pertmgr.exe"
O4 - HKLM\..\Run: [2srf35R] pertmgr.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [salm] c:\program files\180searchassistant\salm.exe
O4 - HKLM\..\Run: [qfgv] C:\WINDOWS\qfgv.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\RunServices: [KYK Control Settings] KYSVCXD.EXE
O4 - HKCU\..\Run: [JB0pRRd9g] paqclip.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [KYK Control Settings] KYSVCXD.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...Bridge-c139.cab
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-mo...bs/joysaver.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180search...com/180saax.cab
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe

Make sure to double check the items you have selected,then click Fix Checked.
Now we need to do this in Safe Mode. While rebooting, continuously tap F8 until you are presented with several options. Choose Safe Mode.
  • Uninstallation
    We need to uninstall the following programs:[list]
  • Go to Control Panel > Add/Remove Programs
  • Please locate
    * NZSearch
    * SEP
    * eSyndicate
    * EliteToolBar
    * AutoUpdate
    * Media Access
    * ISTsvc
    * 180searchassistant
    * Internet Optimizer
  • Click Uninstall
  • Confirm with OK
We need to delete the traces of these files:
  • Click Here to download TheKillbox. Extract TheKillBox.exe from the zip file and double click it to open it up. In the 'Enter Full Path and Filename to Delete' box, copy and paste these entries one by one, clicking 'Find and Kill This File' after each one:

    C:\Program Files\NZSearch\SearchEnh1.dll
    C:\Program Files\SEP\sep.dll
    C:\Program Files\eSyndicate\esyn.dll
    C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
    C:\woekd.exe
    C:\windows\temp\1.exe
    c:\windows\system32\ASCap.exe
    C:\windows\system32\CO.exe
    C:\WINDOWS\System32\Acp2M.exe
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\WINDOWS\syshost.exe
    C:\KYSVCXD.EXE
    C:\windows\system32\eliteukr32.exe
    C:\WINDOWS\piqubt.exe
    C:\WINDOWS\seeve.exe
    C:\Program Files\Media Access\MediaAccK.exe
    C:\msxct.exe
    C:\Program Files\ISTsvc\istsvc.exe
    C:\WINDOWS\System32\ntsubsys.exe
    C:\WINDOWS\System32\pertmgr.exe
    C:\pertmgr.exe
    C:\Program Files\ISTsvc\istsvc.exe
    c:\program files\180searchassistant\salm.exe
    C:\WINDOWS\qfgv.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\WINDOWS\System32\gah95on6.exe
    C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
    C:\WINDOWS\System32\picsvr\picsvr.exe

    Click 'Exit' when done.

    Note: If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run: http://www.javacools...ngfilesetup.exe. Then try TheKillbox again.
  • Through Windows Explorer, delete the following folder(s) (in bold):

    C:\Program Files\NZSearch\
    C:\Program Files\SEP\
    C:\Program Files\eSyndicate\
    C:\WINDOWS\EliteToolBar\
    C:\Program Files\AutoUpdate\
    C:\Program Files\Media Access\
    C:\Program Files\ISTsvc\
    c:\program files\180searchassistant\
    C:\Program Files\Internet Optimizer\
    C:\Program Files\NZSearch\

  • Finally, Empty Recycle Bin
We are almost done, but to make sure it is perfectly clean let us have the final check.
  • Reboot to Normal Mode.
  • Close all windows, open HijackThis then SCAN.
  • Post a NEW HijackThis Log.

  • 0

#4
therock247uk
Posted 06 July 2005 - 06:34 PM

therock247uk

    Expert

  • Expert
  • 14,672 posts
  • MVP
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP