Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojans etc: running wild [resolved]


  • This topic is locked This topic is locked

#1
Ricky_22

Ricky_22

    Member

  • Member
  • PipPipPip
  • 290 posts
Constantly getting 'Trj/Downloader.ACQ and AQN and other viruses. Cannot open 'control panel' or search, also my documents and others. Have followed all instructions as far as possible. I'm scared to close down my computer incase it won't star proper again

Ricky





Logfile of HijackThis v1.99.0
Scan saved at 11:41:48 AM, on 23/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\apvxdwin.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Telstra\BigPond Assist\assist.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\WINDOWS\netqn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Eric F. Gordon.PRIVATE-ERIC\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ajoun.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ajoun.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ajoun.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ajoun.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ajoun.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ajoun.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ajoun.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bigpond.com/webchannels
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0F1C7655-3424-3D59-0FBE-AC5AAE8D7B58} - C:\WINDOWS\system32\apina32.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ecc] C:\Program Files\Telstra\BigPond Assist\assist.exe
O4 - HKLM\..\Run: [4.tmp] C:\DOCUME~1\ERICFG~1.PRI\LOCALS~1\Temp\4.tmp.exe 0 10001
O4 - HKLM\..\Run: [4.tmp.exe] C:\DOCUME~1\ERICFG~1.PRI\LOCALS~1\Temp\4.tmp.exe 3 10001
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [netqn.exe] C:\WINDOWS\netqn.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: LokiTorrent Toolbar - Search your seed! - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O9 - Extra 'Tools' menuitem: LokiTorrent Toolbar - Search your seed! - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcaf...22/ComCtl32.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...IE601Arcade.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {91BE8DAC-957E-416C-B735-E2B63CDB915B} (MyEMessengerSetup Control) - http://www.myemessen...etupProject.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zone...ctor/WebSWK.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} - http://advnt01.com/d...ionale_ver4.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O23 - Service: Panda Process Protection Service - Unknown - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service - Unknown - C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\pavsrv51.exe
O23 - Service: Panda IManager Service - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\addsy.exe (file missing)
  • 0

Advertisements


#2
Ricky_22

Ricky_22

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 290 posts
Guess I'm in too much of a mess even for youse guys to help huh :tazz:


What kind of people create and send out this kind of stuff ......... it's really cruel ain't it !





Ricky


.
  • 0

#3
Ricky_22

Ricky_22

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 290 posts

Guess I'm in too much of a mess even for youse guys to help huh :tazz:
What kind of people create and send out this kind of stuff ......... it's really cruel ain't it !
Ricky
.

View Post




If I have to re-formatt, I'll lose all my videos and music (about 8 GB ) and me documents and e-mails ...... even my printer don't wanna work from the 'puter now either !


heartaches by the number, headaches by the score
.


.
  • 0

#4
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
You have a nasty About:Blank infection. This fix requires several

tools that need to be downloaded. Please download these now, we will

run them later.

1)

About:Buster
- Download it and extract it to C:/aboutbuster.
2)

CleanUp!
- Download it and install it.
3) CWShredder 2.11

- Download it and save it to your desktop.
4) Ad-

Aware
- Download, install, and update.

Enable hidden files and folders:

http://www.bleepingc...orums/index.php?

showtutorial=62#winme

During the fix do NOT connect to the internet. Unless you

can memorize these instructions, it would be a good idea to print

them out.


Boot into safe mode:
Restart your computer and as soon as it starts booting up again

continuously tap F8. A menu should come up where you will be given

the option to enter Safe Mode.

Run AboutBuster
-Click Start to begin the process
-Click OK on the Buster Report dialogue box to start the scan
AboutBuster scans the computer for malicious files and deletes them.
Save the report (copy and paste into Notepad and save as a .txt file)

to post a copy for review.

Run CWShredder
-Next, click on the: Fix button
-Follow the prompts, and press OK

Run CleanUp
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run Ad-Aware
-Configure Ad-Aware for a full system scan
-Run it

Clean Up the left overs

Run HJT, close any open windows, and fix the following items (if they

are still there):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ajoun.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ajoun.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ajoun.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ajoun.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ajoun.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ajoun.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ajoun.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0F1C7655-3424-3D59-0FBE-AC5AAE8D7B58} - C:\WINDOWS\system32\apina32.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O9 - Extra button: LokiTorrent Toolbar - Search your seed! - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O9 - Extra 'Tools' menuitem: LokiTorrent Toolbar - Search your seed! - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)

What are these? If you didn't put them in your system then fix these also.
O4 - HKLM\..\Run: [4.tmp] C:\DOCUME~1\ERICFG~1.PRI\LOCALS~1\Temp\4.tmp.exe 0 10001
O4 - HKLM\..\Run: [4.tmp.exe] C:\DOCUME~1\ERICFG~1.PRI\LOCALS~1\Temp\4.tmp.exe 3 10001


Then delete the following files (if they exist):

C:\WINDOWS\system32\apina32.dll

and these if you removed them in Hijack This

C:\DOCUME~1\ERICFG~1.PRI\LOCALS~1\Temp\4.tmp.exe 0 10001
C:\DOCUME~1\ERICFG~1.PRI\LOCALS~1\Temp\4.tmp.exe 3 10001


Reboot into normal mode (simply restart your computer as you normally

would), and run the following free, online virus scans:

http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp

Then restart your computer one more time and post a new HJT log as

well as the About:Buster log I asked you to save earlier.
  • 0

#5
Ricky_22

Ricky_22

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 290 posts

You have a nasty About:Blank infection.  This fix requires several

tools that need to be downloaded.  Please download these now, we will

run them later.

1)

About:Buster
- Download it and extract it to C:/aboutbuster.
2)

CleanUp!
- Download it and install it.
3) CWShredder 2.11

- Download it and save it to your desktop.
4) Ad-

Aware
- Download, install, and update.

Enable hidden files and folders:

http://www.bleepingc...orums/index.php?

showtutorial=62#winme

During the fix do NOT connect to the internet.  Unless you

can memorize these instructions, it would be a good idea to print

them out.


Boot into safe mode:
Restart your computer and as soon as it starts booting up again

continuously tap F8. A menu should come up where you will be given

the option to enter Safe Mode.

Run AboutBuster
-Click Start to begin the process
-Click OK on the Buster Report dialogue box to start the scan
AboutBuster scans the computer for malicious files and deletes them.
Save the report (copy and paste into Notepad and save as a .txt file)

to post a copy for review.

Run CWShredder
-Next, click on the: Fix button
-Follow the prompts, and press OK

Run CleanUp
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run Ad-Aware
-Configure Ad-Aware for a full system scan
-Run it

Clean Up the left overs

Run HJT, close any open windows, and fix the following items (if they

are still there):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ajoun.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ajoun.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ajoun.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ajoun.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ajoun.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ajoun.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ajoun.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0F1C7655-3424-3D59-0FBE-AC5AAE8D7B58} - C:\WINDOWS\system32\apina32.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O9 - Extra button: LokiTorrent Toolbar - Search your seed! - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O9 - Extra 'Tools' menuitem: LokiTorrent Toolbar - Search your seed! - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)

What are these? If you didn't put them in your system then fix these also.
O4 - HKLM\..\Run: [4.tmp] C:\DOCUME~1\ERICFG~1.PRI\LOCALS~1\Temp\4.tmp.exe 0 10001
O4 - HKLM\..\Run: [4.tmp.exe] C:\DOCUME~1\ERICFG~1.PRI\LOCALS~1\Temp\4.tmp.exe 3 10001


Then delete the following files (if they exist):

C:\WINDOWS\system32\apina32.dll

and these if you removed them in Hijack This

C:\DOCUME~1\ERICFG~1.PRI\LOCALS~1\Temp\4.tmp.exe 0 10001
C:\DOCUME~1\ERICFG~1.PRI\LOCALS~1\Temp\4.tmp.exe 3 10001


Reboot into normal mode (simply restart your computer as you normally

would), and run the following free, online virus scans:

http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp

Then restart your computer one more time and post a new HJT log as

well as the About:Buster log I asked you to save earlier.

View Post


I can't access the web for the anti-virus scans, I keep getting diverted to a nonsense, sorry and I can't access my control panel to check for program deletion etc: and I keep getting I.E shutdown notices and then it I.E reboots itself, slowly! my Panda antivirus has been corrupted, and the segments that are left I can't get rid of, so it's difficult to d/l again whilst they are still on my computer :tazz:

I have typed this out in 'wordpad' so that I can copy and paste into your site, if I can get there ....
thanks for your help, can you help now ? is there any hope for me at all, please .





Scanned at: 12:17:01 PM on: 26/02/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 16

No ADS found on system
Removed 4 Random Key Entries
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 16

No ADS found on system
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Pages Reset... Done!



====================================================================


Logfile of HijackThis v1.99.0
Scan saved at 1:16:30 PM, on 26/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\iefk32.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\NeroCheck.exe
C:\Program Files\Telstra\BigPond Assist\assist.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\WINDOWS\system32\sdkcx32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Documents and Settings\Eric F. Gordon.PRIVATE-ERIC\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\pohem.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pohem.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\pohem.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pohem.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\pohem.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\pohem.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bigpond.com/webchannels
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {005714CD-0630-8CC6-E2CB-ADCEC38BF51A} - C:\WINDOWS\system32\ntaq32.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ecc] C:\Program Files\Telstra\BigPond Assist\assist.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [sdkcx32.exe] C:\WINDOWS\system32\sdkcx32.exe
O4 - HKLM\..\RunOnce: [iefk32.exe] C:\WINDOWS\system32\iefk32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: LokiTorrent Toolbar - Search your seed! - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O9 - Extra 'Tools' menuitem: LokiTorrent Toolbar - Search your seed! - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcaf...22/ComCtl32.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...IE601Arcade.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {91BE8DAC-957E-416C-B735-E2B63CDB915B} (MyEMessengerSetup Control) - http://www.myemessen...etupProject.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zone...ctor/WebSWK.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\system32\appxe.exe (file missing)


And those nasties just keep on coming back ! i'm in real despair, is there any hope ? it took me ages to do all you asked, and I followed it quite exactly ......

=================

=========

==========================


I've been trying for days to get back to you ./...... Just now managed, so please don't give up on me, but please I really need help, to lose all that I have, would be almost enough to encourage me to give up computers ... can you help me ? or am I helpless ? truth please ..............,


.
  • 0

#6
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
I undestand your despair, please be patient as we fix this issue adn don't give up, if you do give up then the cretors of the malware have won the battle that I am fighting
  • 0

#7
Ricky_22

Ricky_22

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 290 posts

I undestand your despair, please be patient as we fix this issue adn don't give up, if you do give up then the cretors of the malware have won the battle that I am fighting

View Post




Thank you, I'll wait for your instructions,

It's pretty devastating ain't it


Ricky

.
  • 0

#8
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
could you please update to version 1.99.1 of Hijack This by downloading it at http://www.merijn.or.../hijackthis.zip
it is better equipped to handle the newer type entries.

then,
1) About:Buster - Download it and extract it to C:/aboutbuster.
2) CleanUp! - Download it and install it.
3) CWShredder 2.11 - Download it and save it to your desktop.
4) Ad-ware - Download, install, and update.

Enable hidden files and folders: http://www.bleepingc...torial=62#winme

During the fix do NOT connect to the internet. Unless you can memorize these instructions, it would be a good idea to print them out.

Boot into safe mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Run AboutBuster
-Click Start to begin the process
-Click OK on the Buster Report dialogue box to start the scan
AboutBuster scans the computer for malicious files and deletes them.
Save the report (copy and paste into Notepad and save as a .txt file) to post a copy for review.

Run CWShredder
-Next, click on the: Fix button
-Follow the prompts, and press OK

Run CleanUp
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run Ad-Aware
-Configure Ad-Aware for a full system scan
-Run it

Clean Up the left overs

Run HJT, close any open windows, and fix the following items (if they are still there):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\pohem.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pohem.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\pohem.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pohem.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\pohem.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\pohem.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {005714CD-0630-8CC6-E2CB-ADCEC38BF51A} - C:\WINDOWS\system32\ntaq32.dll
O4 - HKLM\..\Run: [sdkcx32.exe] C:\WINDOWS\system32\sdkcx32.exe
O4 - HKLM\..\RunOnce: [iefk32.exe] C:\WINDOWS\system32\iefk32.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...IE601Arcade.cab
O16 - DPF: {91BE8DAC-957E-416C-B735-E2B63CDB915B} (MyEMessengerSetup Control) - http://www.myemessen...etupProject.cab
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\system32\appxe.exe (file missing)


Then delete the following files (if they exist):

C:\WINDOWS\system32\pohem.dll
C:\WINDOWS\system32\ntaq32.dll
C:\WINDOWS\system32\sdkcx32.exe
C:\WINDOWS\system32\iefk32.exe


Reboot into normal mode (simply restart your computer as you normally would), and run the following free, online virus scans:

http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp

Then restart your computer one more time and post a new HJT log as well as the About:Buster log I asked you to save earlier.

I realize this seems repetetive but I think the version of Hijack This was the problem.

Edited by Efwis, 26 February 2005 - 01:42 PM.

  • 0

#9
Ricky_22

Ricky_22

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 290 posts
I'm having problems, I can't get onto the 'highjackthis' link that you've posted, I'm getting diverted to a nonsense ...... I'll keep trying though



:tazz:
  • 0

#10
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
Ricky 22
pm me your email address, I will email it to you
  • 0

Advertisements


#11
Ricky_22

Ricky_22

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 290 posts

Ricky 22
pm me your email address, I will email it to you

View Post



I have managed to download it onto my desktop, and extracted them, but now I cannot open the folder, everytime I try to, I.E. reboots :tazz:

I'm sending my e-mail address now, thanks alot


.
  • 0

#12
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
click this link, it is an unzipped version.

http://merijn.org/files/HijackThis.exe
  • 0

#13
Ricky_22

Ricky_22

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 290 posts

click this link, it is an unzipped version.

http://merijn.org/files/HijackThis.exe

View Post




:tazz: yes, that worked a treat ;) will now do the thinggy again, and advise you of results

Thnx heaps :thumbsup:

Ricky
  • 0

#14
Ricky_22

Ricky_22

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 290 posts
Oh dear, looks like they all came back again ;)

what d'ye reckon ?


It ain't looking good is it :thumbsup: I'm just hoping I can get back online to post this :tazz:

Ricky .......





Scanned at: 1:58:35 PM on: 27/02/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 23

No ADS found on system
Removed 4 Random Key Entries
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 23

No ADS found on system
Attempted Clean Of Temp folder.
Removed LEGACY___NS_Service_3 Key
Pages Reset... Done!


====================================================




Logfile of HijackThis v1.99.1
Scan saved at 2:56:16 PM, on 27/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\atloo32.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Telstra\BigPond Assist\assist.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\sdkcx32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Eric F. Gordon.PRIVATE-ERIC\Desktop\HijackThis.exe 1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bigpond.com/webchannels
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {EDD1A398-C8F7-CF1A-2911-C9840D86CEC4} - C:\WINDOWS\system32\winct.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ecc] C:\Program Files\Telstra\BigPond Assist\assist.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [sdkcx32.exe] C:\WINDOWS\system32\sdkcx32.exe
O4 - HKLM\..\RunOnce: [atloo32.exe] C:\WINDOWS\system32\atloo32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: LokiTorrent Toolbar - Search your seed! - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O9 - Extra 'Tools' menuitem: LokiTorrent Toolbar - Search your seed! - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcaf...22/ComCtl32.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zone...ctor/WebSWK.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Network Security Service (%AF) - Unknown owner - C:\WINDOWS\system32\appxe.exe" /s (file missing)



.
  • 0

#15
Ricky_22

Ricky_22

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 290 posts
I was unable to get to housecall or pandasoftware for virus scan before doing the HJT scan ....... 'it' wouldn't allow me :tazz: then or now ...... it's something very clever/sneaky ain't it !



;) Ricky

.



.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP