search paga

#1
apollo7825
    New Member
  • Member
  • 3 posts
Hello everyone out there

I have a problem: every time I open Internet Explorer, instead of landing on my chosen home page I receive Search paga.com. I have tried to remove it but it keeps coming back. There is also a programme 127058.exe that keeps on placing itself on my desktop; the simple remove procedure I use does not get rid of it.

I have Ad Aware installed on my computer. I also have the Norman virus and firewall programmes on my computer. I hope someone can help me. Here is my log.

Logfile of HijackThis v1.99.1
Scan saved at 20:31:34, on 07-03-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\DOCUMENTS AND SETTINGS\GARY\SKRIVEBORD\nvc\BIN\NPFSVICE.EXE
C:\Documents and Settings\Gary\Skrivebord\NVC\BIN\Zanda.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pd7.exe
C:\Program Files\Media Pass\MediaPass.exe
C:\WINDOWS\system32\gah95on6.exe
C:\Programmer\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\Media Pass\MediaPassK.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\DOCUMENTS AND SETTINGS\GARY\SKRIVEBORD\nvc\BIN\nvcoas.exe
C:\DOCUMENTS AND SETTINGS\GARY\SKRIVEBORD\nvc\BIN\NJEEVES.EXE
C:\DOCUMENTS AND SETTINGS\GARY\SKRIVEBORD\nvc\BIN\NVCSCHED.EXE
C:\DOCUMENTS AND SETTINGS\GARY\SKRIVEBORD\Nvc\BIN\nipsvc.exe
C:\WINDOWS\inetdata\services.exe
C:\Programmer\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\WINDOWS\System32\wisptis.exe
C:\Documents and Settings\Gary\Skrivebord\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10039/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.the-exit.com/search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\inetdata\services.exe
O1 - Hosts: 207.44.240.65 rad.msn.com
O2 - BHO: CDownCom Class - {031B6D43-CBC4-46A5-8E46-CF8B407C1A33} - C:\WINDOWS\DOWNLO~1\ipreg32.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\system32\DSMANA~1.DLL
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\system32\pd7.exe
O4 - HKLM\..\Run: [printer] C:\WINDOWS\helpsys.exe
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPass.exe
O4 - HKLM\..\Run: [yvwlqbqj] C:\WINDOWS\yvwlqbqj.exe
O4 - HKLM\..\Run: [rre7WPM4K] C:\WINDOWS\ldwjtgk.exe
O4 - HKLM\..\Run: [WebRebates0] C:\Programmer\Web_Rebates\WebRebates0.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\services.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\system32\pd7.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Programmer\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.hta
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Programmer\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .mpeg: C:\Programmer\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://netplayer.swdc.dk/Rawflow.cab
O16 - DPF: {0996AF24-960F-753A-34DB-238934176D51} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {0DB0D457-EF33-11D6-51A0-1D090E0403B7} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c7.cab
O16 - DPF: {25563693-FF9B-33FC-D234-16637B4C6FC7} - http://69.50.182.94/1/rdgDK1837.exe
O16 - DPF: {2D7884E2-DB7A-73EB-46C2-3C8631D0720C} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {2EADA1BC-EB60-0F8A-3B73-0A4B58671DDB} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {34DD008C-7C33-1E91-08B6-7A3552D1B3C3} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {35D50AF7-C2C8-5793-009B-7D83277F9C8A} - http://69.50.182.94/1/rdgDK994.exe
O16 - DPF: {3999FFD6-6C0D-4301-E956-5EA376D1C059} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {47F44CFB-5B5F-7A85-EB75-3B3A454995AB} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {4AB095A1-548E-12DE-5043-12776CBB1D37} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {4C272F3C-6BFC-43B1-D64E-0D913351A92B} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...tzip/RdxIE6.cab
O16 - DPF: {662A6B83-904C-475A-5312-0CCE564AE24D} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {666CF7A8-46D3-6C42-2C50-3FD1159ADFDC} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {667F0743-FE92-623E-2FCE-249915FFE118} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {68B42CE2-5A45-65D7-64AE-545F45503A49} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {6ABBBBD9-FE97-46B7-C25E-0C922C8B52D4} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {6B80D865-36AE-3ADD-1779-79925976386E} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {787F1AB1-8EF1-5709-91A8-0FCA0C0F52C7} - http://69.50.182.94/1/rdgDK994.exe
O16 - DPF: {7A8C576C-4D35-7CCB-2655-780628C35705} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.axis.com/...sCamControl.ocx
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} (VacPro.internazionale_ver4) - http://www.globalpho...ionale_ver4.CAB
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O21 - SSODL: System - {B5126E46-756D-43F8-A32B-81F5331E05C0} - C:\WINDOWS\system32\system32.dll
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\DOCUMENTS AND SETTINGS\GARY\SKRIVEBORD\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\DOCUMENTS AND SETTINGS\GARY\SKRIVEBORD\nvc\BIN\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\DOCUMENTS AND SETTINGS\GARY\SKRIVEBORD\nvc\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Documents and Settings\Gary\Skrivebord\NVC\BIN\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\DOCUMENTS AND SETTINGS\GARY\SKRIVEBORD\nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\DOCUMENTS AND SETTINGS\GARY\SKRIVEBORD\nvc\BIN\NVCSCHED.EXE

#2
rstones12
    Malware Expert
  • Retired Staff
  • 3,731 posts
apollo7825,
Welcome to the Forum.
I will be reviewing your HJT log.

We are going to need to remove a few things, but first I would like you to do the following. The reason I am asking for these initial steps is that they can clear up some items in the first part of the fix if needed.

I have outlined some preliminary steps that we need to address. You may want to print out these instructions for reference. This process will take a few steps, so please be patient and follow the provided directions.

[1.]
First Download CWShredder
And save it to your desktop.
Close all open browser windows and any other open windows.

Install CWShredder, then:

Open CWS and click Check for Updates
Then click "FIX"

[2.]
Please run at least one of these online scans, allow it to delete anything it finds:
You may have to select the auto-fix option prior to scanning, it should be a selection box on the screen. If you are a dial-up user just do one, this can take some time.
If you are a broadband user, I would suggest at least 2 of the 3. One extra scan is most often enough.
Panda ActiveScan
TrendMicro HouseCall
eTrust AntiVirus Web Scanner
Please make a note of anything that wasn't or couldn't be fixed.
Reboot your machine when finished.

[3.]
You may have run these programs already, make sure they are up to date and run per provided instructions.
Current Versions are:
Spybot S&D Ver: 1.3 Download Here
Ad-Aware SE Build 1.05 Download Here

Download and install both Spybot S&D and Ad-Aware SE.

Instructions:

Spybot S&D:
Go to your Start Menu >> Programs >> Spybot S&D >> then choose Spybot S&D.

*Close ALL windows except Spybot S&D
*Click the button to "Search for Updates" and download and install the Updates.
*Close Spybot then launch it again
*Click the button "Check for Problems"
*When Spybot is done scanning, it will be showing "RED" (RED) entries, "BLACK" entries and "GREEN" (GREEN) entries in the window
*Put a check mark beside the RED (RED) entries ONLY.
*Choose "Fix Selected Problems" and allow Spybot to fix the RED (RED) entries.


Ad-Aware SE FULL SCAN:
Go to your Start Menu >> Programs >> Lavasoft Ad-Aware SE >> then choose Ad-Aware SE Personal.

When the main window opens look in the bottom right corner and click on Check For Updates Now then click Connect and download the latest reference files.

From main window:
*Click Start then under Select a scan Mode check Perform Full System Scan.
*Next deselect Search for negligible risk entries.
*To scan just click the Next button.

When the scan has finished mark everything for removal and get rid of it.
(Right-click the window and choose select all from the drop down menu and click Next)
The program will ask if you want to fix/delete selected items, choose yes/fix.

[4.]
Enable show hidden files and folders:

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

[5.]
Update your current Virus Scan Definitions:

[6.]
Reboot into Safe Mode and Scan with Spybot S&D and Ad-Aware SE
Then do a scan with your Anti-Virus Software.

[7.]
Delete your temp files:

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


Empty Your Recycle Bin.

[8.]

Reboot normally and post a new HJT log by using Post Reply:


Thanks,
rstones12

#3
apollo7825
    New Member
  • Topic Starter
  • Member
  • 3 posts
Hello rstones12

Thank you very much for your time and help. After a day that unwanted start page (paga search.com) returned. I would have replied sooner, but I have been a bit tied up with work.

Here is my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 20:28:10, on 10-03-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\DOCUMENTS AND SETTINGS\GARY\SKRIVEBORD\nvc\BIN\NPFSVICE.EXE
C:\Documents and Settings\Gary\Skrivebord\NVC\BIN\Zanda.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Media Pass\MediaPass.exe
C:\WINDOWS\system32\gah95on6.exe
C:\Programmer\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\Program Files\Media Pass\MediaPassK.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\inetdata\winlogon.exe
C:\DOCUMENTS AND SETTINGS\GARY\SKRIVEBORD\nvc\BIN\nvcoas.exe
C:\DOCUMENTS AND SETTINGS\GARY\SKRIVEBORD\nvc\BIN\NJEEVES.EXE
C:\DOCUMENTS AND SETTINGS\GARY\SKRIVEBORD\nvc\BIN\NVCSCHED.EXE
C:\DOCUMENTS AND SETTINGS\GARY\SKRIVEBORD\Nvc\BIN\nipsvc.exe
C:\Programmer\Messenger\msmsgs.exe
C:\Documents and Settings\Gary\Skrivebord\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10039/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\inetdata\winlogon.exe
O2 - BHO: CDownCom Class - {031B6D43-CBC4-46A5-8E46-CF8B407C1A33} - C:\WINDOWS\DOWNLO~1\ipreg32.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\system32\DSMANA~1.DLL
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPass.exe
O4 - HKLM\..\Run: [yvwlqbqj] C:\WINDOWS\yvwlqbqj.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Programmer\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Programmer\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .mpeg: C:\Programmer\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://netplayer.swdc.dk/Rawflow.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {0996AF24-960F-753A-34DB-238934176D51} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {0DB0D457-EF33-11D6-51A0-1D090E0403B7} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {22F4F69A-0901-7288-FD6F-16FD39E62452} - http://69.50.182.94/1/rdgDK994.exe
O16 - DPF: {25563693-FF9B-33FC-D234-16637B4C6FC7} - http://69.50.182.94/1/rdgDK1837.exe
O16 - DPF: {2D7884E2-DB7A-73EB-46C2-3C8631D0720C} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {2EADA1BC-EB60-0F8A-3B73-0A4B58671DDB} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {34DD008C-7C33-1E91-08B6-7A3552D1B3C3} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {35D50AF7-C2C8-5793-009B-7D83277F9C8A} - http://69.50.182.94/1/rdgDK994.exe
O16 - DPF: {3999FFD6-6C0D-4301-E956-5EA376D1C059} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {41F6E74C-A47D-2A6E-6889-0C7A484E7DD8} - http://69.50.182.94/1/rdgDK994.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {47F44CFB-5B5F-7A85-EB75-3B3A454995AB} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {4AB095A1-548E-12DE-5043-12776CBB1D37} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {4C272F3C-6BFC-43B1-D64E-0D913351A92B} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...tzip/RdxIE6.cab
O16 - DPF: {662A6B83-904C-475A-5312-0CCE564AE24D} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {666CF7A8-46D3-6C42-2C50-3FD1159ADFDC} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {667F0743-FE92-623E-2FCE-249915FFE118} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {68B42CE2-5A45-65D7-64AE-545F45503A49} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {6ABBBBD9-FE97-46B7-C25E-0C922C8B52D4} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {6B80D865-36AE-3ADD-1779-79925976386E} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {76595F7B-B76F-635F-77D3-2BCE6F5996AF} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {787F1AB1-8EF1-5709-91A8-0FCA0C0F52C7} - http://69.50.182.94/1/rdgDK994.exe
O16 - DPF: {7A8C576C-4D35-7CCB-2655-780628C35705} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.axis.com/...sCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} (VacPro.internazionale_ver4) - http://www.globalpho...ionale_ver4.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\DOCUMENTS AND SETTINGS\GARY\SKRIVEBORD\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\DOCUMENTS AND SETTINGS\GARY\SKRIVEBORD\nvc\BIN\NJEEVES.EXE
O23 - Service: Norman Type-R - Unknown owner - C:\DOCUMENTS AND SETTINGS\GARY\SKRIVEBORD\nvc\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Documents and Settings\Gary\Skrivebord\NVC\BIN\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\DOCUMENTS AND SETTINGS\GARY\SKRIVEBORD\nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\DOCUMENTS AND SETTINGS\GARY\SKRIVEBORD\nvc\BIN\NVCSCHED.EXE

#4
rstones12
    Malware Expert
  • Retired Staff
  • 3,731 posts
apollo7825,
Please follow these instructions, you may want to print out these for a reference.

Go to your Control Panel then Add-Remove Programs.
Remove the following items if found or any variation of these:

AdService
Elite Search
Elite Toolbar


Scan with HJT and place a checkmark next to the following items:
Don't fix anything just yet.


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.search-paga.com/10039/
Removed "tt" in http for security reasons

R3 - Default URLSearchHook is missing

F3 - REG:win.ini: run=C:\WINDOWS\inetdata\winlogon.exe

O2 - BHO: CDownCom Class - {031B6D43-CBC4-46A5-8E46-CF8B407C1A33} - C:\WINDOWS\DOWNLO~1\ipreg32.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\system32\DSMANA~1.DLL


O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O4 - HKLM\..\Run: [yvwlqbqj] C:\WINDOWS\yvwlqbqj.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe

O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - hxxp://netplayer.swdc.dk/Rawflow.cab

O16 - DPF: {0996AF24-960F-753A-34DB-238934176D51} - hxxp://69.50.182.94/1/rdgDK896.exe Each of these entries

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - hxxp://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - hxxp://207.188.7.150/1166a490c741e80b3220/netzip/RdxIE6.cab

O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} (VacPro.internazionale_ver4) - hxxp://www.globalphon.com/dialer/internazionale_ver4.CAB


Close all browsers and open windows except HJT and click "Fix Checked"

Enable show hidden files and folders:

Windows XP

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Reboot into safe mode: You can do this by tapping the F8 key while your system starts up. This will take longer to start up so just be patient.

Search and remove the following folders/files:

O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe<-- Folder
O4 - HKLM\..\Run: [yvwlqbqj] C:\WINDOWS\yvwlqbqj.exe<-- File
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\system32\gah95on6.exe<-- File

Do a scan with the following:
Anti-Virus Software
CWShredder
Ad-Aware
Spybot S&D

Remove anything they find.

Delete temp files

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Navigate to the C:\Windows\Prefetch folder. Open the Prefetch folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Prefetch folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin.

Reboot normally and post back a new HJT log by using "Add Reply"

Thanks,
rstones12

#5
apollo7825
    New Member
  • Topic Starter
  • Member
  • 3 posts
Greetings rstones12

I have done all the things you said, but as soon as my computer had finished rebooting a "foreign icon" appeared on my desktop. Sometimes it's called "sex" or "internet". In the Windows job list it appears under Processes under the name 125788.dlr.

This is my hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 14:41:03, on 17-03-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\DOCUMENTS AND SETTINGS\GARY\SKRIVEBORD\nvc\BIN\NPFSVICE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pd7.exe
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\PROGRA~1\COMMON~1\ukoz\ukozm.exe
C:\Programmer\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Programmer\WebSiteViewer\125788.dlr
C:\Documents and Settings\Gary\Skrivebord\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O1 - Hosts: 69.50.177.254 google.com www.google.com www.gooogle.com gooogle.com
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmer\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [printer] C:\WINDOWS\dstart2.exe
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\system32\pd7.exe
O4 - HKLM\..\Run: [sais] c:\programmer\180solutions\sais.exe
O4 - HKLM\..\Run: [qtobsx] C:\WINDOWS\qtobsx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Norman ZANDA] C:\Documents and Settings\Gary\Skrivebord\bin\ZLH.EXE /LOAD /SPLASH
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\system32\pd7.exe
O4 - HKCU\..\Run: [ukoz] C:\PROGRA~1\COMMON~1\ukoz\ukozm.exe
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Programmer\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Programmer\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .mpeg: C:\Programmer\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Programmer\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {0DB0D457-EF33-11D6-51A0-1D090E0403B7} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c7.cab
O16 - DPF: {22F4F69A-0901-7288-FD6F-16FD39E62452} - http://69.50.182.94/1/rdgDK994.exe
O16 - DPF: {25563693-FF9B-33FC-D234-16637B4C6FC7} - http://69.50.182.94/1/rdgDK1837.exe
O16 - DPF: {28ABA46F-FE0B-61D5-0D1E-44055FE1AE74} - http://69.50.182.94/1/rdgDK994.exe
O16 - DPF: {2D7884E2-DB7A-73EB-46C2-3C8631D0720C} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {2EADA1BC-EB60-0F8A-3B73-0A4B58671DDB} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {34DD008C-7C33-1E91-08B6-7A3552D1B3C3} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {35D50AF7-C2C8-5793-009B-7D83277F9C8A} - http://69.50.182.94/1/rdgDK994.exe
O16 - DPF: {3999FFD6-6C0D-4301-E956-5EA376D1C059} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {41F6E74C-A47D-2A6E-6889-0C7A484E7DD8} - http://69.50.182.94/1/rdgDK994.exe
O16 - DPF: {47F44CFB-5B5F-7A85-EB75-3B3A454995AB} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {4AB095A1-548E-12DE-5043-12776CBB1D37} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {4C272F3C-6BFC-43B1-D64E-0D913351A92B} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {54EF1F42-F7F9-430A-72AD-792F09346731} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {662A6B83-904C-475A-5312-0CCE564AE24D} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {666CF7A8-46D3-6C42-2C50-3FD1159ADFDC} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {667F0743-FE92-623E-2FCE-249915FFE118} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {68B42CE2-5A45-65D7-64AE-545F45503A49} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {6ABBBBD9-FE97-46B7-C25E-0C922C8B52D4} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {6B80D865-36AE-3ADD-1779-79925976386E} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {76595F7B-B76F-635F-77D3-2BCE6F5996AF} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {787F1AB1-8EF1-5709-91A8-0FCA0C0F52C7} - http://69.50.182.94/1/rdgDK994.exe
O16 - DPF: {7A8C576C-4D35-7CCB-2655-780628C35705} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.axis.com/...sCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\DOCUMENTS AND SETTINGS\GARY\SKRIVEBORD\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\Documents and Settings\Gary\Skrivebord\bin\NJEEVES.EXE (file missing)
O23 - Service: Norman Type-R - Unknown owner - C:\DOCUMENTS AND SETTINGS\GARY\SKRIVEBORD\nvc\BIN\NPFSVICE.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\Documents and Settings\Gary\Skrivebord\bin\ZANDA.EXE (file missing)
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\DOCUMENTS AND SETTINGS\GARY\SKRIVEBORD\nvc\BIN\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\DOCUMENTS AND SETTINGS\GARY\SKRIVEBORD\nvc\BIN\NVCSCHED.EXE

apollo7825

#6
rstones12
    Malware Expert
  • Retired Staff
  • 3,731 posts
apollo7825,

You have some virus issues going on. Are you currently using Norman Anti-Virus?
If so, have you updated this product, and do you have it running?

If you need a suggestion for another Anti-Virus program, I can provide you with some options.

First go to your Control Panel then Add-Remove Programs, remove the following if found or a variation of these.

180Solutions
WebSite Viewer
Ukoz


Scan with HJT and place a checkmark next to the following items.

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks

O1 - Hosts: 69.50.177.254 google.com www.google.com www.gooogle.com gooogle.com

O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll (file missing)

O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\system32\pd7.exe
O4 - HKLM\..\Run: [sais] c:\programmer\180solutions\sais.exe
O4 - HKLM\..\Run: [qtobsx] C:\WINDOWS\qtobsx.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\system32\pd7.exe
O4 - HKCU\..\Run: [ukoz] C:\PROGRA~1\COMMON~1\ukoz\ukozm.exe

O16 - DPF: {0DB0D457-EF33-11D6-51A0-1D090E0403B7} - hxxp://69.50.182.94/1/rdgDK896.exe

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - hxxp://static.windupdates.com/cab/CDT/ie/bridge-c7.cab

In each one of the following I removed the "tt" in http for security reasons.

O16 - DPF: {22F4F69A-0901-7288-FD6F-16FD39E62452} - hxxp://69.50.182.94/1/rdgDK994.exe
O16 - DPF: {25563693-FF9B-33FC-D234-16637B4C6FC7} - hxxp://69.50.182.94/1/rdgDK1837.exe
O16 - DPF: {28ABA46F-FE0B-61D5-0D1E-44055FE1AE74} - hxxp://69.50.182.94/1/rdgDK994.exe
O16 - DPF: {2D7884E2-DB7A-73EB-46C2-3C8631D0720C} - hxxp://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {2EADA1BC-EB60-0F8A-3B73-0A4B58671DDB} - hxxp://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {34DD008C-7C33-1E91-08B6-7A3552D1B3C3} - hxxp://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {35D50AF7-C2C8-5793-009B-7D83277F9C8A} - hxxp://69.50.182.94/1/rdgDK994.exe
O16 - DPF: {3999FFD6-6C0D-4301-E956-5EA376D1C059} - hxxp://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {41F6E74C-A47D-2A6E-6889-0C7A484E7DD8} - hxxp://69.50.182.94/1/rdgDK994.exe
O16 - DPF: {47F44CFB-5B5F-7A85-EB75-3B3A454995AB} - hxxp://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {4AB095A1-548E-12DE-5043-12776CBB1D37} - hxxp://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {4C272F3C-6BFC-43B1-D64E-0D913351A92B} - hxxp://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {54EF1F42-F7F9-430A-72AD-792F09346731} - hxxp://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {662A6B83-904C-475A-5312-0CCE564AE24D} - hxxp://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {666CF7A8-46D3-6C42-2C50-3FD1159ADFDC} - hxxp://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {667F0743-FE92-623E-2FCE-249915FFE118} - hxxp://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {68B42CE2-5A45-65D7-64AE-545F45503A49} - hxxp://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {6ABBBBD9-FE97-46B7-C25E-0C922C8B52D4} - hxxp://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {6B80D865-36AE-3ADD-1779-79925976386E} - hxxp://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {76595F7B-B76F-635F-77D3-2BCE6F5996AF} - hxxp://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {787F1AB1-8EF1-5709-91A8-0FCA0C0F52C7} - hxxp://69.50.182.94/1/rdgDK994.exe
O16 - DPF: {7A8C576C-4D35-7CCB-2655-780628C35705} - hxxp://69.50.182.94/1/rdgDK896.exe

Close all browsers and open windows (This is important to complete the fix) except HJT and click Fix Checked

Enable show hidden files and folders:

Windows XP

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Reboot into Safe Mode, you can do this by tapping on the F8 key while your system starts up. This will take a little longer to boot up so be patient.

Search your system and remove the following folders/files if found.

C:\WINDOWS\system32\pd7.exe<-- File
C:\programmer\180solutions\sais.exe<-- Folder
C:\WINDOWS\qtobsx.exe<-- File
C:\WINDOWS\system32\pd7.exe<--File
C:\PROGRA~1\COMMON~1\ukoz\ukozm.exe<-- Folder

Delete temp files

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Navigate to the C:\Windows\Prefetch folder. Open the Prefetch folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Prefetch folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin.

Reboot normally and post back a new HJT log by using "Add Reply"

Thanks,
rstones12
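The replies above pick out the same three kinds of HijackThis entries each time: an O1 hosts-file override that sends well-known domains to a foreign IP, O4 Run keys whose binary borrows a core Windows process name (winlogon.exe) while living outside System32 or sits loose in the Windows folder under a random name, and O16 DPF objects pulled as bare .exe files from a raw IP address with no registered description. The helper also defangs URLs before posting them (http becomes hxxp). The script below is an added example written for this page, not code from the thread, from HijackThis or from Geeks to Go; the heuristics, the allowlist of core process names and the `Finding` type are constructed for illustration, and the sample lines are copied from the logs posted above.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread).

Applies simple defender-side heuristics to O1 / O4 / O16 entries and defangs
URLs in the report so it can be pasted into a forum post safely.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines copied from the logs posted in this thread (constructed selection).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-paga.com/10039/
O1 - Hosts: 69.50.177.254 google.com www.google.com www.gooogle.com gooogle.com
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inetdata\winlogon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [yvwlqbqj] C:\WINDOWS\yvwlqbqj.exe
O16 - DPF: {0DB0D457-EF33-11D6-51A0-1D090E0403B7} - http://69.50.182.94/1/rdgDK896.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
"""

WINDIR = r"c:\windows"
SYSTEM32 = r"c:\windows\system32"
# Core Windows process names that malware commonly borrows (constructed allowlist).
CORE_PROCESS_NAMES = {"winlogon.exe", "services.exe", "lsass.exe", "svchost.exe", "smss.exe", "csrss.exe"}

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
O1_RE = re.compile(r"^Hosts: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<hosts>.+)$")
O4_RE = re.compile(r'^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] "?(?P<path>[^"]+?\.exe)"?(?P<args>.*)$', re.IGNORECASE)
O16_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
URL_HOST_RE = re.compile(r"^https?://(?P<host>[^/:]+)", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # why the entry deserves a second look
    line: str      # the original log line


def defang(text: str) -> str:
    """Neutralise URLs for pasting: http:// -> hxxp://, as the helper did in the replies."""
    return re.sub(r"(?i)\bhttp(s?)://", r"hxxp\1://", text)


def triage_line(raw: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None when no heuristic fires."""
    line = raw.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    section, body = m.group("section"), m.group("body")

    if section == "O1":  # hosts-file override: anything not loopback is a redirect
        h = O1_RE.match(body)
        if h and not h.group("ip").startswith("127."):
            names = ", ".join(h.group("hosts").split())
            return Finding(section, f"hosts file maps {names} to {h.group('ip')}", line)

    if section == "O4":  # autostart Run key
        r = O4_RE.match(body)
        if r:
            folder, _, exe = r.group("path").lower().rpartition("\\")
            if exe in CORE_PROCESS_NAMES and folder != SYSTEM32:
                return Finding(section, f"{exe} is a core Windows process name but runs from {folder}", line)
            if folder == WINDIR:
                return Finding(section, f"autostart executable placed directly in {WINDIR}", line)

    if section == "O16":  # downloaded program file (ActiveX object)
        d = O16_RE.match(body)
        if d:
            url = d.group("url")
            host = URL_HOST_RE.match(url)
            reasons = []
            if host and IPV4_RE.match(host.group("host")):
                reasons.append("downloaded from a bare IP address")
            if url.lower().endswith(".exe"):
                reasons.append("object is a raw .exe rather than a .cab/.ocx package")
            if d.group("desc") is None:
                reasons.append("no description registered")
            if reasons:
                return Finding(section, "; ".join(reasons), line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line of a log and keep the hits, in log order."""
    return [f for f in map(triage_line, log_text.strip().splitlines()) if f is not None]


def report(log_text: str) -> str:
    """Human-readable, defanged summary suitable for posting back to a thread."""
    rows = [f"[{f.section}] {f.reason}\n    {defang(f.line)}" for f in triage(log_text)]
    return "\n".join(rows) if rows else "no entries matched the heuristics"


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The heuristics are deliberately narrow: a hosts entry for a public domain that points anywhere but loopback, a binary that impersonates a system process from the wrong directory, and an ActiveX download that is a bare executable from an IP literal are each strong enough on their own to warrant a look, while the missing-description check on O16 is only a supporting signal and is reported alongside the others.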
