Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

rundll error i ran hijackthis [RESOLVED]


  • This topic is locked This topic is locked

#1
gershuni8

gershuni8

    Member

  • Member
  • PipPip
  • 19 posts
:tazz:
I think it is slowing down my computer (laptop) and also messing with my internet access. PLEASE HELP. thank you very much.


Logfile of HijackThis v1.99.1
Scan saved at 1:14:12 PM, on 3/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\java.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\bqqouey.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\System32\dbnaccrc.exe
C:\WINDOWS\System32\dderslvr.exe
c:\program files\180solutions\sais.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Gershon\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Gershon\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: (no name) - {FF7AFA4F-FC8F-4604-BB42-C7492DC282C0} - C:\WINDOWS\System32\lbpn.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [AXrf] C:\WINDOWS\bqqouey.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\DOCUME~1\Gershon\LOCALS~1\Temp\cxtpls_loader.exe" /PC=CP.IST /ForSupportedBrowsers /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [rajetax] C:\WINDOWS\rajetax.exe
O4 - HKLM\..\Run: [rs5g34U] dderslvr.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [aBumRQY3V] dbnaccrc.exe
O4 - Startup: eTomi Pro On Startup.lnk = C:\Program Files\eTomiPro\Gui\etomipro.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c9.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolba...006_regular.cab
O18 - Filter: text/html - {2DDD95DC-AD53-4797-A51C-C98F382D7821} - C:\WINDOWS\System32\lbpn.dll
O18 - Filter: text/plain - {2DDD95DC-AD53-4797-A51C-C98F382D7821} - C:\WINDOWS\System32\lbpn.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

Advertisements


#2
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Welcome to Geeks to Go!
If you still need help with your system, please post a new HiJackthis log.
  • 0

#3
gershuni8

gershuni8

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Logfile of HijackThis v1.99.1
Scan saved at 1:22:21 PM, on 4/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\bqqouey.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\program files\180solutions\sais.exe
C:\WINDOWS\System32\dderslvr.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\Ziaz\Bbeez.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\windows\system32\bdjmue.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\webHancer\Programs\whSurvey.exe
C:\windows\system32\calc.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\Program Files\OutLaster\shhost.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\webHancer\Programs\whAgent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\AOL\111227~1\EE\AOLHOS~1.EXE
C:\WINDOWS\System32\dbnaccrc.exe
C:\PROGRA~1\COMMON~1\AOL\111227~1\EE\AOLServiceHost.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\WINDOWS\System32\zey3l6a.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Gershon\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Gershon\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 66.38.215.115 kazza.com
O1 - Hosts: 66.38.215.115 www.kazza.com
O1 - Hosts: 66.38.215.115 kaza.com
O1 - Hosts: 66.38.215.115 www.kaza.com
O1 - Hosts: 66.38.215.115 kaaza.com
O1 - Hosts: 66.38.215.115 www.kaaza.com
O1 - Hosts: 66.38.215.115 kahza.com
O1 - Hosts: 66.38.215.115 www.kahza.com
O1 - Hosts: 66.38.215.115 edonkey.com
O1 - Hosts: 66.38.215.115 www.edonkey.com
O1 - Hosts: 66.38.215.115 emule.com
O1 - Hosts: 66.38.215.115 www.emule.com
O1 - Hosts: 66.38.215.115 suprnova.com
O1 - Hosts: 66.38.215.115 www.suprnova.com
O1 - Hosts: 64.124.166.37 klite.com
O1 - Hosts: 64.124.166.37 www.klite.com
O1 - Hosts: 64.124.166.37 k-lite.com
O1 - Hosts: 64.124.166.37 www.k-lite.com
O1 - Hosts: 64.124.166.37 www.kazzalite.com
O1 - Hosts: 64.124.166.37 kazalite.com
O1 - Hosts: 64.124.166.37 www.kazalite.com
O1 - Hosts: 64.124.166.37 kaazalite.com
O1 - Hosts: 64.124.166.37 www.kaazalite.com
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\i6dcq0j.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: (no name) - {FF7AFA4F-FC8F-4604-BB42-C7492DC282C0} - C:\WINDOWS\System32\lbpn.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [AXrf] C:\WINDOWS\bqqouey.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\DOCUME~1\Gershon\LOCALS~1\Temp\cxtpls_loader.exe" /PC=CP.IST /ForSupportedBrowsers /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [rajetax] C:\WINDOWS\rajetax.exe
O4 - HKLM\..\Run: [rs5g34U] dderslvr.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1112278956\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Vrrosba] C:\Program Files\Ziaz\Bbeez.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Gershon\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [bdjmue] c:\windows\system32\bdjmue.exe
O4 - HKLM\..\Run: [morphstb] C:\WINDOWS\morphstb.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [shhost] C:\Program Files\OutLaster\shhost.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\RunOnce: [xhagqy.exe] C:\WINDOWS\System32\xhagqy.exe /k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [aBumRQY3V] dbnaccrc.exe
O4 - HKCU\..\RunOnce: [xhagqy.exe] C:\WINDOWS\System32\xhagqy.exe /k
O4 - Startup: iMesh.lnk = C:\Program Files\iMesh\Client\iMeshClient.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by WebHancer
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c9.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolba...006_regular.cab
O18 - Filter: text/html - {2DDD95DC-AD53-4797-A51C-C98F382D7821} - C:\WINDOWS\System32\lbpn.dll
O18 - Filter: text/plain - {2DDD95DC-AD53-4797-A51C-C98F382D7821} - C:\WINDOWS\System32\lbpn.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#4
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Please go to Start > Control Panel > Add or Remove Programs and remove the following programs:

New.Net (anything that says New.Net)
WebHancer

Post a new HiJackThis log.
  • 0

#5
gershuni8

gershuni8

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Logfile of HijackThis v1.99.1
Scan saved at 9:01:42 AM, on 4/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\bqqouey.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\program files\180solutions\sais.exe
C:\WINDOWS\rajetax.exe
C:\WINDOWS\System32\dderslvr.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\Ziaz\Bbeez.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\windows\system32\bdjmue.exe
C:\PROGRA~1\COMMON~1\AOL\111227~1\EE\AOLHOS~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\OutLaster\shhost.exe
C:\windows\system32\calc.exe
C:\WINDOWS\System32\dbnaccrc.exe
C:\PROGRA~1\COMMON~1\AOL\111227~1\EE\AOLServiceHost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Gershon\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Gershon\LOCALS~1\Temp\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 66.38.215.115 kazza.com
O1 - Hosts: 66.38.215.115 www.kazza.com
O1 - Hosts: 66.38.215.115 kaza.com
O1 - Hosts: 66.38.215.115 www.kaza.com
O1 - Hosts: 66.38.215.115 kaaza.com
O1 - Hosts: 66.38.215.115 www.kaaza.com
O1 - Hosts: 66.38.215.115 kahza.com
O1 - Hosts: 66.38.215.115 www.kahza.com
O1 - Hosts: 66.38.215.115 edonkey.com
O1 - Hosts: 66.38.215.115 www.edonkey.com
O1 - Hosts: 66.38.215.115 emule.com
O1 - Hosts: 66.38.215.115 www.emule.com
O1 - Hosts: 66.38.215.115 suprnova.com
O1 - Hosts: 66.38.215.115 www.suprnova.com
O1 - Hosts: 64.124.166.37 klite.com
O1 - Hosts: 64.124.166.37 www.klite.com
O1 - Hosts: 64.124.166.37 k-lite.com
O1 - Hosts: 64.124.166.37 www.k-lite.com
O1 - Hosts: 64.124.166.37 www.kazzalite.com
O1 - Hosts: 64.124.166.37 kazalite.com
O1 - Hosts: 64.124.166.37 www.kazalite.com
O1 - Hosts: 64.124.166.37 kaazalite.com
O1 - Hosts: 64.124.166.37 www.kaazalite.com
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\i6dcq0j.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FF7AFA4F-FC8F-4604-BB42-C7492DC282C0} - C:\WINDOWS\System32\lbpn.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [AXrf] C:\WINDOWS\bqqouey.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\DOCUME~1\Gershon\LOCALS~1\Temp\cxtpls_loader.exe" /PC=CP.IST /ForSupportedBrowsers /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [rajetax] C:\WINDOWS\rajetax.exe
O4 - HKLM\..\Run: [rs5g34U] dderslvr.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1112278956\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Vrrosba] C:\Program Files\Ziaz\Bbeez.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Gershon\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [bdjmue] c:\windows\system32\bdjmue.exe
O4 - HKLM\..\Run: [morphstb] C:\WINDOWS\morphstb.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [shhost] C:\Program Files\OutLaster\shhost.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\RunOnce: [xhagqy.exe] C:\WINDOWS\System32\xhagqy.exe /k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [aBumRQY3V] dbnaccrc.exe
O4 - HKCU\..\RunOnce: [xhagqy.exe] C:\WINDOWS\System32\xhagqy.exe /k
O4 - Startup: iMesh.lnk = C:\Program Files\iMesh\Client\iMeshClient.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c9.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolba...006_regular.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{579E374A-2A26-49C1-8DAD-8DE927AD5C53}: NameServer = 205.188.146.145
O18 - Filter: text/html - {2DDD95DC-AD53-4797-A51C-C98F382D7821} - C:\WINDOWS\System32\lbpn.dll
O18 - Filter: text/plain - {2DDD95DC-AD53-4797-A51C-C98F382D7821} - C:\WINDOWS\System32\lbpn.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#6
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Ok, let's get a few things out of the way so I can see what I'm doing better...

Please print these instructions before continuing!

Make sure you are disconnected from the Internet and that all programs and windows are closed. Place a check next to these items and click FIX CHECKED:

O1 - Hosts: 66.38.215.115 kazza.com
O1 - Hosts: 66.38.215.115 www.kazza.com
O1 - Hosts: 66.38.215.115 kaza.com
O1 - Hosts: 66.38.215.115 www.kaza.com
O1 - Hosts: 66.38.215.115 kaaza.com
O1 - Hosts: 66.38.215.115 www.kaaza.com
O1 - Hosts: 66.38.215.115 kahza.com
O1 - Hosts: 66.38.215.115 www.kahza.com
O1 - Hosts: 66.38.215.115 edonkey.com
O1 - Hosts: 66.38.215.115 www.edonkey.com
O1 - Hosts: 66.38.215.115 emule.com
O1 - Hosts: 66.38.215.115 www.emule.com
O1 - Hosts: 66.38.215.115 suprnova.com
O1 - Hosts: 66.38.215.115 www.suprnova.com
O1 - Hosts: 64.124.166.37 klite.com
O1 - Hosts: 64.124.166.37 www.klite.com
O1 - Hosts: 64.124.166.37 k-lite.com
O1 - Hosts: 64.124.166.37 www.k-lite.com
O1 - Hosts: 64.124.166.37 www.kazzalite.com
O1 - Hosts: 64.124.166.37 kazalite.com
O1 - Hosts: 64.124.166.37 www.kazalite.com
O1 - Hosts: 64.124.166.37 kaazalite.com
O1 - Hosts: 64.124.166.37 www.kaazalite.com


Please download the programs listed below, but do not run them yet:

1) About:Buster:
*Download it and extract it to C:/aboutbuster.
*Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
*Click "OK" at the prompt with instructions.
*Click "Update" and then "Check For Update" to begin the update process.
*If any updates exist please download them by clicking "Download Update".
*You should not run the program yet so click "Exit".
2) CleanUp! - Download it and install it.
3) CWShredder - Download it and save it to your desktop.
4) Ad-Aware - Download, install, and update After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run a scan. Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".

Reboot your computer into Safe Mode. You can do this by restarting your computer and continuously tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Run CWShredder
-Next, click on the: ‘Fix’ button
-Follow the prompts, and press OK

Run AboutBuster and save the logs
*Browse to where you saved AboutBuster and run AboutBuster.exe.
*Click "OK" at the directions Read: Important! prompt.
*Click "Start" and then "OK" to allow AboutBuster to scan for Alternate Data Streams.
*Click "Yes" at the About:Buster prompt to allow it to shutdown explorer.exe.
*Please wait while AboutBuster scans your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
*When it has finished, click "Save Log...". Make sure you save it as I will need a copy of it.
Click "Exit" and "Exit" again to exit AboutBuster.

Run CleanUp!
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run Ad-Aware
Reconfigure Ad-Aware for Full Scan as per the following instructions:
In the Ad-Aware main window, click on the gear icon at the top of the screen to open the preferences window. In the "General" window, make sure the following options are selected:
1) Automatically save log-file
2) Automatically quarantine objects prior to removal
3) Safe Mode (always request confirmation)

Click the "Scanning" button on the left-hand side and make sure the following options are selected:
1) Scan within archives
2) Scan active processes
3) Scan registry
4) Deep scan registry
4) Scan my IE Favorites for banned URLs
5) Scan my Hosts file

Please also click on "Select drives & folders to scan" and select your hard drive(s). Then click the "Advanced" button on the left-hand side and make sure all the options under "Log-file Detail Level" are selected. Next, click the "Tweak" button on the left-hand side. Click on "Scanning Engine" and make sure the following options are selected:
1) Unload recognized processes & modules during scanning
2) Obtain command line of scanned processes
3) Scan registry for all users instead of current user only

Click on "Cleaning Engine" and make sure the following options are selected:
1) Always try to unload modules before deletion
2) During removal, unload Explorer and IE if necessary
3) Let Windows remove files in use at next reboot
4) Delete quarantined objects after restoring

Finally, click on "Safety Settings" and make sure the following options are selected:
1) Automatically select problematic objects in results lists
2) Write-protect system files after repair (Hosts file, etc)

Click on "Proceed" to save the preferences. Then please click the "Start" button on the bottom left side to begin a scan. Select "Use custom scanning options" and then click "Next". Ad-Aware will then scan for malware. When it is finished, make sure any objects listed in RED are selected and click "Next" to remove the objects.

Reboot in normal mode.

Please run BOTH of these online virus scans:
TrendMicro's HouseCall - check "Auto Clean"
ActiveScan

Save the results from ActiveScan and paste them here along with a new HiJackThis log.

Then we will finish cleaning your system.
  • 0

#7
gershuni8

gershuni8

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
This is the active scan results:

Incident Status Location

Adware:Adware/Adtomi No disinfected C:\Documents and Settings\Gershon\Local Settings\Temp\75g3v.sys
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\GMT\GMT.exe
Adware:Adware/Adtomi No disinfected C:\Program Files\HijackThis\backups\backup-20050329-115239-479.dll
Adware:Adware/InstaFinder No disinfected C:\Program Files\INSTAFINK\InstaFinderK_inst.exe
Adware:Adware/InstaFinder No disinfected C:\Program Files\INSTAFINK\instafink.dll
Adware:Adware/WinAD No disinfected C:\Program Files\Media Access\MediaAccC.dll
Adware:Adware/WinAD No disinfected C:\Program Files\Media Access\MediaAccess.exe
Adware:Adware/WinAD No disinfected C:\Program Files\Media Access\MediaAccK.exe
Virus:Trj/Downloader.BHO Disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\4567B31A-2032-446A-BF5F-1185C1\4386D6E8-7E25-487D-B273-353CBA
Virus:Trj/Downloader.BHO Disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\A93DEF66-C463-43C2-953A-36206A\F71A8553-B975-4E8F-B828-05CB5A
Virus:Trj/Downloader.BHO Disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\F864F94B-7260-457E-ACF9-29E574\E4DE346C-29AC-4B87-88FA-41F632
Virus:Trj/Downloader.QH No disinfected C:\Program Files\OutLaster\shhost.exe
Spyware:Spyware/Dyfuca No disinfected C:\Program Files\Ziaz\Bbeez.exe
Adware:Adware/Adtomi No disinfected C:\WINDOWS\75g3v.sys
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\bqqouey.exe
Adware:Adware/WinAD No disinfected C:\WINDOWS\Downloaded Program Files\MediaAccX.dll
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\Downloaded Program Files\ysbactivex.dll
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\ceres.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\farmmext.inf
Adware:Adware/WebHancer No disinfected C:\WINDOWS\LastGood\whAgent.inf
Virus:Trj/Downloader.BHM Disinfected C:\WINDOWS\msxmidi.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_38.exe
Adware:Adware/Adtomi No disinfected C:\WINDOWS\system32\75g3v.sys
Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\dbnaccrc.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\dderslvr.exe
Adware:Adware/Adtomi No disinfected C:\WINDOWS\system32\i6dcq0j.dll
Virus:Trj/Downloader.BHM Disinfected C:\WINDOWS\system32\init32m.exe
Virus:Trj/Downloader.BHO Disinfected C:\WINDOWS\system32\spoolsrv32.exe
Adware:Adware/Adtomi No disinfected C:\WINDOWS\system32\xhagqy.exe
Adware:Adware/StartPage.DE No disinfected C:\WINDOWS\Web\desktop.html
-----------------------------------------------------------------------------------------------
This is the new Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:36:30 PM, on 4/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\dderslvr.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Ziaz\Bbeez.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\dbnaccrc.exe
C:\PROGRA~1\COMMON~1\AOL\111227~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\111227~1\EE\AOLServiceHost.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Gershon\LOCALS~1\Temp\se.dll/spage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL
O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\i6dcq0j.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [AXrf] C:\WINDOWS\bqqouey.exe
O4 - HKLM\..\Run: [rs5g34U] dderslvr.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1112278956\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Vrrosba] C:\Program Files\Ziaz\Bbeez.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunOnce: [xhagqy.exe] C:\WINDOWS\System32\xhagqy.exe /k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [aBumRQY3V] dbnaccrc.exe
O4 - HKCU\..\RunOnce: [xhagqy.exe] C:\WINDOWS\System32\xhagqy.exe /k
O4 - Startup: iMesh.lnk = C:\Program Files\iMesh\Client\iMeshClient.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c9.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{579E374A-2A26-49C1-8DAD-8DE927AD5C53}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Thank you so much for all your help.
Gershuni8
PS: I wanted to know how to delete the adultsearch toolbar in internet explorer.
  • 0

#8
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
I will review your log and be back as soon as possible. In the meantime, I recommend removing the p2p program from your computer (imesh) otherwise we may see you back here shortly after we get you clean...but it's your computer - just my recommendation. :tazz:
  • 0

#9
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Please follow these instructions exactly! I recommend printing this page and putting a check next to each file path after they are put into Killbox so that you do not miss any!

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure! I would just copy each file path and paste it in the field):

C:\WINDOWS\system32\dbnaccrc.exe
C:\WINDOWS\system32\xhagqy.exe
C:\Documents and Settings\Gershon\Local Settings\Temp\75g3v.sys
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\HijackThis\backups\backup-20050329-115239-479.dll
C:\Program Files\INSTAFINK\InstaFinderK_inst.exe
C:\Program Files\INSTAFINK\instafink.dll
C:\Program Files\Media Access\MediaAccC.dll
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\OutLaster\shhost.exe
C:\Program Files\Ziaz\Bbeez.exe
C:\WINDOWS\75g3v.sys
C:\WINDOWS\bqqouey.exe
C:\WINDOWS\Downloaded Program Files\MediaAccX.dll
C:\WINDOWS\Downloaded Program Files\ysbactivex.dll
C:\WINDOWS\inf\ceres.inf
C:\WINDOWS\inf\farmmext.inf
C:\WINDOWS\LastGood\whAgent.inf
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\system32\75g3v.sys
C:\WINDOWS\system32\dderslvr.exe
C:\WINDOWS\system32\i6dcq0j.dll
C:\WINDOWS\Web\desktop.html


Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered press the YES button at both prompts so that your computer restarts.

Post a new HiJackThis log.
  • 0

#10
gershuni8

gershuni8

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Logfile of HijackThis v1.99.1
Scan saved at 2:35:29 AM, on 4/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\COMMON~1\AOL\111227~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\111227~1\EE\AOLServiceHost.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Gershon\LOCALS~1\Temp\se.dll/spage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL (file missing)
O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\i6dcq0j.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [AXrf] C:\WINDOWS\bqqouey.exe
O4 - HKLM\..\Run: [rs5g34U] dderslvr.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1112278956\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Vrrosba] C:\Program Files\Ziaz\Bbeez.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [aBumRQY3V] dbnaccrc.exe
O4 - Startup: iMesh.lnk = C:\Program Files\iMesh\Client\iMeshClient.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c9.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

Advertisements


#11
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Press CTRL ALT DELETE and end the following process:

istsvc.exe

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

ISTsvc (IST bar)
Media Access


Then, Make sure you are disconnected from the Internet and that all programs and windows are closed. Place a check next to the following items, if found, and click FIX CHECKED:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Gershon\LOCALS~1\Temp\se.dll/spage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL (file missing)
O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\i6dcq0j.dll (file missing)

O4 - HKLM\..\Run: [AXrf] C:\WINDOWS\bqqouey.exe
O4 - HKLM\..\Run: [rs5g34U] dderslvr.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Vrrosba] C:\Program Files\Ziaz\Bbeez.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [aBumRQY3V] dbnaccrc.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c9.cab


*IMPORTANT* CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES

Reboot your computer into Safe Mode. You can do this by restarting your computer and continuously tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. Make sure you can view hidden files.

Using Windows Explorer (not by "search") Delete the following items, if found (in bold):

C:\Windows\dbnaccrc.exe
C:\Program Files\ISTsvc <-Folder
C:\Program Files\Ziaz <-Folder
C:\Program Files\Media Access <-Folder
C:\WINDOWS\bqqouey.exe
C:\WINDOWS\dderslvr.exe
C:\WINDOWS\system32\i6dcq0j.dll
C:\Documents and Settings\Gershon\Local Settings\Temp\se.dll

Reboot into normal mode and post a new HiJackThis log.
  • 0

#12
gershuni8

gershuni8

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
Logfile of HijackThis v1.99.1
Scan saved at 5:28:04 PM, on 4/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\PROGRA~1\COMMON~1\AOL\111227~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\111227~1\EE\AOLServiceHost.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1112278956\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b
O4 - Startup: iMesh.lnk = C:\Program Files\iMesh\Client\iMeshClient.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#13
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
How is it running??
  • 0

#14
gershuni8

gershuni8

    Member

  • Topic Starter
  • Member
  • PipPip
  • 19 posts
I think everything is fixed. Thank you so much. I really appreciate all of your time and help.
Gershuni8 :tazz:
  • 0

#15
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
You're welcome!

Congratulations your log is clean! Great job on the clean up :tazz:

I recommend checking the http://www.microsoft.com website periodically for critical updates to install.

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Ewido Security Suite <= Protection against Trojans, Worms, Dialers, Hijackers, Spyware, and Keyloggers.

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program<= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kapersky, this is a must have.
  • Firewall<= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP