Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

I think i have a virus hotoffers?/stealth? [RESOLVED]


  • This topic is locked This topic is locked

#1
lgcmjc1

lgcmjc1

    Member

  • Member
  • PipPip
  • 17 posts
I think i have a virus on my computer. I did all the things on the list before i made this post. my computer has been basically taken over by hotoffers or globolook.com, and i can not get rid of it. I have included my log file, please help me my kids can't use the computer because of the pictures that pop-up. I aslo have about 20 icons i can not seem to get rid of as well.

Thank you for your time in advance

lgcmjc1

Logfile of HijackThis v1.99.1
Scan saved at 7:08:47 PM, on 4/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\ap9h4qmo.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\COMMON~1\AOL\110535~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110535~1\EE\AOLServiceHost.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wuauclt.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Documents and Settings\Owner.HPPAV\My Documents\Z-Files\HijackThis.exe
C:\Program Files\Microsoft Works\WksWP.exe
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\Microsoft Works\wkgdcach.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {008DB894-99ED-445D-8547-0E7C9808898D} - C:\WINDOWS\MSLAGENT\4B_1,0,1,2_MSLAGENT.DLL (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\PROGRAM FILES\KONTIKI\BIN\BH309190.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsr8DB.dll
O2 - BHO: (no name) - {FFFFDA2C-A0D5-4D60-8EE1-1B7F8929E24D} - C:\Program Files\Lycos\sst.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL
O3 - Toolbar: MBKWBar - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - C:\Program Files\MBKWBar\IEToolBar.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CTPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1105356807\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
O4 - HKLM\..\Run: [cietkc] c:\windows\system32\cietkc.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [cnet] "C:\PROGRAM FILES\KONTIKI\BIN\Kontiki.exe" -s cnet -q
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Owner.HPPAV\Local Settings\Temp\{37D8C966-253B-4238-B3B9-D9230357A2DF}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: POWERR~2.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Get It With Kontiki - res://C:\PROGRAM FILES\KONTIKI\BIN\BH309190.DLL/201
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: Blackjack by pogo - http://game1.pogo.co...k-ob-assets.cab
O16 - DPF: WordJong by pogo - http://wordjong.pogo...g-ob-assets.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webi...Q/bin/WebIQ.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://www.getdway.c.../dpcsysinfo.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.a...,20/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...4.21/ttinst.cab
O16 - DPF: {D7B59209-0ED9-4986-BD4A-527BE836C6B2} - http://akamai.downlo...ERVICE_1045.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.aol....ne/aolcinst.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D5106B0-FA3E-489B-BA19-5415F4E21995}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GeeksToGo.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Reboot into Safe Mode by hitting the F8 key until menu shows up. In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click 'Kill process' for each one if they are still listed (they shouldn't be - but double check):

C:\WINDOWS\System32\ap9h4qmo.exe

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Lycos
MBKWBar
MSLAgent
EbatesMoeMoneyMaker

WeatherBug - it's adware. If you didn't install this yourself, uninstall it. If you did install it yourself, you may keep it and ignore any fixes/deletions listed below.


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {008DB894-99ED-445D-8547-0E7C9808898D} - C:\WINDOWS\MSLAGENT\4B_1,0,1,2_MSLAGENT.DLL (file missing)
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsr8DB.dll
O2 - BHO: (no name) - {FFFFDA2C-A0D5-4D60-8EE1-1B7F8929E24D} - C:\Program Files\Lycos\sst.dll (file missing)
O3 - Toolbar: MBKWBar - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - C:\Program Files\MBKWBar\IEToolBar.dll
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
O4 - HKLM\..\Run: [cietkc] c:\windows\system32\cietkc.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Owner.HPPAV\Local Settings\Temp\{37D8C966-253B-4238-B3B9-D9230357A2DF}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: POWERR~2.EXE
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\System32\ap9h4qmo.exe
C:\WINDOWS\MSLAGENT\
C:\WINDOWS\System32\nsr8DB.dll
C:\Program Files\Lycos\
C:\Program Files\MBKWBar\
C:\WINDOWS\System32\gah95on6.exe
c:\windows\system32\cietkc.exe
C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\
C:\Program Files\AWS\ - only if you uninstalled WeatherBug


Reboot into Normal Mode run a new HijackThis scan. Save the log file and post it here.
  • 0

#3
lgcmjc1

lgcmjc1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
I followed your list. HijackThis would not remove R0-HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.hotoffers.info/as0278/ I would check it and it would keep coming back in the scans.

As far as the Deleting files/folders only one i waas able to delete (C:\Program Files\MBKWBar\). The others were either not allowed or could not find, or could be on hard drive.

Here is a current log file from HijacThis

Logfile of HijackThis v1.99.1
Scan saved at 6:27:48 AM, on 4/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\COMMON~1\AOL\110535~1\EE\AOLHOS~1.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\PROGRA~1\COMMON~1\AOL\110535~1\EE\AOLServiceHost.exe
C:\WINDOWS\System32\wuauclt.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Documents and Settings\Owner.HPPAV\My Documents\Z-Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\PROGRAM FILES\KONTIKI\BIN\BH309190.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CTPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1105356807\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [cnet] "C:\PROGRAM FILES\KONTIKI\BIN\Kontiki.exe" -s cnet -q
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Get It With Kontiki - res://C:\PROGRAM FILES\KONTIKI\BIN\BH309190.DLL/201
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O16 - DPF: Blackjack by pogo - http://game1.pogo.co...k-ob-assets.cab
O16 - DPF: WordJong by pogo - http://wordjong.pogo...g-ob-assets.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webi...Q/bin/WebIQ.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://www.getdway.c.../dpcsysinfo.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.a...,20/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...4.21/ttinst.cab
O16 - DPF: {D7B59209-0ED9-4986-BD4A-527BE836C6B2} - http://akamai.downlo...ERVICE_1045.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.aol....ne/aolcinst.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D5106B0-FA3E-489B-BA19-5415F4E21995}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thank you again for your help
  • 0

#4
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, we will need to use a program to delete those that you can't delete.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

c:\windows\system32\systr.dll
c:\windows\system32\param32.dll

Now I want you to copy and paste all those files I asked you to delete before which you can't and try deleting it using KillBox.

Check and fix this in HijackThis:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/


The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Restart and post a new log.
  • 0

#5
lgcmjc1

lgcmjc1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
I was still not able to delete R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/ from HiJack this.

But here is the new log you requested. I believe everything else worked.

Logfile of HijackThis v1.99.1
Scan saved at 8:34:45 PM, on 4/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\PROGRA~1\COMMON~1\AOL\110535~1\EE\AOLHOS~1.EXE
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\COMMON~1\AOL\110535~1\EE\AOLServiceHost.exe
C:\WINDOWS\System32\wuauclt.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Documents and Settings\Owner.HPPAV\My Documents\Z-Files\HijackThis.exe
C:\PROGRA~1\AMERIC~1.0A\waol.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AMERIC~1.0A\shellmon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\PROGRAM FILES\KONTIKI\BIN\BH309190.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CTPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1105356807\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [cnet] "C:\PROGRAM FILES\KONTIKI\BIN\Kontiki.exe" -s cnet -q
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Get It With Kontiki - res://C:\PROGRAM FILES\KONTIKI\BIN\BH309190.DLL/201
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O16 - DPF: Blackjack by pogo - http://game1.pogo.co...k-ob-assets.cab
O16 - DPF: WordJong by pogo - http://wordjong.pogo...g-ob-assets.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webi...Q/bin/WebIQ.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://www.getdway.c.../dpcsysinfo.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.a...,20/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...4.21/ttinst.cab
O16 - DPF: {D7B59209-0ED9-4986-BD4A-527BE836C6B2} - http://akamai.downlo...ERVICE_1045.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.aol....ne/aolcinst.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thank you again for all the help
  • 0

#6
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK. Do the following now:

Download StartDreck http://www.greyknigh.../StartDreck.zip

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.

Let's use a program to scan for any trojans that may exist. Download TDS-3 http://tds.diamondcs...p?page=download. Learn how to use it at http://tds.diamondcs...?page=easytouse. Make sure to update it after you installed it. You can get the manual updates at http://tds.diamondcs...php?page=update. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to 'System Testing' on the menu and choose 'Full System Scan'. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, it will be listed in the bottom window. Please copy and paste that here also if it applies. If you have problems copying the text, look (or search) for a file named scandump.txt and see if that has the alarms - post that here.
  • 0

#7
lgcmjc1

lgcmjc1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Here is the StartDreck log:

StartDreck (build 2.1.7 public stable) - 2005-04-27 @ 04:46:08 (GMT -04:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
Internet Explorer: 6.0.2800.1106
Logged in as Owner at HPPAV

»Registry
»Run Keys
»Current User
»Run
*AIM=C:\Program Files\AIM\aim.exe -cnetwait.odl
*cnet="C:\PROGRAM FILES\KONTIKI\BIN\Kontiki.exe" -s cnet -q
*NvMediaCenter=RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
*AOL Fast Start="C:\Program Files\America Online 9.0a\AOL.EXE" -b
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*RealTray=C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
*CTPDPSRV=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
*NvCplDaemon=RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
*nwiz=nwiz.exe /install
*HostManager=C:\Program Files\Common Files\AOL\1105356807\EE\AOLHostManager.exe
*AOLDialer=C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
*AOL Spyware Protection="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
*QuickTime Task="C:\Program Files\QuickTime\qttask.exe" -atboottime
*Pure Networks Port Magic="C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
*VSOCheckTask="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
*VirusScan Online="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
*MCAgentExe=c:\PROGRA~1\mcafee.com\agent\mcagent.exe
*MCUpdateExe=C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*aolfile_HTM=C:\PROGRA~1\AMERIC~1.0A\aol.exe "%1"
+.html
*aolfile_HTM=C:\PROGRA~1\AMERIC~1.0A\aol.exe "%1"
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Microsoft Windows Media Player/>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
*StubPath=C:\WINDOWS\inf\unregmp2.exe /ShowWMP
+Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
+Browser Customizations/>{9BAF69C4-CDD9-11D3-8166-0050046160C4}S04947
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Windows Messenger/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4395}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+CRLUpdate/{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}
*StubPath=C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
+Power Policy Settings/{CA0A4247-44BE-11d1-A005-00805F8ABE06}
*StubPath=RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf
»Browser Helper Objects (LM)
*YBIOCtrl.CompanionBHO.4/{02478D38-C3F9-4efb-9B51-7695ECA05670}
`InprocServer32=C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
*Zodiac.ZIBho.2/{029CA12C-89C1-46a7-A3C7-82F2F98635CB}
`InprocServer32=C:\PROGRAM FILES\KONTIKI\BIN\BH309190.DLL
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHelper.dll
»Internet Explorer
»Current User
*Local Page=C:\WINDOWS\System32\blank.htm
*Search Bar=http://www.msn.com/access/allinone.htm
*Search Page=http://google.com
*Start Page=http://www.hotoffers.info/ad0278/
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
+SearchUrl
*Provider=yaho
»Default User
*Local Page=C:\WINDOWS\SYSTEM\blank.htm
*Search Bar=
*Search Page=http://www.google.com
*Start Page=http://my.yahoo.com
*SearchAssistant=http://www.google.com
+SearchUrl
*Provider=yaho
»Local Machine
*Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome
*Local Page=C:\WINDOWS\SYSTEM32\blank.htm
*Search Bar=http://www.msn.com/access/allinone.htm
*Search Page=http://google.com
*Start Page=http://msn.com
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
+SearchUrl
»ShellServiceObjectDelayLoad (LM)
*UPnPMonitor={e57ce738-33e8-4c51-8354-bb4de9d215d1}
`InprocServer32=C:\WINDOWS\System32\upnpui.dll
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\System32\stobject.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=Explorer.exe
*Userinit=C:\WINDOWS\system32\userinit.exe,
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Owner.HPPAV\Start Menu\Programs\Startup\desktop.ini
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq A3000 Settings Utility.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout = 30
`default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP Home Edition" /fastdetect
*C:\WINDOWS\msdos.sys
`[Paths]
`WinDir=C:\WINDOWS
`WinBootDir=C:\WINDOWS
`HostWinBootDrv=C
`[Options]
`BootMulti=0
`BootGUI=1
`DoubleBuffer=1
`;
`;The following lines are required for compatibility with other programs.
`;Do not remove them (MSDOS.SYS needs to be >1024 bytes).
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxa
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxb
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxc
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxd
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxe
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxf
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxg
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxh
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxi
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxj
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxk
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxl
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxm
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxn
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxo
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxp
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxq
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxr
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxs
*C:\msdos.sys
`[Paths]
`WinDir=C:\WINDOWS
`WinBootDir=C:\WINDOWS
`HostWinBootDrv=C
`[Options]
`BootMulti=1
`BootGUI=1
`;
`;The following lines are required for compatibility with other programs.
`;Do not remove them (MSDOS.SYS needs to be >1024 bytes).
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxa
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxb
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxc
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxd
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxe
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxf
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxg
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxh
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxi
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxj
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxk
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxl
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxm
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxn
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxo
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxp
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxq
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxr
`;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxs
`AutoScan=1
`WinVer=4.90.3000
*C:\config.sys
*C:\WINDOWS\System32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\WINDOWS\wininit.ini
`[Rename]
`NUL=C:\WINDOWS\System32\THIN-9~2.EXE
`C:\WINDOWS\System32\dsktrf.dll=C:\DOCUME~1\OWNER~1.HPP\LOCALS~1\Temp\WIN32E.tmp
*C:\WINDOWS\winstart.bat
`@C:\WINDOWS\tmpcpyis.bat
*C:\WINDOWS\dosstart.bat
`@echo off
`mscdex.exe /d:IDECD000 /L:M
*C:\WINDOWS\hosts
`217.116.231.7 aimtoday.aol.com
`127.0.0.1 websearch.com
`127.0.0.1 www.websearch.com
`127.0.0.1 advnt01.com
`127.0.0.1 www.advnt01.com
`127.0.0.1 www.xzoomy.com
`127.0.0.1 xzoomy.com
`127.0.0.1 www.adwave.com
`127.0.0.1 adwave.com
`127.0.0.1 topconverting.com
`127.0.0.1 www.topconverting.com
`127.0.0.1 www.ntsearch.com
`127.0.0.1 ntsearch.com
`127.0.0.1 www.incredifind.com
`127.0.0.1 incredifind.com
`127.0.0.1 www.popaware.com
`127.0.0.1 popaware.com
`127.0.0.1 www.revenue.net
`127.0.0.1 revenue.net
`127.0.0.1 www.smileycentral.com
`127.0.0.1 smileycentral.com
`127.0.0.1 www.cafreedom.com
`127.0.0.1 cafreedom.com
`127.0.0.1 www.revenue.net
`127.0.0.1 revenue.net
`127.0.0.1 www.hotbar.com
`127.0.0.1 hotbar.com
`127.0.0.1 websearch.com
`127.0.0.1 www.websearch.com
`127.0.0.1 advnt01.com
`127.0.0.1 www.advnt01.com
`127.0.0.1 www.xzoomy.com
`127.0.0.1 xzoomy.com
`127.0.0.1 www.adwave.com
`127.0.0.1 adwave.com
`127.0.0.1 topconverting.com
`127.0.0.1 www.topconverting.com
`127.0.0.1 www.ntsearch.com
`127.0.0.1 ntsearch.com
`127.0.0.1 www.incredifind.com
`127.0.0.1 incredifind.com
`127.0.0.1 www.popaware.com
`127.0.0.1 popaware.com
`127.0.0.1 www.revenue.net
`127.0.0.1 revenue.net
`127.0.0.1 www.smileycentral.com
`127.0.0.1 smileycentral.com
`127.0.0.1 www.cafreedom.com
`127.0.0.1 cafreedom.com
`127.0.0.1 www.revenue.net
`127.0.0.1 revenue.net
`127.0.0.1 www.hotbar.com
`127.0.0.1 hotbar.com
`127.0.0.1 websearch.com
`127.0.0.1 www.websearch.com
`127.0.0.1 advnt01.com
`127.0.0.1 www.advnt01.com
`127.0.0.1 www.xzoomy.com
`127.0.0.1 xzoomy.com
`127.0.0.1 www.adwave.com
`127.0.0.1 adwave.com
`127.0.0.1 topconverting.com
`127.0.0.1 www.topconverting.com
`127.0.0.1 www.ntsearch.com
`127.0.0.1 ntsearch.com
`127.0.0.1 www.incredifind.com
`127.0.0.1 incredifind.com
`127.0.0.1 www.popaware.com
`127.0.0.1 popaware.com
`127.0.0.1 www.revenue.net
`127.0.0.1 revenue.net
`127.0.0.1 www.smileycentral.com
`127.0.0.1 smileycentral.com
`127.0.0.1 www.cafreedom.com
`127.0.0.1 cafreedom.com
`127.0.0.1 www.revenue.net
`127.0.0.1 revenue.net
`127.0.0.1 www.hotbar.com
`127.0.0.1 hotbar.com
`127.0.0.1 websearch.com
`127.0.0.1 www.websearch.com
`127.0.0.1 advnt01.com
`127.0.0.1 www.advnt01.com
`127.0.0.1 www.xzoomy.com
`127.0.0.1 xzoomy.com
`127.0.0.1 www.adwave.com
`127.0.0.1 adwave.com
`127.0.0.1 topconverting.com
`127.0.0.1 www.topconverting.com
`127.0.0.1 www.ntsearch.com
`127.0.0.1 ntsearch.com
`127.0.0.1 www.incredifind.com
`127.0.0.1 incredifind.com
`127.0.0.1 www.popaware.com
`127.0.0.1 popaware.com
`127.0.0.1 www.revenue.net
`127.0.0.1 revenue.net
`127.0.0.1 www.smileycentral.com
`127.0.0.1 smileycentral.com
`127.0.0.1 www.cafreedom.com
`127.0.0.1 cafreedom.com
`127.0.0.1 www.revenue.net
`127.0.0.1 revenue.net
`127.0.0.1 www.hotbar.com
`127.0.0.1 hotbar.com
`127.0.0.1 websearch.com
`127.0.0.1 www.websearch.com
`127.0.0.1 advnt01.com
`127.0.0.1 www.advnt01.com
`127.0.0.1 www.xzoomy.com
`127.0.0.1 xzoomy.com
`127.0.0.1 www.adwave.com
`127.0.0.1 adwave.com
`127.0.0.1 topconverting.com
`127.0.0.1 www.topconverting.com
`127.0.0.1 www.ntsearch.com
`127.0.0.1 ntsearch.com
`127.0.0.1 www.incredifind.com
`127.0.0.1 incredifind.com
`127.0.0.1 www.popaware.com
`127.0.0.1 popaware.com
`127.0.0.1 www.revenue.net
`127.0.0.1 revenue.net
`127.0.0.1 www.smileycentral.com
`127.0.0.1 smileycentral.com
`127.0.0.1 www.cafreedom.com
`127.0.0.1 cafreedom.com
`127.0.0.1 www.revenue.net
`127.0.0.1 revenue.net
`127.0.0.1 www.hotbar.com
`127.0.0.1 hotbar.com
`127.0.0.1 websearch.com
`127.0.0.1 www.websearch.com
`127.0.0.1 advnt01.com
`127.0.0.1 www.advnt01.com
`127.0.0.1 www.xzoomy.com
`127.0.0.1 xzoomy.com
`127.0.0.1 www.adwave.com
`127.0.0.1 adwave.com
`127.0.0.1 topconverting.com
`127.0.0.1 www.topconverting.com
`127.0.0.1 www.ntsearch.com
`127.0.0.1 ntsearch.com
`127.0.0.1 www.incredifind.com
`127.0.0.1 incredifind.com
`127.0.0.1 www.popaware.com
`127.0.0.1 popaware.com
`127.0.0.1 www.revenue.net
`127.0.0.1 revenue.net
`127.0.0.1 www.smileycentral.com
`127.0.0.1 smileycentral.com
`127.0.0.1 www.cafreedom.com
`127.0.0.1 cafreedom.com
`127.0.0.1 www.revenue.net
`127.0.0.1 revenue.net
`127.0.0.1 www.hotbar.com
`127.0.0.1 hotbar.com
`127.0.0.1 websearch.com
`127.0.0.1 www.websearch.com
`127.0.0.1 advnt01.com
`127.0.0.1 www.advnt01.com
`127.0.0.1 www.xzoomy.com
`127.0.0.1 xzoomy.com
`127.0.0.1 www.adwave.com
`127.0.0.1 adwave.com
`127.0.0.1 topconverting.com
`127.0.0.1 www.topconverting.com
`127.0.0.1 www.ntsearch.com
`127.0.0.1 ntsearch.com
`127.0.0.1 www.incredifind.com
`127.0.0.1 incredifind.com
`127.0.0.1 www.popaware.com
`127.0.0.1 popaware.com
`127.0.0.1 www.revenue.net
`127.0.0.1 revenue.net
`127.0.0.1 www.smileycentral.com
`127.0.0.1 smileycentral.com
`127.0.0.1 www.cafreedom.com
`127.0.0.1 cafreedom.com
`127.0.0.1 www.revenue.net
`127.0.0.1 revenue.net
`127.0.0.1 www.hotbar.com
`127.0.0.1 hotbar.com
`127.0.0.1 websearch.com
`127.0.0.1 www.websearch.com
`127.0.0.1 advnt01.com
`127.0.0.1 www.advnt01.com
`127.0.0.1 www.xzoomy.com
`127.0.0.1 xzoomy.com
`127.0.0.1 www.adwave.com
`127.0.0.1 adwave.com
`127.0.0.1 topconverting.com
`127.0.0.1 www.topconverting.com
`127.0.0.1 www.ntsearch.com
`127.0.0.1 ntsearch.com
`127.0.0.1 www.incredifind.com
`127.0.0.1 incredifind.com
`127.0.0.1 www.popaware.com
`127.0.0.1 popaware.com
`127.0.0.1 www.revenue.net
`127.0.0.1 revenue.net
`127.0.0.1 www.smileycentral.com
`127.0.0.1 smileycentral.com
`127.0.0.1 www.cafreedom.com
`127.0.0.1 cafreedom.com
`127.0.0.1 www.revenue.net
`127.0.0.1 revenue.net
`127.0.0.1 www.hotbar.com
`127.0.0.1 hotbar.com
`127.0.0.1 websearch.com
`127.0.0.1 www.websearch.com
`127.0.0.1 advnt01.com
`127.0.0.1 www.advnt01.com
`127.0.0.1 www.xzoomy.com
`127.0.0.1 xzoomy.com
`127.0.0.1 www.adwave.com
`127.0.0.1 adwave.com
`127.0.0.1 topconverting.com
`127.0.0.1 www.topconverting.com
`127.0.0.1 www.ntsearch.com
`127.0.0.1 ntsearch.com
`127.0.0.1 www.incredifind.com
`127.0.0.1 incredifind.com
`127.0.0.1 www.popaware.com
`127.0.0.1 popaware.com
`127.0.0.1 www.revenue.net
`127.0.0.1 revenue.net
`127.0.0.1 www.smileycentral.com
`127.0.0.1 smileycentral.com
`127.0.0.1 www.cafreedom.com
`127.0.0.1 cafreedom.com
`127.0.0.1 www.revenue.net
`127.0.0.1 revenue.net
`127.0.0.1 www.hotbar.com
`127.0.0.1 hotbar.com
`127.0.0.1 websearch.com
`127.0.0.1 www.websearch.com
`127.0.0.1 advnt01.com
`127.0.0.1 www.advnt01.com
`127.0.0.1 www.xzoomy.com
`127.0.0.1 xzoomy.com
`127.0.0.1 www.adwave.com
`127.0.0.1 adwave.com
`127.0.0.1 topconverting.com
`127.0.0.1 www.topconverting.com
`127.0.0.1 www.ntsearch.com
`127.0.0.1 ntsearch.com
`127.0.0.1 www.incredifind.com
`127.0.0.1 incredifind.com
`127.0.0.1 www.popaware.com
`127.0.0.1 popaware.com
`127.0.0.1 www.revenue.net
`127.0.0.1 revenue.net
`127.0.0.1 www.smileycentral.com
`127.0.0.1 smileycentral.com
`127.0.0.1 www.cafreedom.com
`127.0.0.1 cafreedom.com
`127.0.0.1 www.revenue.net
`127.0.0.1 revenue.net
`127.0.0.1 www.hotbar.com
`127.0.0.1 hotbar.com
*C:\WINDOWS\System32\drivers\etc\hosts
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINDOWS\System32\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\PCDOC.BAT
*C:\WINDOWS\PCDOC.exe
*C:\WINDOWS\Pcdoc.bat
+C:\WINDOWS\System32\notepad.exe
*C:\WINDOWS\NOTEPAD.EXE
+C:\WINDOWS\System32\clspack.exe
*C:\WINDOWS\CLSPACK.EXE
+C:\WINDOWS\System32\setver.exe
*C:\WINDOWS\SETVER.EXE
+C:\WINDOWS\System32\taskman.exe
*C:\WINDOWS\TASKMAN.EXE
+C:\WINDOWS\System32\winhlp32.exe
*C:\WINDOWS\winhlp32.exe
»System/Drivers
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User
  • 0

#8
lgcmjc1

lgcmjc1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
I could not copy and paste the top window in the TSD-3 scan, but here is the scanDump:


Scan Control Dumped @ 09:54:00 27-04-05
Suspicious Filename: Dual extensions
File: c:\windows\pcdoc.bat.pif

Positive identification (DLL): Adware.NewDotNet (dll)
File: c:\program files\common files\aol\aol spyware protection\backup\59557058.asw

Positive identification (DLL): Adware.NewDotNet (dll)
File: c:\program files\common files\aol\aol spyware protection\backup\19434875.asw

Positive identification: Adware.BargainBuddy.h Dropper.a
File: c:\program files\common files\aol\aol spyware protection\backup\19446612.asw

Positive identification: Adware.BargainBuddy.h Dropper.a
File: c:\program files\common files\aol\aol spyware protection\backup\11588022.asw

Positive identification <Adv>: Possible WebDownloader
File: c:\system volume information\_restore{4cab2206-93e8-45bd-8596-7c8f50bde89e}\rp214\a0072721.exe
  • 0

#9
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Run StartDreck with the same options checked like before. Click on each of the following and hit the Delete button in the program:

*Start Page=http://www.hotoffers.info/ad0278/

To make it easier, I suggest doing a search for the above line (in the forum here) so that you have a rough idea of where it's located in the StartDreck program.

Delete all the backups in this folder -> c:\program files\common files\aol\aol spyware protection\backup\

Go to C:\WINDOWS\ and double click on wininit.ini to open it. Delete these lines:

`NUL=C:\WINDOWS\System32\THIN-9~2.EXE
`C:\WINDOWS\System32\dsktrf.dll=C:\DOCUME~1\OWNER~1.HPP\LOCALS~1\Temp\WIN32E.tmp


Save the file and close it.

Delete this file if it exists -> C:\WINDOWS\System32\THIN-9~2.EXE

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Restart and post a new HijackThis log.
  • 0

#10
lgcmjc1

lgcmjc1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
I could not find the file C:\WINDOWS\System32\THIN-9~2.EXE, but everything else seemed to work.

Here is my new log file:


Logfile of HijackThis v1.99.1
Scan saved at 7:59:53 PM, on 4/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\COMMON~1\AOL\110535~1\EE\AOLHOS~1.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\PROGRA~1\COMMON~1\AOL\110535~1\EE\AOLServiceHost.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\WINDOWS\System32\wuauclt.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Documents and Settings\Owner.HPPAV\My Documents\Z-Files\HijackThis.exe
C:\WINDOWS\System32\svchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\PROGRAM FILES\KONTIKI\BIN\BH309190.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CTPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1105356807\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [cnet] "C:\PROGRAM FILES\KONTIKI\BIN\Kontiki.exe" -s cnet -q
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Get It With Kontiki - res://C:\PROGRAM FILES\KONTIKI\BIN\BH309190.DLL/201
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O16 - DPF: Blackjack by pogo - http://game1.pogo.co...k-ob-assets.cab
O16 - DPF: WordJong by pogo - http://wordjong.pogo...g-ob-assets.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webi...Q/bin/WebIQ.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://www.getdway.c.../dpcsysinfo.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.a...,20/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...4.21/ttinst.cab
O16 - DPF: {D7B59209-0ED9-4986-BD4A-527BE836C6B2} - http://akamai.downlo...ERVICE_1045.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.aol....ne/aolcinst.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D5106B0-FA3E-489B-BA19-5415F4E21995}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thank You again
  • 0

Advertisements


#11
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, do this now:

Download FindIt's.zip to your desktop: http://forums.net-in...=post&id=142443

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder and run FindIt's.bat and wait for notepad to open a text file. It will take awhile so please be patient ...
3. Then post the results here please, along with the new HijackThis log.
  • 0

#12
lgcmjc1

lgcmjc1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
When i click on findit's a messege comes up that it is not suitable to run in ms-dos mode.
  • 0

#13
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running FindIt's.
  • 0

#14
lgcmjc1

lgcmjc1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Here is the findits log:


Volume in drive C is HP_PAVILION
Volume Serial Number is 1216-07D2

Directory of C:\WINDOWS\SYSTEM32

03/20/2005 10:21 AM <DIR> cache32_rtneg2
03/23/2005 09:30 PM <DIR> cache32_rtneg3
0 File(s) 0 bytes
2 Dir(s) 11,353,489,408 bytes free
»»»»» Checking for SAHAgent ico files.
Volume in drive C is HP_PAVILION
Volume Serial Number is 1216-07D2

Directory of C:\WINDOWS\system32

04/25/2005 05:16 AM 3,262 vh e233.ico
02/23/2005 10:27 PM 3,262 ico_bikini49_gif_32x32.ico
02/03/2005 08:47 PM 3,262 killinternetpops32121.ico
02/23/2005 09:22 PM 3,262 hotbod.ico
02/03/2005 08:47 PM 4,286 kevid231231.ico
02/03/2005 08:47 PM 3,262 usaplat123123.ico
02/23/2005 09:22 PM 2,238 safe1.ico
04/14/2005 09:48 PM 1,078 mac02.ico
04/14/2005 09:48 PM 3,262 hotbod123121.ico
04/14/2005 09:48 PM 3,262 kill all spyware41.ico
03/19/2005 08:52 PM 2,998 bball.ico
03/15/2005 05:40 PM 3,262 kas4c1.ico
04/03/2005 05:18 PM 2,238 red_kas1.ico
11/03/2004 08:38 PM 4,286 kevid1.ico
04/14/2005 09:48 PM 3,262 poker112.ico
03/25/2005 06:00 PM 3,262 eye41.ico
03/08/2005 07:41 PM 4,286 mp3red51a.ico
11/13/2004 11:08 PM 3,262 body2.ico
11/10/2004 06:25 PM 1,078 disk01.ico
04/15/2005 02:54 PM 2,238 MP3.ico
03/23/2005 07:48 PM 3,262 kas pink1233a1.ico
04/14/2005 09:47 PM 3,262 bingo_big2.ico
04/25/2005 05:16 AM 3,262 kill spyware1.ico
11/19/2004 08:34 PM 3,262 creditcard21.ico
11/01/2004 04:40 PM 19,942 virushunter21.ico
12/06/2004 08:31 PM 4,286 kill all spyware212345.ico
11/10/2004 06:26 PM 4,286 kill internet popups51.ico
11/19/2004 08:34 PM 4,286 usaplatinum61.ico
12/10/2004 08:08 PM 3,262 usplat151.ico
04/25/2005 05:16 AM 3,262 kill popups.ico
01/02/2005 10:20 AM 19,942 virushunter31.ico
11/04/2004 04:57 AM 2,238 celebslifestyle1.ico
12/06/2004 08:31 PM 3,262 kill evidence 3.ico
12/06/2004 08:31 PM 4,286 internet popup blocker1.ico
12/06/2004 08:31 PM 3,262 yuk or yum.ico
12/10/2004 08:05 PM 4,286 usaplatinum.ico
12/05/2004 08:40 PM 19,942 virushunter1.ico
12/10/2004 08:08 PM 4,286 greenmovie2.ico
12/10/2004 08:08 PM 3,262 xox23_icon.ico
12/10/2004 08:05 PM 4,286 greenmovie.ico
12/10/2004 08:05 PM 3,262 bubbles-ki.ico
12/10/2004 08:08 PM 3,262 bubbles-ke2.ico
01/09/2005 05:36 PM 4,286 datingpof1.ico
01/02/2005 10:20 AM 3,262 killinternetpops32.ico
01/09/2005 05:36 PM 4,286 usaplatinum609.ico
01/09/2005 05:36 PM 16,614 popupblocker231.ico
01/09/2005 05:36 PM 19,942 virushunter231.ico
02/03/2005 08:47 PM 2,526 superbowl1.ico
02/23/2005 09:22 PM 19,942 virushunter1231.ico
02/23/2005 09:22 PM 4,286 greenmovie2311.ico
02/23/2005 09:22 PM 3,262 creditcard32123123123.ico
02/23/2005 09:22 PM 3,262 kas pink1231.ico
02/23/2005 09:24 PM 3,262 yuk or yum 7adsfas1.ico
03/24/2005 07:54 PM 19,942 virus hunter yeah1.ico
04/14/2005 09:48 PM 4,286 moviesorangecirc1.ico
04/14/2005 09:48 PM 3,262 usaplat1231231231.ico
04/15/2005 02:54 PM 766 BlackJack.ico
02/23/2005 09:24 PM 3,262 kas pink123.ico
03/14/2005 08:40 PM 4,286 greenmovie2313asa.ico
03/08/2005 07:41 PM 4,286 pop up blaster.ico
03/08/2005 07:41 PM 4,286 kill all spyware2124124311.ico
03/14/2005 08:40 PM 4,286 mp3 players4sale1.ico
03/14/2005 04:59 PM 2,526 ibm laptop3.ico
03/15/2005 09:21 PM 3,262 conver radio 32x32-21.ico
03/16/2005 09:12 PM 4,286 kill all spywareadsfadsf1.ico
03/25/2005 06:00 PM 4,286 moviescirc2.ico
03/25/2005 06:00 PM 4,286 mp3 players4salea.ico
03/23/2005 07:48 PM 2,526 ibm laptop31.ico
03/29/2005 12:28 PM 3,262 kas pink1233aadsfa1.ico
04/07/2005 06:34 PM 4,286 kevid231231aa.ico
04/03/2005 05:18 PM 4,286 pop up blaster1232131.ico
04/25/2005 05:16 AM 4,286 greenmovie2313asaadsasfad112341231adsfa.ico
04/25/2005 05:16 AM 4,286 mp3red51aads.ico
04/25/2005 05:16 AM 3,262 creditcard32123123123asdsa.ico
04/14/2005 09:47 PM 3,262 popupkiller2asdf1.ico
04/14/2005 09:47 PM 3,262 kas pink1233aadsfa12.ico
04/15/2005 02:54 PM 766 Air Tickets.ico
04/15/2005 02:54 PM 2,238 Online Betting.ico
04/15/2005 02:54 PM 2,238 Car Insurance.ico
04/15/2005 02:54 PM 2,238 Cruises.ico
04/15/2005 02:54 PM 4,534 Remove Spyware.ico
04/15/2005 02:54 PM 2,238 Cheap Cigarettes.ico
04/15/2005 02:54 PM 766 Phentermine.ico
04/15/2005 02:54 PM 766 Online Gambling.ico
04/15/2005 02:54 PM 2,238 Viagra.ico
04/15/2005 02:54 PM 4,606 Credit Card.ico
04/15/2005 02:54 PM 766 Pharmacy.ico
04/15/2005 02:54 PM 2,238 Currency Trading.ico
88 File(s) 399,144 bytes
0 Dir(s) 11,353,489,408 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\_rtneg3

and here is the new Hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 5:39:54 AM, on 4/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\COMMON~1\AOL\110535~1\EE\AOLHOS~1.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\PROGRA~1\COMMON~1\AOL\110535~1\EE\AOLServiceHost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner.HPPAV\My Documents\Z-Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\PROGRAM FILES\KONTIKI\BIN\BH309190.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CTPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1105356807\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [cnet] "C:\PROGRAM FILES\KONTIKI\BIN\Kontiki.exe" -s cnet -q
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Get It With Kontiki - res://C:\PROGRAM FILES\KONTIKI\BIN\BH309190.DLL/201
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O16 - DPF: Blackjack by pogo - http://game1.pogo.co...k-ob-assets.cab
O16 - DPF: WordJong by pogo - http://wordjong.pogo...g-ob-assets.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webi...Q/bin/WebIQ.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://www.getdway.c.../dpcsysinfo.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.a...,20/mcgdmgr.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...4.21/ttinst.cab
O16 - DPF: {D7B59209-0ED9-4986-BD4A-527BE836C6B2} - http://akamai.downlo...ERVICE_1045.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.aol....ne/aolcinst.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D5106B0-FA3E-489B-BA19-5415F4E21995}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thanks again
  • 0

#15
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Don't run it yet.

Reboot into Safe Mode by hitting the F8 key until menu shows up. In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:

HKEY_CURRENT_USER\Software\ and delete _rtneg3

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Delete all the following files, which are all located under the C:\WINDOWS\system32\ folder:

cache32_rtneg2 - delete this folder
cache32_rtneg3 - delete this folder
04/25/2005 05:16 AM 3,262 vh e233.ico
02/23/2005 10:27 PM 3,262 ico_bikini49_gif_32x32.ico
02/03/2005 08:47 PM 3,262 killinternetpops32121.ico
02/23/2005 09:22 PM 3,262 hotbod.ico
02/03/2005 08:47 PM 4,286 kevid231231.ico
02/03/2005 08:47 PM 3,262 usaplat123123.ico
02/23/2005 09:22 PM 2,238 safe1.ico
04/14/2005 09:48 PM 1,078 mac02.ico
04/14/2005 09:48 PM 3,262 hotbod123121.ico
04/14/2005 09:48 PM 3,262 kill all spyware41.ico
03/19/2005 08:52 PM 2,998 bball.ico
03/15/2005 05:40 PM 3,262 kas4c1.ico
04/03/2005 05:18 PM 2,238 red_kas1.ico
11/03/2004 08:38 PM 4,286 kevid1.ico
04/14/2005 09:48 PM 3,262 poker112.ico
03/25/2005 06:00 PM 3,262 eye41.ico
03/08/2005 07:41 PM 4,286 mp3red51a.ico
11/13/2004 11:08 PM 3,262 body2.ico
11/10/2004 06:25 PM 1,078 disk01.ico
04/15/2005 02:54 PM 2,238 MP3.ico
03/23/2005 07:48 PM 3,262 kas pink1233a1.ico
04/14/2005 09:47 PM 3,262 bingo_big2.ico
04/25/2005 05:16 AM 3,262 kill spyware1.ico
11/19/2004 08:34 PM 3,262 creditcard21.ico
11/01/2004 04:40 PM 19,942 virushunter21.ico
12/06/2004 08:31 PM 4,286 kill all spyware212345.ico
11/10/2004 06:26 PM 4,286 kill internet popups51.ico
11/19/2004 08:34 PM 4,286 usaplatinum61.ico
12/10/2004 08:08 PM 3,262 usplat151.ico
04/25/2005 05:16 AM 3,262 kill popups.ico
01/02/2005 10:20 AM 19,942 virushunter31.ico
11/04/2004 04:57 AM 2,238 celebslifestyle1.ico
12/06/2004 08:31 PM 3,262 kill evidence 3.ico
12/06/2004 08:31 PM 4,286 internet popup blocker1.ico
12/06/2004 08:31 PM 3,262 yuk or yum.ico
12/10/2004 08:05 PM 4,286 usaplatinum.ico
12/05/2004 08:40 PM 19,942 virushunter1.ico
12/10/2004 08:08 PM 4,286 greenmovie2.ico
12/10/2004 08:08 PM 3,262 xox23_icon.ico
12/10/2004 08:05 PM 4,286 greenmovie.ico
12/10/2004 08:05 PM 3,262 bubbles-ki.ico
12/10/2004 08:08 PM 3,262 bubbles-ke2.ico
01/09/2005 05:36 PM 4,286 datingpof1.ico
01/02/2005 10:20 AM 3,262 killinternetpops32.ico
01/09/2005 05:36 PM 4,286 usaplatinum609.ico
01/09/2005 05:36 PM 16,614 popupblocker231.ico
01/09/2005 05:36 PM 19,942 virushunter231.ico
02/03/2005 08:47 PM 2,526 superbowl1.ico
02/23/2005 09:22 PM 19,942 virushunter1231.ico
02/23/2005 09:22 PM 4,286 greenmovie2311.ico
02/23/2005 09:22 PM 3,262 creditcard32123123123.ico
02/23/2005 09:22 PM 3,262 kas pink1231.ico
02/23/2005 09:24 PM 3,262 yuk or yum 7adsfas1.ico
03/24/2005 07:54 PM 19,942 virus hunter yeah1.ico
04/14/2005 09:48 PM 4,286 moviesorangecirc1.ico
04/14/2005 09:48 PM 3,262 usaplat1231231231.ico
04/15/2005 02:54 PM 766 BlackJack.ico
02/23/2005 09:24 PM 3,262 kas pink123.ico
03/14/2005 08:40 PM 4,286 greenmovie2313asa.ico
03/08/2005 07:41 PM 4,286 pop up blaster.ico
03/08/2005 07:41 PM 4,286 kill all spyware2124124311.ico
03/14/2005 08:40 PM 4,286 mp3 players4sale1.ico
03/14/2005 04:59 PM 2,526 ibm laptop3.ico
03/15/2005 09:21 PM 3,262 conver radio 32x32-21.ico
03/16/2005 09:12 PM 4,286 kill all spywareadsfadsf1.ico
03/25/2005 06:00 PM 4,286 moviescirc2.ico
03/25/2005 06:00 PM 4,286 mp3 players4salea.ico
03/23/2005 07:48 PM 2,526 ibm laptop31.ico
03/29/2005 12:28 PM 3,262 kas pink1233aadsfa1.ico
04/07/2005 06:34 PM 4,286 kevid231231aa.ico
04/03/2005 05:18 PM 4,286 pop up blaster1232131.ico
04/25/2005 05:16 AM 4,286 greenmovie2313asaadsasfad112341231adsfa.ico
04/25/2005 05:16 AM 4,286 mp3red51aads.ico
04/25/2005 05:16 AM 3,262 creditcard32123123123asdsa.ico
04/14/2005 09:47 PM 3,262 popupkiller2asdf1.ico
04/14/2005 09:47 PM 3,262 kas pink1233aadsfa12.ico
04/15/2005 02:54 PM 766 Air Tickets.ico
04/15/2005 02:54 PM 2,238 Online Betting.ico
04/15/2005 02:54 PM 2,238 Car Insurance.ico
04/15/2005 02:54 PM 2,238 Cruises.ico
04/15/2005 02:54 PM 4,534 Remove Spyware.ico
04/15/2005 02:54 PM 2,238 Cheap Cigarettes.ico
04/15/2005 02:54 PM 766 Phentermine.ico
04/15/2005 02:54 PM 766 Online Gambling.ico
04/15/2005 02:54 PM 2,238 Viagra.ico
04/15/2005 02:54 PM 4,606 Credit Card.ico
04/15/2005 02:54 PM 766 Pharmacy.ico
04/15/2005 02:54 PM 2,238 Currency Trading.ico


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/

Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Restart and post back a new HijackThis log.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP