Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Got problems with smitfraud [resolved]

Started by Renegade , May 02 2005 08:07 AM

  • This topic is locked This topic is locked

#1
Renegade
Posted 02 May 2005 - 08:07 AM

Renegade

    Member

  • Member
  • PipPip
  • 25 posts
Here is my HijackThis log...I hope it will be of some use.


Logfile of HijackThis v1.99.1
Scan saved at 16:03:52, on 2005-05-02
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM\VANLIGA FILER\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM\VANLIGA FILER\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM\VANLIGA FILER\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM\ULEAD SYSTEMS\ULEAD PHOTO EXPLORER 8.0 SE BASIC\MONITOR.EXE
C:\PROGRAM\VANLIGA FILER\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\MINA DOKUMENT\TINAS MOJJS\POJKVäNNENS GREJER\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.guhjxqddq...d3VWGFBP_e.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {1BF6FA9B-DE4A-2F31-82F8-53F2A264665E} - C:\WINDOWS\APPLICATION DATA\START POLL\HELPPILE.EXE
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRAM\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Aktivitetsfältet] SysTray.Exe
O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\asp4setp.exe 3
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program\Vanliga filer\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [Less eq chin does] C:\WINDOWS\Application Data\pop link less eq\SignInside.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Vanliga filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program\Vanliga filer\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRAM\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program\Vanliga filer\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program\Vanliga filer\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program\Vanliga filer\Symantec Shared\ccEvtMgr.exe"
O4 - HKCU\..\Run: [burndart] C:\WINDOWS\APPLIC~1\CLOCKR~1\Live Way Ford.exe
O4 - HKCU\..\Run: [WindowsFY] C:\WP.EXE
O4 - HKCU\..\RunServices: [burndart] C:\WINDOWS\APPLIC~1\CLOCKR~1\Live Way Ford.exe
O4 - HKCU\..\RunServices: [WindowsFY] C:\WP.EXE
O4 - HKCU\..\RunOnce: [burndart] C:\WINDOWS\APPLIC~1\CLOCKR~1\Live Way Ford.exe
O4 - HKCU\..\RunOnce: [WindowsFY] C:\WP.EXE
O4 - HKCU\..\RunServicesOnce: [burndart] C:\WINDOWS\APPLIC~1\CLOCKR~1\Live Way Ford.exe
O4 - HKCU\..\RunServicesOnce: [WindowsFY] C:\WP.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRAM\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {4B3879E0-B71C-11D9-9A40-000D88B27ED9} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4B3879E0-B71C-11D9-9A40-000D88B27ED9} - (no file) (HKCU)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarest...es2/Install.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.171.149....chm::/file.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
  • 0

Advertisements

#2
Renegade
Posted 03 May 2005 - 05:20 AM

Renegade

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
I have alot of problems with this computer...please help me.



Logfile of HijackThis v1.99.1
Scan saved at 13:22:01, on 2005-05-03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM\VANLIGA FILER\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM\VANLIGA FILER\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM\VANLIGA FILER\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM\ULEAD SYSTEMS\ULEAD PHOTO EXPLORER 8.0 SE BASIC\MONITOR.EXE
C:\PROGRAM\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM\SYMANTEC\LIVEUPDATE\LUCOMSERVER_2_5.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\MINA DOKUMENT\TINAS MOJJS\POJKVäNNENS GREJER\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ubouycguiwxma...wd3VWGFBP_e.cgi
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {1BF6FA9B-DE4A-2F31-82F8-53F2A264665E} - C:\WINDOWS\APPLICATION DATA\START POLL\HELPPILE.EXE
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRAM\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Aktivitetsfältet] SysTray.Exe
O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\asp4setp.exe 3
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program\Vanliga filer\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [Less eq chin does] C:\WINDOWS\Application Data\pop link less eq\SignInside.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Vanliga filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program\Vanliga filer\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRAM\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program\Vanliga filer\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program\Vanliga filer\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program\Vanliga filer\Symantec Shared\ccEvtMgr.exe"
O4 - HKCU\..\Run: [burndart] C:\WINDOWS\APPLIC~1\CLOCKR~1\Live Way Ford.exe
O4 - HKCU\..\Run: [WindowsFY] C:\WP.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRAM\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {4B3879E0-B71C-11D9-9A40-000D88B27ED9} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4B3879E0-B71C-11D9-9A40-000D88B27ED9} - (no file) (HKCU)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.171.149....chm::/file.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
  • 0

#3
g2i2r4
Posted 05 May 2005 - 12:18 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome Renegade to Geeks to Go!

Please do not open a new topic if it takes a bit longer for us to respond. The forum is very, very busy.

I'll have a look at your log now and post back soon.
  • 0

#4
g2i2r4
Posted 05 May 2005 - 12:23 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!

We need to make sure all hidden files are showing so please:* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
***

Open HijackThis
Go to ‘config’
Go to ‘misc tools’
Press the button ‘open uninstall manager’
In the list find:
Security IGuard
Virtual Maid
Search Maid
Press ‘delete this item’.
Press ‘back’

***

Go to ‘config’
Go to ‘misc tools’
Press ‘open process manager’
Select the process, press ‘kill process’ (and repeat this if necessary):
C:\wp.exe
C:\wp.bmp
C:\WINDOWS\sites.ini
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\wldr.dll
C:\WINDOWS\System\helper.exe
C:\WINDOWS\System\intmonp.exe
C:\WINDOWS\System\msmsgs.exe
C:\WINDOWS\System\ole32vbs.exe
C:\WINDOWS\System\msole32.exe
Exit HijackThis.

***

1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\wp.exe
C:\wp.bmp
C:\WINDOWS\sites.ini
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\wldr.dll
C:\WINDOWS\System\helper.exe
C:\WINDOWS\System\intmonp.exe
C:\WINDOWS\System\msmsgs.exe
C:\WINDOWS\System\ole32vbs.exe
C:\WINDOWS\System\msole32.exe

6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..

Let the system reboot.

***

Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files <-WILL be there!
C:\Program Files\Security Iguard

Reboot into normal mode.

***

* Download and install Registrar Lite.
* Double click the purple Registrar Lite icon on your desktop.
* Copy the line in the box below and paste it into the "Address" field (located at the top) of the program:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
* Click the "Go" button.
* It will take you into the "Policies" folder.
* Locate the "System" folder (in the right panel)
* If found, right-click on the System folder and go to Delete
* Be very careful that you only delete the System folder that is inside the Policies folder.

Reboot your computer again.

***

Download Hoster
Unzip it to a convenient place and open the program.
Choose "Restore Original Hosts" and press "OK".
Close the program.

***

Download: deldomains.
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

***

There may also be a number of icons in the system folder that don't belong. Here are some examples:

casino.ico
date.ico
games.ico
mobile.ico
network.ico
pharm.ico
pharm2.ico
scanner.ico
spam.ico
spyware.ico

***

Download CleanUp!.
If that doesn’t work, use this link.
Don't run the program, we'll do that later.

Go to options
Select ‘custom’
Put a check to:* empty recycle bins
* scan local drives for temporary files
* CleanUp! All users.
Press 'cleanup!'

Once it's done, log off and log on again. This will remove files that were in use during the scan.

***

Please do an online scan again, 2 would be better,

Trend Micro Housecall
Panda online scan

Make sure that you choose "fix" or "clean".

Save the results from the scan!

***

Download:
this file

Unzip the file to your desktop.
Doubleclick the file jobs.bat.

Copy and paste the content of the file jobs.txt it creates, here in your answer.


***

Post back here in this topic using the button ‘add reply’:
The results from the AV scan, the test from the file jobs.txt and a fresh log using HijackThis.
  • 0

#5
Renegade
Posted 16 May 2005 - 04:45 AM

Renegade

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
I found a new problem when I followed your instructions. I can't reboot my computer into Safe Mode.

This way I can't run Killbox. Shall I continue anyway?
  • 0

#6
g2i2r4
Posted 16 May 2005 - 05:53 AM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

If that doesn't help, perform the advise in normal mode. We'll see what's left.
  • 0

#7
Renegade
Posted 19 May 2005 - 01:12 AM

Renegade

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
This folder doesn't exist on my computer. I have a Log Files folder, but it is in the C:\Windows\System folder.

C:\Windows\System32\Log Files <-WILL be there!


Do you mean that folder or is it just something wrong with the computer?
  • 0

#8
g2i2r4
Posted 19 May 2005 - 06:49 AM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
On your computer that folder is indead in Windows/System.
Good on you to check and not ignore. :tazz:
Please remove the folder and move on in the advice.
  • 0

#9
Renegade
Posted 23 May 2005 - 08:53 AM

Renegade

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
The virus scan showed nothing.

Here is the text from job.bat:


Volymen i enhet C saknar etikett.
Volymen har serienummer 0E63-13E5.
Katalog i C:\WINDOWS\Tasks

0AB8B9~1 JOB 224 05-05-23 16.00 0AB8B9C59182EF5E.job
ABE616~1 JOB 224 05-05-23 16.00 ABE6164E6E6BEE67.job
4719CE~1 JOB 224 05-05-23 16.00 4719CE396E69D78C.job
9753B4~1 JOB 224 05-05-23 16.00 9753B47D91807F44.job
655DAC~1 JOB 214 05-05-23 16.00 655DACE66E7D06ED.job
AAB7B3~1 JOB 214 05-05-23 16.00 AAB7B32E9181E6A7.job
2DA2A3~1 JOB 214 05-05-23 16.00 2DA2A3D091970783.job
SYMANT~1 JOB 328 05-05-23 14.04 Symantec NetDetect.job
TUNE-U~1 JOB 502 05-05-07 23.00 Tune-up Application Start.job
9 fil(er) 2 368 byte
0 kat 1 803.12 MB ledigt


Here is the logfile from HiJackThis:

Logfile of HijackThis v1.99.1
Scan saved at 16:56:39, on 2005-05-23
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM\VANLIGA FILER\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM\VANLIGA FILER\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM\ULEAD SYSTEMS\ULEAD PHOTO EXPLORER 8.0 SE BASIC\MONITOR.EXE
C:\PROGRAM\VANLIGA FILER\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM\MSN MESSENGER\MSNMSGR.EXE
C:\MINA DOKUMENT\TINAS MOJJS\POJKVäNNENS GREJER\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.uuxmfggxl...d3VWGFBP_e.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRAM\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Aktivitetsfältet] SysTray.Exe
O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\asp4setp.exe 3
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Vanliga filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program\Vanliga filer\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRAM\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program\Vanliga filer\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program\Vanliga filer\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program\Vanliga filer\Symantec Shared\ccEvtMgr.exe"
O4 - HKCU\..\Run: [WindowsFY] C:\WP.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRAM\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {4B3879E0-B71C-11D9-9A40-000D88B27ED9} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4B3879E0-B71C-11D9-9A40-000D88B27ED9} - (no file) (HKCU)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.171.149....chm::/file.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
  • 0

#10
g2i2r4
Posted 23 May 2005 - 12:07 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Copy and paste the text from the box to an empty file in Notepad.
%systemdrive%
cd C:\WINDOWS\Tasks
attrib -r -s -h 0AB8B9C59182EF5E.job
attrib -r -s -h ABE6164E6E6BEE67.job
attrib -r -s -h 4719CE396E69D78C.job
attrib -r -s -h 9753B47D91807F44.job
attrib -r -s -h 655DACE66E7D06ED.job
attrib -r -s -h AAB7B32E9181E6A7.job
attrib -r -s -h 2DA2A3D091970783.job
del 0AB8B9C59182EF5E.job
del ABE6164E6E6BEE67.job
del 4719CE396E69D78C.job
del 9753B47D91807F44.job
del 655DACE66E7D06ED.job
del AAB7B32E9181E6A7.job
del 2DA2A3D091970783.job

Save the file:
name : remjob.bat
location: desktop
type : all types

Close Notepad.

Doubleclick remjob.bat on your desktop.

Run jobs.bat again. Post the content of the new file job.txt here in your answer.

***

Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!

***

Right click here and click Save Target As. Save the file to your desktop. Double click on the file you saved to run it. It will ask you if you want to merge it with your registry. Click Yes and then Ok on the confirmation. You will have to reboot for this to take effect.

***

Next please run HijackThis, click Scan, and check:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.uuxmfggxl...d3VWGFBP_e.html

O4 - HKCU\..\Run: [WindowsFY] C:\WP.EXE

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: Microsoft AntiSpyware helper - {4B3879E0-B71C-11D9-9A40-000D88B27ED9} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {4B3879E0-B71C-11D9-9A40-000D88B27ED9} - (no file) (HKCU)

O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.171.149....chm::/file.exe

Close all open windows except for HijackThis and click Fix Checked.

***

please run Killbox.
Select "Delete on Reboot".

Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\wp.exe
C:\wp.bmp
C:\WINDOWS\sites.ini
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\wldr.dll
C:\WINDOWS\System\helper.exe
C:\WINDOWS\System\intmonp.exe
C:\WINDOWS\System\msmsgs.exe
C:\WINDOWS\System\ole32vbs.exe
C:\WINDOWS\System\msole32.exe

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

***

Post back here with a fresh log using HijackThis.
  • 0

#11
Renegade
Posted 24 May 2005 - 05:10 AM

Renegade

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Job.bat shows:



Volymen i enhet C saknar etikett.
Volymen har serienummer 0E63-13E5.
Katalog i C:\WINDOWS\Tasks

SYMANT~1 JOB 328 05-05-23 18.04 Symantec NetDetect.job
TUNE-U~1 JOB 502 05-05-07 23.00 Tune-up Application Start.job
2 fil(er) 830 byte
0 kat 1 320.87 MB ledigt



Here is the logfile from Hijack This:

Logfile of HijackThis v1.99.1
Scan saved at 13:13:48, on 2005-05-24
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM\VANLIGA FILER\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM\VANLIGA FILER\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM\ULEAD SYSTEMS\ULEAD PHOTO EXPLORER 8.0 SE BASIC\MONITOR.EXE
C:\PROGRAM\VANLIGA FILER\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM\MSN MESSENGER\MSNMSGR.EXE
C:\MINA DOKUMENT\TINAS MOJJS\POJKVäNNENS GREJER\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRAM\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Aktivitetsfältet] SysTray.Exe
O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\asp4setp.exe 3
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program\Vanliga filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program\Vanliga filer\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRAM\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program\Vanliga filer\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program\Vanliga filer\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program\Vanliga filer\Symantec Shared\ccEvtMgr.exe"
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRAM\MICROS~1\OFFICE10\EXCEL.EXE/3000
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
  • 0

#12
g2i2r4
Posted 24 May 2005 - 06:06 AM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
The log looks clean at this end. How are things on your end?
  • 0

#13
Renegade
Posted 24 May 2005 - 07:30 AM

Renegade

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Everything seems fine here. Except that the computer is really slow but I can't ask for everything.

Thank you so much for your time and help.
  • 0

#14
g2i2r4
Posted 24 May 2005 - 12:10 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
You used cleanup!

That cleans up quite a bit most of the time. I'd recommend defragmenting the disk.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP