what do i do now? [RESOLVED]
#1
Posted 12 May 2005 - 07:17 PM
#2
Guest_usetobe_*
Posted 17 May 2005 - 08:21 AM
Welcome to Geeks 2 Go. Sorry about the delay in getting to your post, we have been very busy.
Do you still require help or are your problems resolved?
Please let me know and if you still require assistance, please post a fresh HJT log.
Regards,
Usetobe
#3
Posted 18 May 2005 - 06:27 PM
#4
Guest_usetobe_*
Posted 20 May 2005 - 02:13 AM
#5
Posted 25 May 2005 - 07:46 PM
Scan saved at 9:30:15 PM, on 5/25/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SRVC32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\DESKTOP\SSAAD.EXE
C:\WINDOWS\SYSTEM\SERVICES\{5841B113-432E-4EED-B4A8-830216FA5D1C}\SVCHOST.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\WP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\EFFICIENT NETWORKS\ENTERNET 300\APP\ENTERNET.EXE
C:\WINDOWS\FREECELL.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\4ZCZKJED\HIJACKTHIS[1].EXE
C:\WINDOWS\NOTEPAD.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksear...index.php?aff=9
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBARBHO.DLL
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765728274} - C:\WINDOWS\SYSTEM\WER8274.DLL
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBAR.DLL
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [Local runole service] C:\WINDOWS\System\srvc32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Gateway Ink Monitor] C:\Program Files\Gateway\Gateway Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\WINDOWS\DESKTOP\SSAAD.EXE
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\SYSTEM\Services\{5841B113-432E-4EED-B4A8-830216FA5D1C}\SVCHOST.EXE
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WindowsFY] C:\WP.EXE
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBAR.DLL/CXTSEARCH.HTML
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {B0E72A96-D7E7-4A3B-830B-635CEA97CB5A} - (no file)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B0E72A96-D7E7-4A3B-830B-635CEA97CB5A} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {E6AE8A2F-F4C4-4CD4-A49E-92648BF2AD18} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E6AE8A2F-F4C4-4CD4-A49E-92648BF2AD18} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {5D968526-D110-47C2-999D-6BC4BDC60557} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {5D968526-D110-47C2-999D-6BC4BDC60557} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {66A927FC-9B05-4BDD-A654-4459EF7FC16A} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {66A927FC-9B05-4BDD-A654-4459EF7FC16A} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {F9CDC86D-24FA-4F57-A564-E4CBAF9E957D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F9CDC86D-24FA-4F57-A564-E4CBAF9E957D} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {45C73EFE-BBAA-42C8-AC11-278567DFE6F4} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {45C73EFE-BBAA-42C8-AC11-278567DFE6F4} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {B0E72A96-D7E7-4A3B-830B-635CEA97CB5A} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B0E72A96-D7E7-4A3B-830B-635CEA97CB5A} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {56A4F656-D43D-4C8F-96BD-E405F59105F4} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {56A4F656-D43D-4C8F-96BD-E405F59105F4} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {E6AE8A2F-F4C4-4CD4-A49E-92648BF2AD18} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E6AE8A2F-F4C4-4CD4-A49E-92648BF2AD18} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.support.f...oad/tgctlcm.cab
O16 - DPF: {3CC943C7-3C99-11D4-8135-0050041A5144} (RunExeActiveX.UserControl1) - file://C:\Program Files\Gateway\HelpSpot\RunExeActiveX.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/...gx/GrooveAX.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildt...iveLauncher.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
#6
Guest_usetobe_*
Posted 26 May 2005 - 12:13 AM
Let's see if we can clear up this mess.
Please read these instructions carefully and print them out! Be sure to follow ALL instructions!
Please right-click: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.
Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.
Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:
Security IGuard
Virtual Maid
Search Maid
Exit Add/Remove Programs.
*IMPORTANT*CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES
I need you to open up Notepad, copy all of the Killbox file paths below and paste them into Notepad.
C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe
* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.
* Save it to your desktop.
* Please double-click Killbox.exe to run it.
* Select "Delete on Reboot".
* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C
* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.
While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.
Make sure you can view hidden files.
Using Windows Explorer, delete the following, if found (please do NOT try to find them by "search" because they will not show up that way).
FOLDERS to delete (in bold) if found:
C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard
While still in Safe Mode, do the following:
Make sure all programs and windows are closed. Run HiJackThis and place a check next to the following items, if found, then click FIX CHECKED.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksear...index.php?aff=9
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBARBHO.DLL
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765728274} - C:\WINDOWS\SYSTEM\WER8274.DLL
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBAR.DLL
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [Local runole service] C:\WINDOWS\System\srvc32.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\SYSTEM\Services\{5841B113-432E-4EED-B4A8-830216FA5D1C}\SVCHOST.EXE
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKCU\..\Run: [WindowsFY] C:\WP.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {B0E72A96-D7E7-4A3B-830B-635CEA97CB5A} - (no file)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B0E72A96-D7E7-4A3B-830B-635CEA97CB5A} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {E6AE8A2F-F4C4-4CD4-A49E-92648BF2AD18} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E6AE8A2F-F4C4-4CD4-A49E-92648BF2AD18} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {5D968526-D110-47C2-999D-6BC4BDC60557} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {5D968526-D110-47C2-999D-6BC4BDC60557} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {66A927FC-9B05-4BDD-A654-4459EF7FC16A} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {66A927FC-9B05-4BDD-A654-4459EF7FC16A} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {F9CDC86D-24FA-4F57-A564-E4CBAF9E957D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F9CDC86D-24FA-4F57-A564-E4CBAF9E957D} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {45C73EFE-BBAA-42C8-AC11-278567DFE6F4} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {45C73EFE-BBAA-42C8-AC11-278567DFE6F4} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {B0E72A96-D7E7-4A3B-830B-635CEA97CB5A} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B0E72A96-D7E7-4A3B-830B-635CEA97CB5A} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {56A4F656-D43D-4C8F-96BD-E405F59105F4} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {56A4F656-D43D-4C8F-96BD-E405F59105F4} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {E6AE8A2F-F4C4-4CD4-A49E-92648BF2AD18} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E6AE8A2F-F4C4-4CD4-A49E-92648BF2AD18} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
Close HiJackThis.
Now, using Windows Explorer, locate the following files and, if found, delete them.
C:\PROGRAM FILES\VIEWPOINT\ <<<----ENTIRE FOLDER
C:\WINDOWS\SYSTEM\WER8274.DLL
C:\WINDOWS\System\srvc32.exe
C:\WINDOWS\SYSTEM\Services\{5841B113-432E-4EED-B4A8-830216FA5D1C}\SVCHOST.EXE
C:\WINDOWS\System\spoolsrv32.exe
C:\WP.EXE
C:\WINDOWS\SYSTEM\WLDR.DLL
Reboot into normal mode.
1.) Download The Hoster. Press "Restore Original Hosts" and press "OK". Exit the program.
2.) Right-Click HERE and Save As to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.
3.) Download, install, and run CleanUp!
4.) Run this online virus scan: ActiveScan - Save the results from the scan!
Post a new HiJackThis log along with the results from ActiveScan.
#7
Posted 26 May 2005 - 03:50 PM
Attached Files
#8
Guest_usetobe_*
Posted 27 May 2005 - 04:18 AM
#9
Posted 28 May 2005 - 10:16 AM
#10
Guest_usetobe_*
Posted 28 May 2005 - 11:21 AM
You can safely allow S&D to make changes, if they relate to Norton, whilst you are updating.
The error you are getting relates to Norton as well.
Personally, I would uninstall Norton and download and install a free antivirus from Grisoft called AVG. It is very good.
avg here
Please also rescan your computer with HJT and post the log back so I can make sure there is no more work to do.
Regards,
Usetobe
#11
Posted 30 May 2005 - 05:33 PM
#12
Posted 04 June 2005 - 08:44 AM
#13
Guest_usetobe_*
Posted 04 June 2005 - 08:56 AM
Is there another way to send you a donation....I am still not comfortable putting my credit card number online.
It doesn't matter about donating, the satisfaction comes by helping you to clean your system and knowing that you are going away happy.
Should I remove the files AVG has sent to the virus vault......should I delete them? The program asks if I am sure I want to delete them or empty the vault.
Yes, you can empty and delete the virus vault.
You said I should do another hjl.
Yes please, post a new HJT log in this thread so that I can give your system the all clear once I have checked it, together with some more good prevention advice.
#14
Posted 05 June 2005 - 04:13 PM
#15
Guest_usetobe_*
Posted 05 June 2005 - 11:38 PM
Rescan your PC with HJT, copy and paste it into this thread (that is all you need to do, just the HJT THING AND NOTHING ELSE). You do not need to make a new topic, just click on the reply button and paste into the white box where you type your replies.
Regards,
Usetobe