Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Need help please


  • Please log in to reply

#1
bigcc9

bigcc9

    New Member

  • Member
  • Pip
  • 2 posts
I am having trouble removing some stuff from my computer. I have run webroot spysweeper and whatever is on my computer will only allow me to run it in safe mode. I have tried Ewido and it recognizes something but does not remove it upon reboot. I have tried to use the free panda active scan, but every time I click the link to scan, my browser is hijacked. I ran hijackthis and got the following log:

Logfile of HijackThis v1.99.1
Scan saved at 9:17:25 PM, on 5/17/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://66.40.16.201/sb/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipcons.biz/index.php?id=36779
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {2E246FAE-8420-11D9-870D-000C2917DE7F} - (no file)
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ Agent] C:\WINDOWS\System32\kbdhofmt.exe
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmg.exe
O4 - HKLM\..\Run: [Internet Themes] C:\WINDOWS\System32\hnetetup.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{7008382E-03F4-4EF1-8055-88D2E33F85A6}\SVCHOST.EXE
O4 - HKLM\..\Run: [Disk Keeper] C:\WINDOWS\System32\Services\{7008382E-03F4-4EF1-8055-88D2E33F85A6}\SECURITY.EXE
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Cookie Washer\washidx.exe "chris"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [wupdate] C:\WINDOWS\System32\wi32.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0819.DLL (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0819.DLL (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: ComcastHSI - {6B8442F1-1AC2-43CD-811C-E5F0E3899E06} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {964B6F8D-7A46-4E23-BB67-A576CE5B05E9} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {964B6F8D-7A46-4E23-BB67-A576CE5B05E9} - (no file) (HKCU)
O9 - Extra button: Help - {A3D32B80-9F65-4294-8F75-D7BE8E5CC145} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {C2C2B217-1A47-4089-95BC-06F85A986165} - http://www.comcastsupport.com (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-18.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.c...ient/isetup.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O21 - SSODL: WebControl Agent - {BAE69619-501D-4032-923F-C007E8C3E367} - C:\WINDOWS\System32\mapiache.dll
O21 - SSODL: LIRrPLIP - {3979150B-93D3-BFA1-8EEF-590666528D57} - C:\WINDOWS\System32\npmw.dll (file missing)
O21 - SSODL: Agent Connection - {7E2BE2BB-BBE6-49CD-ACCD-4BF09B713CFC} - C:\WINDOWS\System32\ntmsgsvc.dll
O21 - SSODL: System - {698C1B08-27FB-4988-8C4F-653E3B1B329D} - v_sys.dll (file missing)

Any help would be greatly appreciated!!!!!! Thanks in advance
  • 0

Advertisements


#2
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft...p1/default.mspx
Apply the update, reboot, and post a fresh Hijack This log.
  • 0

#3
bigcc9

bigcc9

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
Hi

I tried to download the Service pack, but when I click on the download.......My browser was hijacked. Is there any way to remove what is causing it and then download the service pack? Because whatever I have on the computer will not let me download anything.

Thanks
  • 0

#4
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
hi bigcc,

well, lets try and get you cleaned up enough so you can get SP1a. after that we can finish the clean up process. It appears that your log was run in safe mode, so the removal instructions I have listed below should allow you get the service pack, after that post a fresh Hijack this from Normal mode.

First we need to insure your internet connection stays connected during the download of SP1a.

Please Download LSPFix from http://www.cexx.org/lspfix.htm and Run the Program. Disconnect from the Internet and close all Internet Explorer Windows. Check the "I know what I'm doing" Button and remove all traces of c:\windows\system32\flsmngr.dll. Reboot.



You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://66.40.16.201/sb/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipcons.biz/index.php?id=36779
O2 - BHO: (no name) - {2E246FAE-8420-11D9-870D-000C2917DE7F} - (no file)

O4 - HKCU\..\Run: [wupdate] C:\WINDOWS\System32\wi32.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and [b]let us know how your system's working
. :tazz:
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP