help please adware toolbar and homepage


  • This topic is locked

#1
biggam

  • Member
  • 76 posts
Hi

I went on to a site and my firewall kept asking me if I should let these strange programs go through. I said no to all of them. Then when I came out of the site there was an icon on the desktop (forgot the name). I went to Add/Remove and removed it. Also there is a toolbar that I can't get rid of, and when I open IE it goes to my home page (Google) for like 1 sec then goes to some IE search or something like that, but if I click on homepage again it stays on homepage.

Logfile of HijackThis v1.99.1
Scan saved at 02:58:50, on 19/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hwclock.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Amr\Desktop\fix virus\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchcentral...hp?v=4&aff=3156
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchcentral...hp?v=4&aff=3156
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\udsqc.dll
O2 - BHO: Internet Explorer Hot Fix - {3EECD3FA-FC9F-42B1-95E2-131912982363} - C:\WINDOWS\System32\kidzo.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\udsqc.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [Trickler] "c:\documents and settings\amr\local settings\temp\fsg_4203.exe"
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://204.157.0.193...va/cfs40320.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.co.../ysb_cracks.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolba...es...egular.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...me...loader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c....c...mplete.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{01A1B166-0D6E-44F7-BE75-D0E39C154969}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{12F820C2-DD83-4E87-BA85-9BFA0799F483}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{477EDD8A-FBFA-4ECD-A7B3-0585219A9567}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3B43FD7-67F3-45FF-B8D3-7104B4C2EEF1}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB424F77-B64D-4872-B97C-5CBA7BCE9101}: NameServer = 213.208.106.213 213.208.106.212
O17 - HKLM\System\CS1\Services\Tcpip\..\{01A1B166-0D6E-44F7-BE75-D0E39C154969}: NameServer = 69.50.184.84,195.225.176.37
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINDOWS\System32\SCardClnt.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0



#2
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi biggam, welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log. Your system needs a lot of attention.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

First we need to make all files and folders VISIBLE:

Go to start>control panel>folder options>view (tab)
*choose to "show hidden files and folders,"
*uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
*Close the window with ok
*All hidden files will now be visible

Close all browser windows and RUN HijackThis.
Click the SCAN button to produce a log.

Place a check mark beside each one of the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchcentral...hp?v=4&aff=3156
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchcentral...hp?v=4&aff=3156
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\udsqc.dll
O2 - BHO: Internet Explorer Hot Fix - {3EECD3FA-FC9F-42B1-95E2-131912982363} - C:\WINDOWS\System32\kidzo.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\udsqc.dll
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [Trickler] "c:\documents and settings\amr\local settings\temp\fsg_4203.exe"
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://204.157.0.193...va/cfs40320.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.co.../ysb_cracks.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolba...es...egular.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{01A1B166-0D6E-44F7-BE75-D0E39C154969}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{12F820C2-DD83-4E87-BA85-9BFA0799F483}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{477EDD8A-FBFA-4ECD-A7B3-0585219A9567}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3B43FD7-67F3-45FF-B8D3-7104B4C2EEF1}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CS1\Services\Tcpip\..\{01A1B166-0D6E-44F7-BE75-D0E39C154969}: NameServer = 69.50.184.84,195.225.176.37
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe


Now with all the items selected, delete them by clicking the FIX checked button. Close the HijackThis window and Reboot Your System in Safe Mode.

How to use the F8 method to Start Your Computer in Safe Mode

*Restart the computer.
*As soon as BIOS is loaded, begin tapping the F8 key until the Advanced Options menu appears.
*Use the arrow keys to select the Safe mode menu item.
*Press Enter.


Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):

FILES

C:\WINDOWS\System32\hwclock.exe
C:\WINDOWS\System32\udsqc.dll
C:\WINDOWS\System32\kidzo.dll
C:\WINDOWS\System32\cmd32.exe internat.dll
msconfg.exe
c:\documents and settings\amr\local settings\temp\fsg_4203.exe

FOLDERS (with all their content)

C:\Program Files\Common Files\GMT
C:\Program Files\Common Files\CMEII

Exit Explorer, and REBOOT BACK INTO NORMAL MODE

Finally, RUN HijackThis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.

Regards,

Trevuren

  • 0
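
Added example, not part of the thread and not HijackThis code: a small Python parser for the log format shown above. It splits each entry into its section code and body, groups the O17 entries by NameServer value, and checks whether any fix-list entry shows up again in a later log. The fix-list lines are excerpted from post #2; the follow-up log is constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Entry format: "<code> - <body>", e.g. "O4 - HKLM\..\Run: [name] path"
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# O17 body: "<hive path>\..\{interface GUID}: NameServer = a,b" (comma- or space-separated)
O17 = re.compile(r"\\(\{[0-9A-Fa-f-]+\}): NameServer = (.+)$")

def parse_entries(text):
    """Return [(code, body)] for each line shaped like a HijackThis entry."""
    matches = (ENTRY.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def nameservers_by_set(entries):
    """Map each tuple of DNS servers to the set of interface GUIDs using it."""
    groups = defaultdict(set)
    for code, body in entries:
        m = O17.search(body) if code == "O17" else None
        if m:
            servers = tuple(s for s in re.split(r"[,\s]+", m.group(2)) if s)
            groups[servers].add(m.group(1))
    return dict(groups)

def still_present(fix_list, followup_log):
    """Fix-list entries that appear again in a later log (the fix did not hold)."""
    later = set(parse_entries(followup_log))
    return [e for e in parse_entries(fix_list) if e in later]

# Excerpt of the fix list from post #2.
FIX_LIST = r"""
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{01A1B166-0D6E-44F7-BE75-D0E39C154969}: NameServer = 69.50.184.84,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{12F820C2-DD83-4E87-BA85-9BFA0799F483}: NameServer = 69.50.184.84,195.225.176.37
"""
# Constructed follow-up log (not from the thread): one Run value has come back.
FOLLOWUP = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB424F77-B64D-4872-B97C-5CBA7BCE9101}: NameServer = 213.208.106.213 213.208.106.212
"""

if __name__ == "__main__":
    combined = parse_entries(FIX_LIST + FOLLOWUP)
    for servers, guids in nameservers_by_set(combined).items():
        print(servers, "->", len(guids), "interface(s)")
    for code, body in still_present(FIX_LIST, FOLLOWUP):
        print("still present:", code, body)
```
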





