Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

ad-aware will not finish


  • Please log in to reply

#1
awana4me

awana4me

    New Member

  • Member
  • Pip
  • 1 posts
enclosed is my hijack. Logfile of HijackThis v1.98.2
Scan saved at 10:54:13 AM, on 9/28/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Toshiba\ivp\ISM\pinger.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\PROGRA~1\EzButton\CPATR10.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\CePMTray.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\System32\Odktq.exe
C:\WINDOWS\System32\Odktq.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Documents and Settings\Melvina\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50171
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50171
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://login.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [Pinger] C:\Toshiba\ivp\ISM\pinger.exe /run
O4 - HKLM\..\Run: [CeEKey.exe] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CPATR10] C:\PROGRA~1\EzButton\CPATR10.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKLM\..\Run: [U7fq] C:\documents and settings\dale piper\local settings\temp\U7fq.exe
O4 - HKLM\..\Run: [Ed37fdY] C:\documents and settings\dale piper\local settings\temp\Ed37fdY.exe
O4 - HKLM\..\Run: [2ZQLKP#2WLSCTL] C:\WINDOWS\System32\XdlD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [Cy9Jp] C:\documents and settings\dale piper\local settings\temp\Cy9Jp.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti32.exe
O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKCU\..\Run: [Microsoft Update Configuration] WIN32SNC.exe
O4 - HKCU\..\Run: [SMS Server] smsserv.exe
O4 - HKCU\..\Run: [Microsoft IT Update] win43.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5....m/c381/chat.cab
O16 - DPF: Yahoo! Trivia - http://download.game...ts/y/tvt0_x.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldw...0/pool/pool.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.reds...rsinstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39C99EF7-9DE9-4E9E-BAF7-C8AAEA4826B4}: NameServer = 209.43.20.115 206.246.180.200
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)

I hope you can help. I have tried everything I know to do. I have run spybot and even went in and changed the settings on ad-aware to just scan certain areas. It still said "busy" I let it stand for at least an half hour hopping that it would start back up. No luck. I did get rid of a bunch of spyware and a trojan that was sending me to a certain page each time I boot.

THANKS FOR THE HELP
<_<
  • 0

Advertisements


#2
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
You have malware we need to fix, but first you need to apply Windows Critical updates. Without critical updates, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://windowsupdate.microsoft.com/
-or-
Order if you're on dial-up, order a free CD here:
http://www.microsoft...default810.mspx

Please download everything except SP2. Microsoft has indicated that malware must be cleaned up before downloading SP2.

After you download the updates, post a loag and we'll be glad to help you out. <_<
  • 0

#3
char12

char12

    Member

  • Member
  • PipPip
  • 43 posts
Enclosed is a new hijack. I have downloaded all of the microsoft downloads except pk2.
Logfile of HijackThis v1.98.2
Scan saved at 8:05:56 PM, on 9/29/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Toshiba\ivp\ISM\pinger.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\PROGRA~1\EzButton\CPATR10.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\CePMTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\PROGRA~1\Toolbar\PIB.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\System32\Odktq.exe
C:\WINDOWS\System32\Uit9952.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\cidaemon.exe
C:\Documents and Settings\Dale Piper\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50171
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://klove.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50171
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50171
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [Pinger] C:\Toshiba\ivp\ISM\pinger.exe /run
O4 - HKLM\..\Run: [CeEKey.exe] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CPATR10] C:\PROGRA~1\EzButton\CPATR10.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKLM\..\Run: [U7fq] C:\documents and settings\dale piper\local settings\temp\U7fq.exe
O4 - HKLM\..\Run: [Ed37fdY] C:\documents and settings\dale piper\local settings\temp\Ed37fdY.exe
O4 - HKLM\..\Run: [2ZQLKP#2WLSCTL] C:\WINDOWS\System32\HuoTdA.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [Cy9Jp] C:\documents and settings\dale piper\local settings\temp\Cy9Jp.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti32.exe
O4 - HKCU\..\Run: [Microsoft Update Configuration] WIN32SNC.exe
O4 - HKCU\..\Run: [SMS Server] smsserv.exe
O4 - HKCU\..\Run: [Microsoft IT Update] win43.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5....m/c381/chat.cab
O16 - DPF: Yahoo! Trivia - http://download.game...ts/y/tvt0_x.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldw...0/pool/pool.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1096468082849
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.reds...rsinstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39C99EF7-9DE9-4E9E-BAF7-C8AAEA4826B4}: NameServer = 209.43.20.115 206.246.180.200
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll

Thanks for the help.
Char <_<
  • 0

#4
char12

char12

    Member

  • Member
  • PipPip
  • 43 posts
jusst wanted to let you know that char12 and awana4me are the same person. I was having trouble and made a new account. Admin is working on getting me back onto my old account char12.

Again thanks for the help!!!!!!!!!!!!!!!!!!!!!
  • 0

#5
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Correct me if I'm wrong, but It doesn't show that you have service pack 1. Without at least service pack 1 and all updates we cannot give you any effective help, because you will be infected again almost immediately. To check to see if you have service pack 1 go to control panel, click performance and maintenance, system, and on the General Tab it should say something like this

System:

Microsoft Windows XP
Professional or Home
Version 2002 (or whatever version you have)
Service Pack 1

Until it says Service Pack 1 we can't give you the proper help that you need.

-=jonnyrotten=- <_<
  • 0

#6
char12

char12

    Member

  • Member
  • PipPip
  • 43 posts
Johnny,
Thanks for pointing out that I didn't have the xp pack 1 thought I had download. I know downloaded a bunch of stuff that day.

Here is my new hijack
Logfile of HijackThis v1.98.2
Scan saved at 2:54:44 PM, on 9/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Toshiba\ivp\ISM\pinger.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\PROGRA~1\EzButton\CPATR10.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\CePMTray.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\cidaemon.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\System32\Uit9952.exe
C:\WINDOWS\System32\Odktq.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Dale Piper\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50171
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://klove.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50171
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50171
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [Pinger] C:\Toshiba\ivp\ISM\pinger.exe /run
O4 - HKLM\..\Run: [CeEKey.exe] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CPATR10] C:\PROGRA~1\EzButton\CPATR10.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [ABBYY Community Agent] C:\Program Files\ABBYY FineReader 5.0 Sprint\CAgent.exe
O4 - HKLM\..\Run: [U7fq] C:\documents and settings\dale piper\local settings\temp\U7fq.exe
O4 - HKLM\..\Run: [Ed37fdY] C:\documents and settings\dale piper\local settings\temp\Ed37fdY.exe
O4 - HKLM\..\Run: [2ZQLKP#2WLSCTL] C:\WINDOWS\System32\XdlD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [Cy9Jp] C:\documents and settings\dale piper\local settings\temp\Cy9Jp.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti32.exe
O4 - HKCU\..\Run: [Microsoft Update Configuration] WIN32SNC.exe
O4 - HKCU\..\Run: [SMS Server] smsserv.exe
O4 - HKCU\..\Run: [Microsoft IT Update] win43.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5....m/c381/chat.cab
O16 - DPF: Yahoo! Trivia - http://download.game...ts/y/tvt0_x.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldw...0/pool/pool.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1096468082849
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.reds...rsinstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39C99EF7-9DE9-4E9E-BAF7-C8AAEA4826B4}: NameServer = 209.43.20.115 206.246.180.200
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll

I think I see what I need to take off, but want tp make sure I am right. As you can see I am joining the fight against spyware <_<
  • 0

#7
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Hey Char12. Thanks for taking care of the updates.

I want you to do three things before we start cleaning this up. And we will get it done. <_<

Uninstall WebSearch Toolbar from "Add/Remove Programs" in the Windows® Control Panel.

Please run a free online virus scan here (tick the "Auto Clean" checkbox):
http://housecall.antivirus.com/

And a free trojan scan here:
http://www.moosoft.com/


Please delete your temporary files. Double Click My Computer (WinXP: Navigate to Start --->My Computer)
You will see an icon representing your harddrive (most likely C: Drive) Right Click on the hard drive icon and click Properties at the
bottom of the fly out window. One the very first tab (General) you will see a button labeled "Disk Cleanup"...click that button.
Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files and
Recycle Bin


See if you can run adaware.

Reboot and post a fresh log.

Edited by coachwife6, 30 September 2004 - 07:55 PM.

  • 0

#8
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
First use AdAware and Spybot S&D.

Copy Hijack This to a permanent folder. Scan, and place a check in the boxes next to the following lines.

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...aspx?tb_id=5017
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50171
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50171
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)

O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

O4 - HKLM\..\Run: [U7fq] C:\documents and settings\dale piper\local settings\temp\U7fq.exe
O4 - HKLM\..\Run: [Ed37fdY] C:\documents and settings\dale piper\local settings\temp\Ed37fdY.exe
O4 - HKLM\..\Run: [2ZQLKP#2WLSCTL] C:\WINDOWS\System32\XdlD.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [Cy9Jp] C:\documents and settings\dale piper\local settings\temp\Cy9Jp.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKCU\..\Run: [Microsoft Restore] scrgrd.exe
O4 - HKCU\..\Run: [Microsoft AUT Update] MSlti32.exe
O4 - HKCU\..\Run: [Microsoft Update Configuration] WIN32SNC.exe
O4 - HKCU\..\Run: [SMS Server] smsserv.exe
O4 - HKCU\..\Run: [Microsoft IT Update] win43.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.reds...rsinstaller.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{39C99EF7-9DE9-4E9E-BAF7-C8AAEA4826B4}: NameServer = 209.43.20.115 206.246.180.200

O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll

Reboot in safe mode, and make sure you can view hidden files and delete the following files found in bold.

C:\WINDOWS\System32\PackethSvc.exe Not sure about this one I'd check with Admin first before deleting it.

C:\Program Files\Common Files\WinTools
C:\PROGRA~1\Toolbar
C:\PROGRA~1\Web Offer
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\System32\Uit9952.exe
C:\WINDOWS\System32\Odktq.exe
C:\documents and settings\dale piper\local settings\temp\U7fq.exe
C:\documents and settings\dale piper\local settings\temp\Ed37fdY.exe
C:\WINDOWS\System32\XdlD.exe
C:\documents and settings\dale piper\local settings\temp\Cy9Jp.exe
C:\Program Files\Common Files\WinTools
wuam.exe search for this one
scrgrd.exe and this one
win43.exe and this one
C:\PROGRA~1\Web Offer
C:\WINDOWS\System32\ms.exe Not sure about this one

Sometimes I like to delete these files first in safe mode and then remove the entries with Hijack This. Or just do it in normal order and when you are done, do it all again.

Reset your host file. Click Here to download HostsFileReader. To reset the host file to default, simply open the program, click the "reset default" button, and confirm the changes.

I also saw a bunch of Yahoo stuff in there that wouldn't hurt to remove, but that's up to you. I'd ask admin with any questions about those iffy files. After this you should be pretty close to "Clean".
<_<
Welcome aboard, you have questions just ask. :D :P

-=jonnyrotten=- :D
  • 0

#9
char12

char12

    Member

  • Member
  • PipPip
  • 43 posts
well I did what you asked and am now getting an error <windows root>\system32\hal.dil. is missing or corrupt. Found 10 trojans and may forms of adware and spyware before this happened. Is there a way to get this file back. I can't even get it into safe mode to do my norton go back. :D :D :P
char12 <_<
  • 0

#10
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts

<windows root>\system32\hal.dil

Did you mean hal.dll?

Maybe it got deleted in one of the scans. If hal.dll is the file that you mean is missing, I have good news. Go here
http://www.dll-files...files.shtml?hal you can download it, extract it from the .zip file and put it back in the correct directory.

-=jonnyrotten=- <_<
  • 0

#11
char12

char12

    Member

  • Member
  • PipPip
  • 43 posts
johnny,
I was unable to unzip the file after I got it. Any ideas. I downloaded winzip 9.0. It says that it is unzipped, but when I try and open it wants to go to the source.
char12
  • 0

#12
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
I suggest downloading the zip file to the desktop, and double clicking it. Winzip should open, the click extract. Extract it to the desktop for easier access. Next open the folder %systemroot%\system32 and then drag hal.dll from the desktop into the system32 window and drop it there.

-=jonnyrotten=-
  • 0

#13
-=jonnyrotten=-

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
You might be able to replace/fix the file by clicking start, run and type sfc.exe /scannow Make sure your windows installation disk is in the drive and let the scan work it's magic.

-=jonnyrotten=- <_<
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP