Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Virus http://a-search.biz/?wmd=1010 [merged]

Started by Chase , Sep 28 2004 10:02 PM

  • Please log in to reply

#1
Chase
Posted 28 September 2004 - 10:02 PM

Chase

    New Member

  • Member
  • Pip
  • 7 posts
Any assistance in helping me rid my pc of this annoying thing would be greatly appreciated.

Cheers
PC <_<

Logfile of HijackThis v1.97.7
Scan saved at 1:53:27 PM, on 9/29/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\cqginsts.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Omega Research\Program\orschd.exe
C:\Program Files\Omega Research\Program\orschd.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lquay.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-A1E4-EA6FA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrscuz3.dll (file missing)
O3 - Toolbar: ninemsn Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Dimension4] C:\Program Files\D4\D4.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Omega Research Task Scheduler.lnk = C:\Program Files\Omega Research\Program\orschd.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Omega Research Task Scheduler.lnk = C:\Program Files\Omega Research\Program\orschd.exe
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\AdShield\AdShield\maintain.htm
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\AdShield\AdShield\suppress.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\AdShield\AdShield\settings.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: iress.com.au
O15 - Trusted Zone: web.iress.com.au
O16 - DPF: webiress - http://web.iress.com...ess-0_8_3_4.cab
O16 - DPF: {15A02B79-60BB-42B8-814E-BF8364106B9E} (Pco3 Window (Commsec) Control) - http://images.commse...o3X_Commsec.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8123.5483680556
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97706EED-DE0B-4181-987A-1F59727905EC}: NameServer = 61.8.0.113 210.23.129.34
  • 0

Advertisements

#2
-=jonnyrotten=-
Posted 28 September 2004 - 10:18 PM

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - (no file)

O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-A1E4-EA6FA787AD2D} -

O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-A1E4-EA6FA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrscuz3.dll (file missing)

O17 -
HKLM\System\CCS\Services\Tcpip\..\{97706EED-DE0B-4181-987A-1F59727905EC}: NameServer = 61.8.0.113 210.23.129.34
I think this might be your culprit.

Please reboot into safe mode - How do I boot into "Safe" mode?.
Be sure you're able to view hidden files, and remove the following files in bold (if found):

C:\PROGRA~1\POWERS~1\Toolbar\pwrscuz3.dll (file missing) Delete the whole toolbar folder.

Reboot normally. Please do not connect to the internet at all during any of these processes. Next step is going to be the important one for you. You need to reset your host file because it was hijacked.

Reset your host file. Click Here to download HostsFileReader. To reset the host file to default, simply open the program, click the "reset default" button, and confirm the changes.

Rescan with Hijack this and post new log. You should be clean.

-=jonnyrotten=- <_<

I just noticed that the Host File link doesn't work, I will find out the problem and post new link.
  • 0

#3
Chase
Posted 03 October 2004 - 08:39 PM

Chase

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
G`Day Mate,

Appologies for not getting back to you. You helped me with my log, and I read that you were looking for something else and would get back. I followed your instructions but could not find the hidden file that you mentioned. Mate any help in ridding my machine of this pesty virus would be greatly appreciated. I will post my log again.

Cheers
PC


Logfile of HijackThis v1.97.7
Scan saved at 12:39:00 PM, on 10/4/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\cqginsts.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Omega Research\Program\orschd.exe
C:\Program Files\Omega Research\Program\orschd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lquay.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ninemsn Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Dimension4] C:\Program Files\D4\D4.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Omega Research Task Scheduler.lnk = C:\Program Files\Omega Research\Program\orschd.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Omega Research Task Scheduler.lnk = C:\Program Files\Omega Research\Program\orschd.exe
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\AdShield\AdShield\maintain.htm
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\AdShield\AdShield\suppress.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\AdShield\AdShield\settings.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: iress.com.au
O15 - Trusted Zone: web.iress.com.au
O16 - DPF: webiress - http://web.iress.com...ess-0_8_3_4.cab
O16 - DPF: {15A02B79-60BB-42B8-814E-BF8364106B9E} (Pco3 Window (Commsec) Control) - http://images.commse...o3X_Commsec.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8123.5483680556
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97706EED-DE0B-4181-987A-1F59727905EC}: NameServer = 61.8.0.113 210.23.129.34
  • 0

#4
admin
Posted 03 October 2004 - 09:07 PM

admin

    Founder Geek

  • Administrator
  • 24,535 posts
Please run a free online virus scan here (tick the "Auto Clean" checkbox):
http://housecall.antivirus.com/

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, be sure to also select delete all offline content.

Reboot your PC, and let us know how your system's working. <_<
  • 0

#5
Chase
Posted 05 October 2004 - 10:45 PM

Chase

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts

Please run a free online virus scan here (tick the "Auto Clean" checkbox):
http://housecall.antivirus.com/

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, be sure to also select delete all offline content.

Reboot your PC, and let us know how your system's working. <_<

View Post



Thankyou for your reply,

I followed your instructions with no joy. This virus is a persistant little cougar. If you have the patience to help me with this I will be truly grateful.

Cheers
Peter C
  • 0

#6
admin
Posted 05 October 2004 - 11:13 PM

admin

    Founder Geek

  • Administrator
  • 24,535 posts
1. Click on start, then run, and type services.msc and press the OK button. Look for Plug and Play svc service.

If this service exists proceed to the next step.

2. Download and install the program Registry Lite from here:

http://www.geekstogo...=download&id=29

Once it is installed, please double click on the icon that should now be on your desktop. If an icon is not there, then check under programs portion of the Start Menu.

Once it is opened, copy and paste the below line, into the address field of Registrar Lite.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pnpsvc\Parameters\\ServiceDll

And press enter. You will now be presented with new information in the right and left sections of the program. In the right section you should see the ServiceDll value highlighted. Double-click on it and write down the name of the dll found there. This is the infection we need to remove.

3. Start Hijackthis and when it opens, click on Config then click on Misc Tools. Once at the new screen click on the "Delete a file on reboot" button. You will be presented with a dialog asking you to pick a file. Copy and paste the full path and name of the DLL found in the previous step into the file name field and press the open button.

When Hijackthis prompts you to reboot, please do so.

When the computer is back to your desktop confirm that the file from the previous step no longer exists.

If it is no longer there then do the following:

Delete the file c:\windows\system32\pnpsvc.inf

Then launch Notepad, and copy and paste the contents of the quote box below into a new text file.

Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Control\SafeBoot\Minimal\pnpsvc]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Control\SafeBoot\Network\pnpsvc]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNPSVC]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PNPSVC]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PNPSVC]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\pnpsvc]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\pnpsvc]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet001\Services\EventLog\Application\PNPSVC]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PNPSVC]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\pnpsvc]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\pnpsvc]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet002\Services\EventLog\Application\PNPSVC]

Now double-click on the fixme.reg file you just saved and click on the Yes button when it asks if you would like to merge the information.

Next start registrar lite again and enter into the address field each of these addresses:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PNPSVC

At each location delete the highlighted LEGACY_PNPSVC. If you have trouble deleting one of these, right click on it, and click on the properties. Then click on the permissions button and make sure everyone or users has full control set. Then try to delete it again.

Do not delete any other entries at all.

When that is completed, Run HijackThis again and post a fresh log in this topic. We'll likely have a little more cleaning to do.
  • 0

#7
Chase
Posted 10 October 2004 - 03:08 AM

Chase

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thanks for you help with this [edited for language] virus.

I am having a slight problem with hijackThis. I am running version v1.97.7 and I am in the Misc Tools window, however I cannot find the button "Delete a file on reboot". I have followed the instructions you have given me so far and I know the name of the dll wher the virus is. Can you please be patient and guide me through this.

Regards
PC

[this is a family forum, accessible by all--kindly watch your language]

Edited by admin, 11 October 2004 - 09:03 AM.

  • 0

#8
coachwife6
Posted 10 October 2004 - 10:05 AM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
We need the newest version of HJThis.
  • 0

#9
Chase
Posted 11 October 2004 - 11:06 PM

Chase

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts

We need the newest version of HJThis.

View Post



G`Day Guys,

I have been trying to download a newer version of HijackThis 1.98.2,
however when I do download it I still get HijackThis v1.97.7. And on one download site I get a pop-up window saying "Your current settings do not allow this file to be downloaded". Do you know why I can`t download a newer version of HijackThis??

Regards
PC
  • 0

#10
-=jonnyrotten=-
Posted 11 October 2004 - 11:19 PM

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Delete the old version first. Then download the new one. <_<

-=jonnyrotten=- :D
  • 0

#11
Chase
Posted 14 October 2004 - 02:35 AM

Chase

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts

1. Click on start, then run, and type services.msc and press the OK button. Look for Plug and Play svc service.

If this service exists proceed to the next step.

2. Download and install the program Registry Lite from here:

http://www.geekstogo...=download&id=29

Once it is installed, please double click on the icon that should now be on your desktop. If an icon is not there, then check under programs portion of the Start Menu.

Once it is opened, copy and paste the below line, into the address field of Registrar Lite.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pnpsvc\Parameters\\ServiceDll

And press enter. You will now be presented with new information in the right and left sections of the program. In the right section you should see the ServiceDll value highlighted. Double-click on it and write down the name of the dll found there. This is the infection we need to remove.

3. Start Hijackthis and when it opens, click on Config then click on Misc Tools. Once at the new screen click on the "Delete a file on reboot" button. You will be presented with a dialog asking you to pick a file. Copy and paste the full path and name of the DLL found in the previous step into the file name field and press the open button.

When Hijackthis prompts you to reboot, please do so.

When the computer is back to your desktop confirm that the file from the previous step no longer exists.

If it is no longer there then do the following:

Delete the file c:\windows\system32\pnpsvc.inf

Then launch Notepad, and copy and paste the contents of the quote box below into a new text file.

Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Control\SafeBoot\Minimal\pnpsvc]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Control\SafeBoot\Network\pnpsvc]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNPSVC]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PNPSVC]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PNPSVC]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\pnpsvc]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\pnpsvc]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet001\Services\EventLog\Application\PNPSVC]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PNPSVC]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\pnpsvc]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\pnpsvc]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet002\Services\EventLog\Application\PNPSVC]

Now double-click on the fixme.reg file you just saved and click on the Yes button when it asks if you would like to merge the information.

Next start registrar lite again and enter into the address field each of these addresses:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PNPSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PNPSVC

At each location delete the highlighted LEGACY_PNPSVC. If you have trouble deleting one of these, right click on it, and click on the properties. Then click on the permissions button and make sure everyone or users has full control set. Then try to delete it again.

Do not delete any other entries at all.

When that is completed, Run HijackThis again and post a fresh log in this topic. We'll likely have a little more cleaning to do.

View Post




Cheers jonnyrotton,

I have managed to follow the instructions above and below is my new log as requested. Once again Thanks for your help you Guys are legends.

Regards
PC

Logfile of HijackThis v1.98.2
Scan saved at 6:34:13 PM, on 10/14/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\cqginsts.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Omega Research\Program\orschd.exe
C:\Program Files\Omega Research\Program\orschd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lquay.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ninemsn Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Dimension4] C:\Program Files\D4\D4.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Omega Research Task Scheduler.lnk = C:\Program Files\Omega Research\Program\orschd.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Omega Research Task Scheduler.lnk = C:\Program Files\Omega Research\Program\orschd.exe
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\AdShield\AdShield\maintain.htm
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\AdShield\AdShield\suppress.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\AdShield\AdShield\settings.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: iress.com.au
O15 - Trusted Zone: web.iress.com.au
O16 - DPF: webiress - http://web.iress.com...ess-0_8_3_4.cab
O16 - DPF: {15A02B79-60BB-42B8-814E-BF8364106B9E} (Pco3 Window (Commsec) Control) - http://images.commse...o3X_Commsec.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{97706EED-DE0B-4181-987A-1F59727905EC}: NameServer = 61.8.0.113 210.23.129.34
  • 0

#12
admin
Posted 14 October 2004 - 09:02 AM

admin

    Founder Geek

  • Administrator
  • 24,535 posts
Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
(optional, but will improve system performance)
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Congratulations! Your system is CLEAN <_<

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use) Click Here.

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox Posted Image.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats. :D
  • 0

#13
Chase
Posted 15 October 2004 - 12:19 AM

Chase

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
(optional, but will improve system performance)
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Congratulations! Your system is CLEAN <_<

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use) Click Here.

Prevent the installation of ActiveX-based spyware, adware, browser
hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox Posted Image.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats. :D

View Post





:D To The Staff & jonnyrotton,

You guys are absolute legends, my machine is working fine now and I have learnt a lot from you. I have recommended you Guys to everyone I know and will continue to do so. Have a Great rest of the year and Take it Easy.

Sincere Regards
PC :D :P :o
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Forum
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP