Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Need help asdjkhas! [RESOLVED]

Started by Jeeta , Jul 10 2005 08:41 PM

  • This topic is locked This topic is locked

#1
Jeeta
Posted 10 July 2005 - 08:41 PM

Jeeta

    Member

  • Member
  • PipPip
  • 27 posts
Hey everyone , i think i have a serious problem wit my computer and i dont know how to fix, so if anyone know heres my log that i scaned ;


Logfile of HijackThis v1.99.1
Scan saved at 10:22:49 PM, on 7/10/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\Micr0s0ft.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\system32\svcnt.exe
C:\WINDOWS\system32\d3gr32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\bpk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ltfil11n.exe
C:\WINDOWS\System32\ds16gt.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\crypt32.exe
C:\WINDOWS\System32\autodisc.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\DOCUME~1\AMARJI~1\LOCALS~1\Temp\XbEf8t.exe
C:\WINDOWS\System32\ipconfig.exe
C:\WINDOWS\addcn32.exe
C:\WINDOWS\wrtpal.exe
C:\hijackthis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocsv.dll/API32.htm#ID=347;065D
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [saap] c:\program files\180search\saap.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ProSiteFinder] C:\Program Files\ProSiteFinder\prositefinder.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\System32\pacis.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Update] Micr0s0ft.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [d3lw.exe] C:\WINDOWS\system32\d3lw.exe
O4 - HKLM\..\Run: [d3gr32.exe] C:\WINDOWS\system32\d3gr32.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [bpk] C:\WINDOWS\System32\bpk.exe
O4 - HKLM\..\Run: [bcDbE] C:\WINDOWS\wjrusuge.exe
O4 - HKLM\..\Run: [azqbmh] C:\WINDOWS\azqbmh.exe
O4 - HKLM\..\Run: [addtm32.exe] C:\WINDOWS\system32\addtm32.exe
O4 - HKLM\..\Run: [43sO33U] acthost.exe
O4 - HKLM\..\Run: [hTmErcpll] C:\WINDOWS\wrtpal.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Micr0s0ft.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [SYSfit] C:\WINDOWS\SYSfit.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [shimeng] C:\WINDOWS\System32\shimeng.exe
O4 - HKCU\..\Run: [qmgr] C:\WINDOWS\System32\qmgr.exe
O4 - HKCU\..\Run: [olecnv32] C:\WINDOWS\System32\olecnv32.exe
O4 - HKCU\..\Run: [oleaut32] C:\WINDOWS\System32\oleaut32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyStartUp] c:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ltimg11n] C:\WINDOWS\System32\ltimg11n.exe
O4 - HKCU\..\Run: [ltfil11n] C:\WINDOWS\System32\ltfil11n.exe
O4 - HKCU\..\Run: [lfeps11n] C:\WINDOWS\System32\lfeps11n.exe
O4 - HKCU\..\Run: [L03ERTYtQ] zipblb.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O4 - HKCU\..\Run: [ds16gt] C:\WINDOWS\System32\ds16gt.exe
O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe
O4 - HKCU\..\Run: [crypt32] C:\WINDOWS\System32\crypt32.exe
O4 - HKCU\..\Run: [autodisc] C:\WINDOWS\System32\autodisc.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Update] Micr0s0ft.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: LokiTorrent Toolbar - Search your seed! - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O9 - Extra 'Tools' menuitem: LokiTorrent Toolbar - Search your seed! - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E6F64B1-C984-4B27-ADE6-FE1A7C1BE98A}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{6792DEEA-7099-4C75-B9CA-063C9E291CB4}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABA3CCD6-8D2F-41CA-AF91-1D815E9F9A1F}: NameServer = 69.50.188.180,85.255.112.5
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Network Security Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\addcn32.exe
  • 0

Advertisements

#2
Jeeta
Posted 10 July 2005 - 08:43 PM

Jeeta

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
ohh yea i also get that backgound Ad thingy it say "Warning You're in danger......"
  • 0

#3
Trevuren
Posted 10 July 2005 - 08:53 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi jeeta and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

1. Go to Geeks to Go
. Click on My Controls at the top right hand corner of the window. (make sure you have signed in first)
. In the left hand column, click "View Topics"
. If you click on the title of your post, you will be taken there

2. Also, while at the My Controls page, check the box to the right of your post and then scroll down.
.Where it says "unsubscribe" click the pull-down menu and select "immediate email notification"

3. *We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time. DO NOT UPGRADE TO SP2 AT THIS TIME

*Click HEREfor the update.

*Apply the update, reboot, and post a fresh Hijack This log.

Regards,

Trevuren
  • 0

#4
Jeeta
Posted 10 July 2005 - 09:01 PM

Jeeta

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
hey Trevuren, thank for the relpy. Im installing the update now and as soon as it finshed i will post a new log
  • 0

#5
Jeeta
Posted 10 July 2005 - 09:25 PM

Jeeta

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Alright here we go:

Logfile of HijackThis v1.99.1
Scan saved at 11:24:19 PM, on 7/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\addcn32.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
c:\windows\system32\ncjgcq.exe
C:\WINDOWS\System32\Micr0s0ft.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\svcnt.exe
C:\WINDOWS\system32\d3gr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\WINDOWS\System32\bpk.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\shimeng.exe
C:\WINDOWS\System32\qmgr.exe
C:\WINDOWS\System32\olecnv32.exe
C:\WINDOWS\System32\oleaut32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ltimg11n.exe
C:\WINDOWS\System32\ltfil11n.exe
C:\WINDOWS\System32\lfeps11n.exe
C:\WINDOWS\System32\ds16gt.exe
C:\WINDOWS\System32\crypt32.exe
C:\WINDOWS\System32\autodisc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\hijackthis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://new-search.ne...?v=6&aff=845979
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocsv.dll/API32.htm#ID=347;065D
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ufgwm.dll
O2 - BHO: Class - {41DD4452-2D56-E935-6EE4-63B88255DB25} - C:\WINDOWS\syslx32.dll
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ufgwm.dll
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [saap] c:\program files\180search\saap.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ProSiteFinder] C:\Program Files\ProSiteFinder\prositefinder.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\System32\pacis.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Update] Micr0s0ft.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [hTmErcpll] C:\WINDOWS\wrtpal.exe
O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [d3lw.exe] C:\WINDOWS\system32\d3lw.exe
O4 - HKLM\..\Run: [d3gr32.exe] C:\WINDOWS\system32\d3gr32.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [bpk] C:\WINDOWS\System32\bpk.exe
O4 - HKLM\..\Run: [bcDbE] C:\WINDOWS\wjrusuge.exe
O4 - HKLM\..\Run: [azqbmh] C:\WINDOWS\azqbmh.exe
O4 - HKLM\..\Run: [addtm32.exe] C:\WINDOWS\system32\addtm32.exe
O4 - HKLM\..\Run: [43sO33U] acthost.exe
O4 - HKLM\..\Run: [xnkoxp] c:\windows\system32\ncjgcq.exe r
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [panel_its] sbin.exe
O4 - HKLM\..\Run: [Trayz] forces_elite.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Micr0s0ft.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [SYSfit] C:\WINDOWS\SYSfit.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [shimeng] C:\WINDOWS\System32\shimeng.exe
O4 - HKCU\..\Run: [qmgr] C:\WINDOWS\System32\qmgr.exe
O4 - HKCU\..\Run: [olecnv32] C:\WINDOWS\System32\olecnv32.exe
O4 - HKCU\..\Run: [oleaut32] C:\WINDOWS\System32\oleaut32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyStartUp] c:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ltimg11n] C:\WINDOWS\System32\ltimg11n.exe
O4 - HKCU\..\Run: [ltfil11n] C:\WINDOWS\System32\ltfil11n.exe
O4 - HKCU\..\Run: [lfeps11n] C:\WINDOWS\System32\lfeps11n.exe
O4 - HKCU\..\Run: [L03ERTYtQ] zipblb.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O4 - HKCU\..\Run: [ds16gt] C:\WINDOWS\System32\ds16gt.exe
O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe
O4 - HKCU\..\Run: [crypt32] C:\WINDOWS\System32\crypt32.exe
O4 - HKCU\..\Run: [autodisc] C:\WINDOWS\System32\autodisc.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [Microsoft Update] Micr0s0ft.exe
O4 - HKCU\..\Run: [Testimonials] NopeZ.exe
O4 - HKCU\..\Run: [AliceSD] Testimonials.exe
O4 - HKCU\..\Run: [Bogobot] Bogobot.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: LokiTorrent Toolbar - Search your seed! - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O9 - Extra 'Tools' menuitem: LokiTorrent Toolbar - Search your seed! - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)
O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E6F64B1-C984-4B27-ADE6-FE1A7C1BE98A}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{6792DEEA-7099-4C75-B9CA-063C9E291CB4}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABA3CCD6-8D2F-41CA-AF91-1D815E9F9A1F}: NameServer = 69.50.188.180,85.255.112.5
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Network Security Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\addcn32.exe
  • 0

#6
Trevuren
Posted 10 July 2005 - 09:52 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Please download and install these programs - DON'T RUN THEM YET!!
  • Please download and unzip About:Buster to a folder on your Desktop. Inside the folder is a readme file that has instructions on the use of the program.
    • AboutBuster MUST be updated before you use it.
    • Start AboutBuster, click the update button, check for update, drag the box to the side and hit download updates, close the box . Don't run it yet.
  • Please download and install AD-Aware.
    Check Here on how setup and use it - please make sure you update it first.

  • Download HSfix from HERE and unzip it to your desktop.


  • Download CW-Shredder at the link below:
    http://cwshredder.ne...CWSshtreder.exe

  • Open Windows Explorer & Go to Tools > Folder Options.
    • Click on the View tab and make sure that "Show hidden files and folders" is checked.
    • Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" .
    • Now click "Apply to all folders"
    • Click "Apply" then "OK"
  • For anyone using Windows XP, 'Search' will not automatically show hidden files even if your folder options settings are set to do that.
    Do this so you can see hidden files and folders - click HERE to download XPhidden.zip by David Higham. Extract xphidden.reg from the zip file and save it to the desktop. When done, double-click the xphidden.reg and when asked to merge say yes.
+++++++++++++++++++++++++++++++++++++++++++++++++

Here's the fix:


1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:

Service: Network Security Service (%AF夶À¨)
2. When you find it,
  • double-click on it.
  • In the next window that opens, click the Stop
    button
  • Then click on properties and under the General Tab
  • Change the Startup Type to Disabled.
  • Now hit Apply and then Ok and close any open windows.
If you don´t find this service listed go ahead with the next steps.

3. Reboot into SafeMode. <---MAKE SURE YOU KNOW HOW TO DO THIS!!

4. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for:

C:\WINDOWS\System32\Micr0s0ft.exe
C:\WINDOWS\system32\svcnt.exe
C:\WINDOWS\system32\d3gr32.exe
C:\WINDOWS\System32\ltfil11n.exe
C:\WINDOWS\System32\ds16gt.exe
C:\WINDOWS\System32\crypt32.exe
C:\WINDOWS\System32\autodisc.exe
C:\DOCUME~1\AMARJI~1\LOCALS~1\Temp\XbEf8t.exe
C:\WINDOWS\System32\ipconfig.exe
C:\WINDOWS\addcn32.exe
C:\WINDOWS\wrtpal.exe

If you find the files, highlight them, and then click End Process => Exit the Task Manager.


5. CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocsv.dll/API32.htm#ID=347;065D
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [saap] c:\program files\180search\saap.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\System32\pacis.exe
O4 - HKLM\..\Run: [Microsoft Update] Micr0s0ft.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [d3lw.exe] C:\WINDOWS\system32\d3lw.exe
O4 - HKLM\..\Run: [d3gr32.exe] C:\WINDOWS\system32\d3gr32.exe
O4 - HKLM\..\Run: [bcDbE] C:\WINDOWS\wjrusuge.exe
O4 - HKLM\..\Run: [azqbmh] C:\WINDOWS\azqbmh.exe
O4 - HKLM\..\Run: [addtm32.exe] C:\WINDOWS\system32\addtm32.exe
O4 - HKLM\..\Run: [43sO33U] acthost.exe
O4 - HKLM\..\Run: [hTmErcpll] C:\WINDOWS\wrtpal.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Micr0s0ft.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [SYSfit] C:\WINDOWS\SYSfit.exe
O4 - HKCU\..\Run: [shimeng] C:\WINDOWS\System32\shimeng.exe
O4 - HKCU\..\Run: [qmgr] C:\WINDOWS\System32\qmgr.exe
O4 - HKCU\..\Run: [olecnv32] C:\WINDOWS\System32\olecnv32.exe
O4 - HKCU\..\Run: [oleaut32] C:\WINDOWS\System32\oleaut32.exe
O4 - HKCU\..\Run: [ltimg11n] C:\WINDOWS\System32\ltimg11n.exe
O4 - HKCU\..\Run: [ltfil11n] C:\WINDOWS\System32\ltfil11n.exe
O4 - HKCU\..\Run: [lfeps11n] C:\WINDOWS\System32\lfeps11n.exe
O4 - HKCU\..\Run: [L03ERTYtQ] zipblb.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O4 - HKCU\..\Run: [ds16gt] C:\WINDOWS\System32\ds16gt.exe
O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe
O4 - HKCU\..\Run: [crypt32] C:\WINDOWS\System32\crypt32.exe
O4 - HKCU\..\Run: [autodisc] C:\WINDOWS\System32\autodisc.exe
O4 - HKCU\..\Run: [Microsoft Update] Micr0s0ft.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E6F64B1-C984-4B27-ADE6-FE1A7C1BE98A}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{6792DEEA-7099-4C75-B9CA-063C9E291CB4}: NameServer = 69.50.188.180,85.255.112.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{ABA3CCD6-8D2F-41CA-AF91-1D815E9F9A1F}: NameServer = 69.50.188.180,85.255.112.5
O23 - Service: Network Security Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\addcn32.exe

6. Delete the following files/folders (with all their content) if present:

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.

C:\WINDOWS\System32\Micr0s0ft.exe
C:\WINDOWS\system32\svcnt.exe
C:\WINDOWS\system32\d3gr32.exe
C:\WINDOWS\System32\ltfil11n.exe
C:\WINDOWS\System32\ds16gt.exe
C:\WINDOWS\System32\crypt32.exe
C:\WINDOWS\System32\autodisc.exe
C:\DOCUME~1\AMARJI~1\LOCALS~1\Temp\XbEf8t.exe
C:\WINDOWS\System32\ipconfig.exe
C:\WINDOWS\addcn32.exe
C:\WINDOWS\wrtpal.exe
C:\WINDOWS\system32\shdocsv.dll
C:\WINDOWS\System32\wintask.exe
C:\Program Files\Windows TaskAd<====Folder
C:\Program Files\Viewpoint<===Folder
C:\PROGRAM FILES\COMMON FILES\tsa<===Folder
C:\WINDOWS\System32\systime.exe
C:\Program Files\Spyware Stormer<===Folder
c:\program files\180solutions<---Folder
C:\WINDOWS\System32\pacis.exe
C:\Program Files\Media Access<===Folder
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\system32\d3lw.exe
C:\WINDOWS\wjrusuge.exe
C:\WINDOWS\azqbmh.exe
C:\WINDOWS\system32\addtm32.exe
acthost.exe<=====You will have to search for this one.
C:\WINDOWS\SYSfit.exe
C:\WINDOWS\System32\shimeng.exe
C:\WINDOWS\System32\qmgr.exe
C:\WINDOWS\System32\olecnv32.exe
C:\WINDOWS\System32\oleaut32.exe
C:\WINDOWS\System32\ltimg11n.exe
C:\WINDOWS\System32\lfeps11n.exe
zipblb.exe<=====You will have to search for this one.
C:\WINDOWS\System32\hookdump.exe
C:\Program Files\DR_S<===Folder

(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)

7. Run AboutBuster . This will scan your computer for the bad files and delete them. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

8. Scan with AdAware and let it remove any bad files found.

9. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:
  • Temporary Files
  • Temporary Internet Files
  • Recycle Bin


10. Double click on the cwsserviceremove and when asked to merge say yes.

11. Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

12. Reboot into normal mode.

13. Download the Hoster from here http://members.aol.c...bee/hoster.zip. Press "Restore Original Hosts" and press "OK". Exit Program.

14. Download and run this online virus scan:
http://housecall.tre.../start_corp.asp
Make sure you check "AutoClean"

15. Reboot and post a fresh Hijack This log for review.

Regards,

Trevuren
  • 0

#7
Jeeta
Posted 10 July 2005 - 10:10 PM

Jeeta

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Ok i got a question, you told me to

"1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:

Service: Network Security Service (%AF夶À¨) "

and i did that but i cant find Network Security Service


OOOP im so dumb sry about that LOL...i didnt read the next line

Edited by Jeeta, 10 July 2005 - 10:13 PM.

  • 0

#8
Jeeta
Posted 11 July 2005 - 09:35 AM

Jeeta

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
WOW that was a lot of work, ok first i couldnt find some of these files or delete some here they are :

C:\WINDOWS\System32\crypt32.exe<<< couldnt delete
C:\DOCUME~1\AMARJI~1\LOCALS~1\Temp\XbEf8t.exe
C:\WINDOWS\wrtpal.exe
C:\WINDOWS\System32\wintask.exe
C:\Program Files\Windows TaskAd<====Folder
C:\WINDOWS\System32\systime.exe
c:\program files\180solutions<---Folder
C:\WINDOWS\System32\pacis.exe
C:\Program Files\Media Access<===Folder
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\system32\d3lw.exe
C:\WINDOWS\wjrusuge.exe
C:\WINDOWS\azqbmh.exe
C:\WINDOWS\system32\addtm32.exe
acthost.exe<=====You will have to search for this one.
C:\WINDOWS\SYSfit.exe
olecnv32.dll<< couldnt delete
oleaut32.dll<< couldnt delete
C:\WINDOWS\System32\ltimg11n.exe
C:\WINDOWS\System32\hookdump.exe
zipblb.exe<=====You will have to search for this one.
C:\Program Files\DR_S<===Folder

Second is what was cwsserviceremove, did u tell me to download that?

Thrid you told me Download the Hoster from here http://members.aol.c...dbee/hoster.zip But the site didnt work... lol

And Lastly you told me to scan my computer here http://housecall.tre.../start_corp.asp But i get this error msg that say "Internet Explorer has encountered a problem and needs to close. We are sorry for the inconvenience."

I tryed my best to do everything u said in order but still nothiing still seems right now my backgound is white and it keeps flashing . Also i have to programs in my task manger that i cant get rid of. One of them change name everytime i end prcess(ex. ishdjd.exe, cjhdu.exe.....) it and the other is crbm.exe

hopfully i will get this all Thx

-jeeta
  • 0

#9
Jeeta
Posted 11 July 2005 - 09:38 AM

Jeeta

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
oh heres is my log for now:

Logfile of HijackThis v1.99.1
Scan saved at 11:36:42 AM, on 7/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\crbm.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
c:\windows\system32\fvfwcd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\mfcrh32.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\svcproc.exe
C:\hijackthis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\fadim.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fadim.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\fadim.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\fadim.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fadim.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\fadim.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\fadim.dll/sp.html#12345
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Class - {A25ADC40-47E5-9411-31BF-C1A2EDCDED8D} - C:\WINDOWS\system32\iphx32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ProSiteFinder] C:\Program Files\ProSiteFinder\prositefinder.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [panel_its] sbin.exe
O4 - HKLM\..\Run: [Trayz] forces_elite.exe
O4 - HKLM\..\Run: [mfcrh32.exe] C:\WINDOWS\mfcrh32.exe
O4 - HKLM\..\Run: [nwzgts] c:\windows\system32\fvfwcd.exe r
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyStartUp] c:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [Testimonials] NopeZ.exe
O4 - HKCU\..\Run: [AliceSD] Testimonials.exe
O4 - HKCU\..\Run: [Bogobot] Bogobot.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: LokiTorrent Toolbar - Search your seed! - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O9 - Extra 'Tools' menuitem: LokiTorrent Toolbar - Search your seed! - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)
O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\crbm.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

and this is from AboutBuster:

AboutBuster 5.0 reference file 30
Scan started on [7/11/2005] at [1:07:49 AM]
------------------------------------------------
Removed Stream! C:\WINDOWS\AWSHKWV.INI:odujut
Removed Stream! C:\WINDOWS\bootstat.dat:genpoe
Removed Stream! C:\WINDOWS\ntdtcsetup.log:cqesgv
Removed Stream! C:\WINDOWS\ocgen.log:mqwxiy
Removed Stream! C:\WINDOWS\ocmsn.log:ppxvbc
Removed Stream! C:\WINDOWS\River Sumida.bmp:lzhvk
Removed Stream! C:\WINDOWS\setupact.log:wtwmom
Removed Stream! C:\WINDOWS\_default.pif:cpkgwl
Removed Stream! C:\WINDOWS\_default.pif:uiumzv
------------------------------------------------
Removed File! : C:\Windows\fadim.dll
Removed File! : C:\Windows\xvavp.dll
Removed File! : C:\Windows\zaynx.dat
Removed File! : C:\Windows\System32\bjbwk.dll
Removed File! : C:\Windows\System32\kvkao.dll
Removed File! : C:\Windows\System32\mfhyo.dat
Removed File! : C:\Windows\System32\rhatd.dll
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 1:08:53 AM
  • 0

#10
Trevuren
Posted 11 July 2005 - 03:27 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Please download and install these programs - DON'T RUN THEM YET!!
  • Please download and unzip About:Buster to a folder on your Desktop. Inside the folder is a readme file that has instructions on the use of the program.
    • AboutBuster MUST be updated before you use it.
    • Start AboutBuster, click the update button, check for update, drag the box to the side and hit download updates, close the box . Don't run it yet.
  • Please download and install AD-Aware.
    Check Here on how setup and use it - please make sure you update it first.

  • Download HSfix from HERE and unzip it to your desktop.


  • Download CW-Shredder at the link below:
    http://cwshredder.ne...CWSshtreder.exe

  • Open Windows Explorer & Go to Tools > Folder Options.
    • Click on the View tab and make sure that "Show hidden files and folders" is checked.
    • Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" .
    • Now click "Apply to all folders"
    • Click "Apply" then "OK"
  • For anyone using Windows XP, 'Search' will not automatically show hidden files even if your folder options settings are set to do that.
    Do this so you can see hidden files and folders - click HERE to download XPhidden.zip by David Higham. Extract xphidden.reg from the zip file and save it to the desktop. When done, double-click the xphidden.reg and when asked to merge say yes.
+++++++++++++++++++++++++++++++++++++++++++++++++

Here's the fix:


1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok. Click on the Extended Tab.

Scroll down and find the service called:

Network Security Service

2. When you find it,
  • double-click on it.
  • In the next window that opens, click the Stop
    button
  • Then click on properties and under the General Tab
  • Change the Startup Type to Disabled.
  • Now hit Apply and then Ok and close any open windows.
If you don´t find this service listed go ahead with the next steps.

3. Reboot into SafeMode. <---MAKE SURE YOU KNOW HOW TO DO THIS!!

4. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for:

C:\WINDOWS\system32\crbm.exe
c:\windows\system32\fvfwcd.exe
C:\WINDOWS\mfcrh32.exe
C:\WINDOWS\svcproc.exe

If you find the files, highlight them, and then click End Process => Exit the Task Manager.


5. CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\fadim.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fadim.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\fadim.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\fadim.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fadim.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\fadim.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\fadim.dll/sp.html#12345
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Class - {A25ADC40-47E5-9411-31BF-C1A2EDCDED8D} - C:\WINDOWS\system32\iphx32.dll
O4 - HKLM\..\Run: [panel_its] sbin.exe
O4 - HKLM\..\Run: [Trayz] forces_elite.exe
O4 - HKLM\..\Run: [mfcrh32.exe] C:\WINDOWS\mfcrh32.exe
O4 - HKLM\..\Run: [nwzgts] c:\windows\system32\fvfwcd.exe r
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [Testimonials] NopeZ.exe
O4 - HKCU\..\Run: [AliceSD] Testimonials.exe
O4 - HKCU\..\Run: [Bogobot] Bogobot.exe
O9 - Extra button: LokiTorrent Toolbar - Search your seed! - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O9 - Extra 'Tools' menuitem: LokiTorrent Toolbar - Search your seed! - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)
O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (HKCU)
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\crbm.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


6. Delete the following files if present:

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.

C:\WINDOWS\system32\crbm.exe
c:\windows\system32\fvfwcd.exe
C:\WINDOWS\mfcrh32.exe
C:\WINDOWS\svcproc.exe
C:\WINDOWS\fadim.dll
C:\WINDOWS\Nail.exe
C:\WINDOWS\system32\iphx32.dll
C:\Program Files\WareOut<===Folder
sbin.exe<===You will have to search for the rest
forces_elite.exe
NopeZ.exe
Testimonials.exe
Bogobot.exe


(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)

7. Run AboutBuster . This will scan your computer for the bad files and delete them. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

8. Scan with AdAware and let it remove any bad files found.

9. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:
  • Temporary Files
  • Temporary Internet Files
  • Recycle Bin


10. Double click on the HSfix and when asked to merge say yes.

11. Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

12. Reboot into normal mode.

13. Download the Hoster from:HERE. Press "Restore Original Hosts" and press "OK". Exit Program.

14. Download and run this online virus scan:The site is often slow to appear)
http://housecall.tre.../start_corp.asp
Make sure you check "AutoClean"

If it says that you need to download an Active X element from their site, please do so. It is safe

15. Reboot and post a fresh Hijack This log for review.

Regards,

Trevuren

Edited by Trevuren, 11 July 2005 - 04:41 PM.

  • 0

Advertisements

#11
Jeeta
Posted 11 July 2005 - 04:08 PM

Jeeta

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
YES question where IS " cwsserviceremove"
  • 0

#12
Trevuren
Posted 11 July 2005 - 04:45 PM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
I have just edited the post to reflect the new name to the old fix.

If you still can't get Panda to work, download a free 30-day trial of Kaspersky Antivirus, HERE

. Install the program
. Run the definition update module.
. Scan your whole system and let the program remove anything it wants.
. When finished, REBOOT your system
. Post a fresh HJT log.

Regards,

Trevuren
  • 0

#13
Jeeta
Posted 12 July 2005 - 08:49 AM

Jeeta

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Yes, somethings are looking better, but i still dont have my backgound yet. I've everything you said and here the new log:

Logfile of HijackThis v1.99.1
Scan saved at 10:30:44 PM, on 7/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\hijackthis\hijackthis\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ProSiteFinder] C:\Program Files\ProSiteFinder\prositefinder.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyStartUp] c:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: LokiTorrent Toolbar - Search your seed! - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O9 - Extra 'Tools' menuitem: LokiTorrent Toolbar - Search your seed! - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
  • 0

#14
Trevuren
Posted 12 July 2005 - 10:10 AM

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. To disable SpySweeper:

Open it click >Options over to the left then >program options >Uncheck "load at windows startup".
Over to the left click "shields" and uncheck all there.
Uncheck "home page shield".
Uncheck 'automaticly restore default without notifiction

2. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

First we need to make all files and folders VISIBLE:

Go to start>control panel>folder options>view (tab)
*choose to "show hidden files and folders,"
*uncheck the "hide protected operating system files" and the "hide extensions for know file types" boxes.
*Close the window with ok
*All hidden files will now be visible

Please RUN HijackThis.
. Click the SCAN button to produce a log.

Place a check mark beside each one of the following item:

O4 - HKLM\..\Run: [ProSiteFinder] C:\Program Files\ProSiteFinder\prositefinder.exe

Now with the item selected, and all windows closed except for HJT, delete it by clicking the FIX checked button. Close the HijackThis window and Reboot Your System in Safe Mode

How to use the F8 method to Start Your Computer in Safe Mode

*Restart the computer.
*as soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
*Use the arrow keys to select the Safe mode menu item
*press Enter.


Using Windows Explorer, locate the following folder and DELETE it and all its content(if if it is still present:

C:\Program Files\ProSiteFinder

Exit Explorer, and REBOOT BACK INTO NORMAL MODE

Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everytjhing looks now.


3. Try this for your background:

Right click on http://www.greyknigh...pairDesktop.reg and download that file. Double click on it and click on Yes when it asks you if you want to merge it into the registry. Once that's done, restart your computer.

Login as usual and now right click on your Desktop and go to Properties. Next go to Desktop tab->Customize Desktop button->Web tab. Uncheck everything listed there. Then delete all the entries listed except for 'My Current Home Page'. Click OK and OK.

Please advise as to how system is running as well as condition of desktop.

Regards,

Trevuren
  • 0

#15
Jeeta
Posted 12 July 2005 - 11:40 AM

Jeeta

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
saldjhsa!!! i think it work, i got my background back. Also the computer not slow or freezin up anymore THX THX THX THX ALOT here the log:

Logfile of HijackThis v1.99.1
Scan saved at 1:38:02 PM, on 7/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\Winamp\Winamp.exe
C:\hijackthis\hijackthis\HijackThis.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: LokiTorrent Toolbar - Search your seed! - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O9 - Extra 'Tools' menuitem: LokiTorrent Toolbar - Search your seed! - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe


computer running now

-[tblm]Jeeta!
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP