Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

rapid blaster1-6/we like the girls 1-7 [CLOSED]

Started by char12 , Apr 14 2004 12:05 PM

  • This topic is locked This topic is locked

#1
char12
Posted 14 April 2004 - 12:05 PM

char12

    Member

  • Member
  • PipPip
  • 43 posts
I have spybot and ran it after not being able to use my internet browser. I am able to conect to some things on the internet, but others give me an error page.

Spybot said that everything was fine. I went ahead and did a search and found rapid blaster 1-6 and then rapidblaster we like girls. I deleted them and am still having trouble with conecting to some areas. Ebay I am able to see items, but if I want to look at one of the items it sends me to the error page.

I ran a Hijack for Logfile of Hijackyou

This v1.97.7
Scan saved at 12:51:24 PM, on 4/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\svchost.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\PV92Tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Charlotte\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O1 - Hosts: 199.181.132.145 abc.go.com
O1 - Hosts: 66.163.172.88 admin.yahoo.com
O1 - Hosts: 165.254.12.131 adopt.hotbar.com
O1 - Hosts: 66.135.200.136 cgi.ebay.com
O1 - Hosts: 66.135.194.20 cgi1.ebay.com
O1 - Hosts: 66.135.210.30 cgi2.ebay.com
O1 - Hosts: 209.47.15.73 cnt.rapidblaster.com
O1 - Hosts: 206.16.0.219 download.com.com
O1 - Hosts: 216.109.126.26 e.my.yahoo.com
O1 - Hosts: 216.136.227.7 edit.yahoo.com
O1 - Hosts: 66.135.195.237 electronics.ebay.com
O1 - Hosts: 216.73.89.150 email.staples-deals.com
O1 - Hosts: 207.46.167.100 encarta.msn.com
O1 - Hosts: 207.68.170.124 groups.msn.com
O1 - Hosts: 207.218.164.60 home.neopets.com
O1 - Hosts: 216.237.188.22 images.emailhello.com
O1 - Hosts: 208.254.63.60 images.trafficmp.com
O1 - Hosts: 66.150.2.83 is1.websearch.com
O1 - Hosts: 64.12.46.235 lastsamurai.warnerbros.com
O1 - Hosts: 66.135.195.27 listings.ebay.com
O1 - Hosts: 65.54.231.240 login.passport.com
O1 - Hosts: 65.54.229.246 login.passport.net
O1 - Hosts: 66.218.75.184 login.yahoo.com
O1 - Hosts: 216.109.127.60 mail.yahoo.com
O1 - Hosts: 65.54.229.252 memberservices.passport.net
O1 - Hosts: 207.46.189.15 moneycentral.msn.com
O1 - Hosts: 207.46.150.21 msnbc.com
O1 - Hosts: 207.68.173.234 my.msn.com
O1 - Hosts: 216.109.126.22 my.yahoo.com
O1 - Hosts: 206.31.10.94 new1.mysurvey.com
O1 - Hosts: 66.135.200.137 offer.ebay.com
O1 - Hosts: 66.135.192.87 pages.ebay.com
O1 - Hosts: 165.254.12.202 premium-offers.com
O1 - Hosts: 66.135.195.245 promo.ebay.com
O1 - Hosts: 209.68.226.5 resources.lawinfo.com
O1 - Hosts: 66.135.210.135 search.ebay.com
O1 - Hosts: 66.135.194.165 search-desc.ebay.com
O1 - Hosts: 206.204.52.6 security.symantec.com
O1 - Hosts: 198.6.49.121 service1.symantec.com
O1 - Hosts: 66.135.210.112 signin.ebay.com
O1 - Hosts: 165.254.12.100 software4thenet.com
O1 - Hosts: 65.88.128.22 support.rnetinc.net
O1 - Hosts: 207.218.164.16 survey.neopets.com
O1 - Hosts: 216.109.127.246 us.rd.yahoo.com
O1 - Hosts: 209.68.226.14 wishtv.lawinfo.com
O1 - Hosts: 207.171.184.16 www.amazon.com
O1 - Hosts: 165.138.113.249 www.bcsc.k12.in.us
O1 - Hosts: 134.68.52.57 www.bursar.iupui.edu
O1 - Hosts: 24.173.79.235 www.bursar.org
O1 - Hosts: 66.77.107.150 www.buzme.com
O1 - Hosts: 63.146.175.46 www.campmor.com
O1 - Hosts: 63.240.56.20 www.cbs.com
O1 - Hosts: 206.246.138.42 www.centra.org
O1 - Hosts: 134.68.19.195 www.columbus.iupui.edu
O1 - Hosts: 63.240.215.65 www.discovery.com
O1 - Hosts: 65.214.48.1 www.divorcenet.com
O1 - Hosts: 66.213.200.130 www.easierrebate.com
O1 - Hosts: 66.135.192.88 www.ebay.com
O1 - Hosts: 139.171.64.10 www.elderly.com
O1 - Hosts: 63.127.205.130 www.familychristian.com
O1 - Hosts: 66.162.192.49 www.goodysonline.com
O1 - Hosts: 207.182.237.203 www.gozingsurveys.com
O1 - Hosts: 157.91.12.65 www.in.gov
O1 - Hosts: 198.64.149.203 www.indiana.com
O1 - Hosts: 209.125.194.211 www.ipsh.net
O1 - Hosts: 134.68.122.5 www.iupui.edu
O1 - Hosts: 192.232.125.61 www.kodak.com
O1 - Hosts: 64.60.155.251 www.melissadata.com
O1 - Hosts: 216.154.228.146 www.montelshow.com
O1 - Hosts: 134.68.52.127 www.mpc.adaf.iupui.edu
O1 - Hosts: 207.46.245.60 www.msnbc.com
O1 - Hosts: 198.247.208.102 www.mycomicspage.com
O1 - Hosts: 63.236.66.15 www.mywebsearch.com
O1 - Hosts: 216.251.43.11 www.names9.com
O1 - Hosts: 207.218.164.17 www.neopets.com
O1 - Hosts: 207.66.2.46 www.onlineregister.com
O1 - Hosts: 216.193.193.16 www.otxresearch.com
O1 - Hosts: 65.54.230.254 www.passport.net
O1 - Hosts: 165.138.113.251 www.pc.bcsc.k12.in.us
O1 - Hosts: 64.94.127.55 www.pcsecuritynews.com
O1 - Hosts: 65.42.130.84 www.reliable.net
O1 - Hosts: 65.88.128.3 www.rnetinc.net
O1 - Hosts: 212.227.253.104 www.safer-networking.org
O1 - Hosts: 63.160.50.32 www.staplesrebates.com
O1 - Hosts: 66.37.205.40 www.switchboard.com
O1 - Hosts: 56.0.134.24 www.usps.com
O1 - Hosts: 212.72.51.68 www.vgfe.com
O1 - Hosts: 161.170.254.20 www.walmart.com
O1 - Hosts: 64.88.151.10 www.win250dollar.com
O1 - Hosts: 216.74.146.21 www.wishtv.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {204F937E-519E-4597-96FA-8F1F59F3CB6D} - C:\WINDOWS\System32\ctor.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {576EB0AD-6980-11D5-A9CD-0001032FEE17} - (no file)
O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [DXM6Patch_9904] C:\WINDOWS\p_9904.exe /Q:A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ultimate Popup Killer] C:\Program Files\Ultimate Popup Killer\Popupkiller.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: DigiChat Applet - http://host.digichat...s/Client_IE.cab
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst3_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...porter.cab?RND=
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/p...13/invinstl.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://directv.direc.../dpcsysinfo.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yaho...rod/yregcfg.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7613.3897916667
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CF25C291-E91C-11D3-873F-0000B4A2973D} (SoundCtl Class) - http://www.buzme.com...eX/NPBMCtrl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {E9AE575A-FA4A-11D3-90F7-00C0CA1618FF} (BuzMeSetup Class) - http://www.buzme.com...X/BMAXSetup.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?314
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq....co/SysQuery.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{30515995-F64E-4CE8-ACB9-C461A11BEF32}: NameServer = 67.39.236.2 67.39.236.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{30515995-F64E-4CE8-ACB9-C461A11BEF32}: NameServer = 67.39.236.2 67.39.236.3


Hope you can help. <_<
  • 0

Advertisements

#2
Smokey
Posted 14 April 2004 - 12:41 PM

Smokey

    Member 1K

  • Retired Staff
  • 1,423 posts
Yeah, you're infected. It's an Adtomi infection. Kinda difficult to remove. But we can help you through it. <_<!

First, you need to download CoolWebShredder, from http://www.merijn.or.../cwshredder.zip, Extract it & run the program. Click the Next Button & let it scan. Make sure you let it fix all CWS Remnants. must Make sure you are offline with all browser windows closed when you run it.

After that, Your computer has a number of spyware programs that we need to remove. For more info on spyware see the Spyware Tools link in my signature.

Let's start with a free program. Download and install Ad-aware.

Using Ad-aware: Open Ad-Aware and use the Check for updates now link. Download and accept the latest reference file. When finished click the Start button. When done scanning, the Abort button will change to Next. Click the Next button. Right-click in the Scanning Results window and click "Select all objects". Then click the "Next" button and confirm that you want to delete the selected entries.

When finished, Reboot your computer. Finally, reply to this post with a new HiJackThis log so we can look for any nasties that may have been missed. :D

CLICK HERE to download Ad-aware
  • 0

#3
char12
Posted 14 April 2004 - 02:08 PM

char12

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
http://www.merijn.or.../cwshredder.zip I can not open this page. It is asking for user name and password. Is there another site I can go to?
  • 0

#4
ditto
Posted 14 April 2004 - 02:28 PM

ditto

    - i pwn n00bs -

  • Member
  • PipPipPipPip
  • 1,260 posts
hey

try this link

http://209.133.47.20.../CWShredder.exe

ditto
  • 0

#5
char12
Posted 14 April 2004 - 03:13 PM

char12

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
I tried the link you gave me and I get half way through the load and it goes to the error page. I am going to go ahead and load the ad-ware and see if some else has <_< any ideas.
  • 0

#6
Smokey
Posted 14 April 2004 - 03:26 PM

Smokey

    Member 1K

  • Retired Staff
  • 1,423 posts
Sorry <_<, just download and run CWShredder from this page:

http://www.spywarein.../downloads.html
  • 0

#7
char12
Posted 14 April 2004 - 04:18 PM

char12

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
OK I have finally downloaded cwshredder and the ad-ware. I have run both and here is my new hijack

Logfile of HijackThis v1.97.7
Scan saved at 5:13:23 PM, on 4/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\PV92Tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Charlotte\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O1 - Hosts: 199.181.132.145 abc.go.com
O1 - Hosts: 66.163.172.88 admin.yahoo.com
O1 - Hosts: 165.254.12.131 adopt.hotbar.com
O1 - Hosts: 66.135.200.136 cgi.ebay.com
O1 - Hosts: 66.135.194.20 cgi1.ebay.com
O1 - Hosts: 66.135.210.30 cgi2.ebay.com
O1 - Hosts: 209.47.15.73 cnt.rapidblaster.com
O1 - Hosts: 206.16.0.219 download.com.com
O1 - Hosts: 216.109.126.26 e.my.yahoo.com
O1 - Hosts: 216.136.227.7 edit.yahoo.com
O1 - Hosts: 66.135.195.237 electronics.ebay.com
O1 - Hosts: 216.73.89.150 email.staples-deals.com
O1 - Hosts: 207.46.167.100 encarta.msn.com
O1 - Hosts: 207.68.170.124 groups.msn.com
O1 - Hosts: 207.218.164.60 home.neopets.com
O1 - Hosts: 216.237.188.22 images.emailhello.com
O1 - Hosts: 208.254.63.60 images.trafficmp.com
O1 - Hosts: 64.12.46.235 lastsamurai.warnerbros.com
O1 - Hosts: 66.135.195.27 listings.ebay.com
O1 - Hosts: 65.54.231.240 login.passport.com
O1 - Hosts: 65.54.229.246 login.passport.net
O1 - Hosts: 66.218.75.184 login.yahoo.com
O1 - Hosts: 216.109.127.60 mail.yahoo.com
O1 - Hosts: 65.54.229.252 memberservices.passport.net
O1 - Hosts: 207.46.189.15 moneycentral.msn.com
O1 - Hosts: 207.46.150.21 msnbc.com
O1 - Hosts: 207.68.173.234 my.msn.com
O1 - Hosts: 216.109.126.22 my.yahoo.com
O1 - Hosts: 206.31.10.94 new1.mysurvey.com
O1 - Hosts: 66.135.200.137 offer.ebay.com
O1 - Hosts: 66.135.192.87 pages.ebay.com
O1 - Hosts: 165.254.12.202 premium-offers.com
O1 - Hosts: 66.135.195.245 promo.ebay.com
O1 - Hosts: 209.68.226.5 resources.lawinfo.com
O1 - Hosts: 66.135.210.135 search.ebay.com
O1 - Hosts: 66.135.194.165 search-desc.ebay.com
O1 - Hosts: 206.204.52.6 security.symantec.com
O1 - Hosts: 198.6.49.121 service1.symantec.com
O1 - Hosts: 66.135.210.112 signin.ebay.com
O1 - Hosts: 165.254.12.100 software4thenet.com
O1 - Hosts: 65.88.128.22 support.rnetinc.net
O1 - Hosts: 207.218.164.16 survey.neopets.com
O1 - Hosts: 216.109.127.246 us.rd.yahoo.com
O1 - Hosts: 209.68.226.14 wishtv.lawinfo.com
O1 - Hosts: 207.171.184.16 www.amazon.com
O1 - Hosts: 165.138.113.249 www.bcsc.k12.in.us
O1 - Hosts: 134.68.52.57 www.bursar.iupui.edu
O1 - Hosts: 24.173.79.235 www.bursar.org
O1 - Hosts: 66.77.107.150 www.buzme.com
O1 - Hosts: 63.146.175.46 www.campmor.com
O1 - Hosts: 63.240.56.20 www.cbs.com
O1 - Hosts: 206.246.138.42 www.centra.org
O1 - Hosts: 134.68.19.195 www.columbus.iupui.edu
O1 - Hosts: 63.240.215.65 www.discovery.com
O1 - Hosts: 65.214.48.1 www.divorcenet.com
O1 - Hosts: 66.213.200.130 www.easierrebate.com
O1 - Hosts: 66.135.192.88 www.ebay.com
O1 - Hosts: 139.171.64.10 www.elderly.com
O1 - Hosts: 63.127.205.130 www.familychristian.com
O1 - Hosts: 66.162.192.49 www.goodysonline.com
O1 - Hosts: 207.182.237.203 www.gozingsurveys.com
O1 - Hosts: 157.91.12.65 www.in.gov
O1 - Hosts: 198.64.149.203 www.indiana.com
O1 - Hosts: 209.125.194.211 www.ipsh.net
O1 - Hosts: 134.68.122.5 www.iupui.edu
O1 - Hosts: 192.232.125.61 www.kodak.com
O1 - Hosts: 64.60.155.251 www.melissadata.com
O1 - Hosts: 216.154.228.146 www.montelshow.com
O1 - Hosts: 134.68.52.127 www.mpc.adaf.iupui.edu
O1 - Hosts: 207.46.245.60 www.msnbc.com
O1 - Hosts: 198.247.208.102 www.mycomicspage.com
O1 - Hosts: 216.251.43.11 www.names9.com
O1 - Hosts: 207.218.164.17 www.neopets.com
O1 - Hosts: 207.66.2.46 www.onlineregister.com
O1 - Hosts: 216.193.193.16 www.otxresearch.com
O1 - Hosts: 65.54.230.254 www.passport.net
O1 - Hosts: 165.138.113.251 www.pc.bcsc.k12.in.us
O1 - Hosts: 64.94.127.55 www.pcsecuritynews.com
O1 - Hosts: 65.42.130.84 www.reliable.net
O1 - Hosts: 65.88.128.3 www.rnetinc.net
O1 - Hosts: 212.227.253.104 www.safer-networking.org
O1 - Hosts: 63.160.50.32 www.staplesrebates.com
O1 - Hosts: 66.37.205.40 www.switchboard.com
O1 - Hosts: 56.0.134.24 www.usps.com
O1 - Hosts: 212.72.51.68 www.vgfe.com
O1 - Hosts: 161.170.254.20 www.walmart.com
O1 - Hosts: 64.88.151.10 www.win250dollar.com
O1 - Hosts: 216.74.146.21 www.wishtv.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {576EB0AD-6980-11D5-A9CD-0001032FEE17} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [DXM6Patch_9904] C:\WINDOWS\p_9904.exe /Q:A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ultimate Popup Killer] C:\Program Files\Ultimate Popup Killer\Popupkiller.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: DigiChat Applet - http://host.digichat...s/Client_IE.cab
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst3_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...porter.cab?RND=
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/p...13/invinstl.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://directv.direc.../dpcsysinfo.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yaho...rod/yregcfg.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7613.3897916667
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CF25C291-E91C-11D3-873F-0000B4A2973D} (SoundCtl Class) - http://www.buzme.com...eX/NPBMCtrl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {E9AE575A-FA4A-11D3-90F7-00C0CA1618FF} (BuzMeSetup Class) - http://www.buzme.com...X/BMAXSetup.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?314
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq....co/SysQuery.cab
  • 0

#8
Smokey
Posted 14 April 2004 - 04:29 PM

Smokey

    Member 1K

  • Retired Staff
  • 1,423 posts
You have an uncommon adware infection. I'll contact admin and he'll be with you shortly <_<!
  • 0

#9
Smokey
Posted 14 April 2004 - 05:00 PM

Smokey

    Member 1K

  • Retired Staff
  • 1,423 posts
Download and run Kill2Me (it's a specific program for your particular type of infection), it's found on this page:

http://www.spywarein.../downloads.html

Reboot, and please download a new hijackthis log. <_<
  • 0

#10
admin
Posted 14 April 2004 - 05:20 PM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
Let's start ny cleaning up some of this spyware. Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe
C:\Program Files\Common files\updmgr\updmgr.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE
C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE
C:\Program Files\Common Files\GMT\GMT.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchcentral...hp?v=4&aff=4894
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchcentral...hp?v=4&aff=4894
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchcentral...hp?v=4&aff=4894
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotbar.co...rchPageHome.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=http://proxy.connect.com.au:8080;http=http://proxy.connect.com.au:8080
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~2.DLL
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O1 - Hosts: 81.211.105.69 lender-search.com
O1 - Hosts: 81.211.105.68 hot-searches.com
O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~2.DLL
O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL
O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Uninstall0001] "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.virtuagirl.com!StatsVirtuaGirl
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE /b Startup
O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
O4 - HKLM\..\RunOnce: [tlc] C:\WINDOWS\update12.js
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.6.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign...op-sign_stp.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzill...ller/dwnldr.cab

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log.
  • 0

Advertisements

#11
char12
Posted 14 April 2004 - 05:47 PM

char12

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
OK I hope I got them all. Here is another hijack

Logfile of HijackThis v1.97.7
Scan saved at 6:43:31 PM, on 4/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\PV92Tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\Charlotte\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O1 - Hosts: 199.181.132.145 abc.go.com
O1 - Hosts: 66.163.172.88 admin.yahoo.com
O1 - Hosts: 165.254.12.131 adopt.hotbar.com
O1 - Hosts: 66.135.200.136 cgi.ebay.com
O1 - Hosts: 66.135.194.20 cgi1.ebay.com
O1 - Hosts: 66.135.210.30 cgi2.ebay.com
O1 - Hosts: 209.47.15.73 cnt.rapidblaster.com
O1 - Hosts: 206.16.0.219 download.com.com
O1 - Hosts: 216.109.126.26 e.my.yahoo.com
O1 - Hosts: 216.136.227.7 edit.yahoo.com
O1 - Hosts: 66.135.195.237 electronics.ebay.com
O1 - Hosts: 216.73.89.150 email.staples-deals.com
O1 - Hosts: 207.46.167.100 encarta.msn.com
O1 - Hosts: 207.68.170.124 groups.msn.com
O1 - Hosts: 207.218.164.60 home.neopets.com
O1 - Hosts: 216.237.188.22 images.emailhello.com
O1 - Hosts: 208.254.63.60 images.trafficmp.com
O1 - Hosts: 64.12.46.235 lastsamurai.warnerbros.com
O1 - Hosts: 66.135.195.27 listings.ebay.com
O1 - Hosts: 65.54.231.240 login.passport.com
O1 - Hosts: 65.54.229.246 login.passport.net
O1 - Hosts: 66.218.75.184 login.yahoo.com
O1 - Hosts: 216.109.127.60 mail.yahoo.com
O1 - Hosts: 65.54.229.252 memberservices.passport.net
O1 - Hosts: 207.46.189.15 moneycentral.msn.com
O1 - Hosts: 207.46.150.21 msnbc.com
O1 - Hosts: 207.68.173.234 my.msn.com
O1 - Hosts: 216.109.126.22 my.yahoo.com
O1 - Hosts: 206.31.10.94 new1.mysurvey.com
O1 - Hosts: 66.135.200.137 offer.ebay.com
O1 - Hosts: 66.135.192.87 pages.ebay.com
O1 - Hosts: 165.254.12.202 premium-offers.com
O1 - Hosts: 66.135.195.245 promo.ebay.com
O1 - Hosts: 209.68.226.5 resources.lawinfo.com
O1 - Hosts: 66.135.210.135 search.ebay.com
O1 - Hosts: 66.135.194.165 search-desc.ebay.com
O1 - Hosts: 206.204.52.6 security.symantec.com
O1 - Hosts: 198.6.49.121 service1.symantec.com
O1 - Hosts: 66.135.210.112 signin.ebay.com
O1 - Hosts: 165.254.12.100 software4thenet.com
O1 - Hosts: 65.88.128.22 support.rnetinc.net
O1 - Hosts: 207.218.164.16 survey.neopets.com
O1 - Hosts: 216.109.127.246 us.rd.yahoo.com
O1 - Hosts: 209.68.226.14 wishtv.lawinfo.com
O1 - Hosts: 207.171.184.16 www.amazon.com
O1 - Hosts: 165.138.113.249 www.bcsc.k12.in.us
O1 - Hosts: 134.68.52.57 www.bursar.iupui.edu
O1 - Hosts: 24.173.79.235 www.bursar.org
O1 - Hosts: 66.77.107.150 www.buzme.com
O1 - Hosts: 63.146.175.46 www.campmor.com
O1 - Hosts: 63.240.56.20 www.cbs.com
O1 - Hosts: 206.246.138.42 www.centra.org
O1 - Hosts: 134.68.19.195 www.columbus.iupui.edu
O1 - Hosts: 63.240.215.65 www.discovery.com
O1 - Hosts: 65.214.48.1 www.divorcenet.com
O1 - Hosts: 66.213.200.130 www.easierrebate.com
O1 - Hosts: 66.135.192.88 www.ebay.com
O1 - Hosts: 139.171.64.10 www.elderly.com
O1 - Hosts: 63.127.205.130 www.familychristian.com
O1 - Hosts: 66.162.192.49 www.goodysonline.com
O1 - Hosts: 207.182.237.203 www.gozingsurveys.com
O1 - Hosts: 157.91.12.65 www.in.gov
O1 - Hosts: 198.64.149.203 www.indiana.com
O1 - Hosts: 209.125.194.211 www.ipsh.net
O1 - Hosts: 134.68.122.5 www.iupui.edu
O1 - Hosts: 192.232.125.61 www.kodak.com
O1 - Hosts: 64.60.155.251 www.melissadata.com
O1 - Hosts: 216.154.228.146 www.montelshow.com
O1 - Hosts: 134.68.52.127 www.mpc.adaf.iupui.edu
O1 - Hosts: 207.46.245.60 www.msnbc.com
O1 - Hosts: 198.247.208.102 www.mycomicspage.com
O1 - Hosts: 216.251.43.11 www.names9.com
O1 - Hosts: 207.218.164.17 www.neopets.com
O1 - Hosts: 207.66.2.46 www.onlineregister.com
O1 - Hosts: 216.193.193.16 www.otxresearch.com
O1 - Hosts: 65.54.230.254 www.passport.net
O1 - Hosts: 165.138.113.251 www.pc.bcsc.k12.in.us
O1 - Hosts: 64.94.127.55 www.pcsecuritynews.com
O1 - Hosts: 65.42.130.84 www.reliable.net
O1 - Hosts: 65.88.128.3 www.rnetinc.net
O1 - Hosts: 212.227.253.104 www.safer-networking.org
O1 - Hosts: 63.160.50.32 www.staplesrebates.com
O1 - Hosts: 66.37.205.40 www.switchboard.com
O1 - Hosts: 56.0.134.24 www.usps.com
O1 - Hosts: 212.72.51.68 www.vgfe.com
O1 - Hosts: 161.170.254.20 www.walmart.com
O1 - Hosts: 64.88.151.10 www.win250dollar.com
O1 - Hosts: 216.74.146.21 www.wishtv.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {576EB0AD-6980-11D5-A9CD-0001032FEE17} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O4 - HKLM\..\Run: [DXM6Patch_9904] C:\WINDOWS\p_9904.exe /Q:A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [PV92TRAY] PV92Tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ultimate Popup Killer] C:\Program Files\Ultimate Popup Killer\Popupkiller.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: DigiChat Applet - http://host.digichat...s/Client_IE.cab
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst3_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weat...porter.cab?RND=
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...s/yinst0401.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/p...13/invinstl.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://directv.direc.../dpcsysinfo.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yaho...rod/yregcfg.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7613.3897916667
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CF25C291-E91C-11D3-873F-0000B4A2973D} (SoundCtl Class) - http://www.buzme.com...eX/NPBMCtrl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O16 - DPF: {E9AE575A-FA4A-11D3-90F7-00C0CA1618FF} (BuzMeSetup Class) - http://www.buzme.com...X/BMAXSetup.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?314
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq....co/SysQuery.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{30515995-F64E-4CE8-ACB9-C461A11BEF32}: NameServer = 67.39.236.2 67.39.236.3
O17 - HKLM\System\CS2\Services\Tcpip\..\{30515995-F64E-4CE8-ACB9-C461A11BEF32}: NameServer = 67.39.236.2 67.39.236.3
  • 0

#12
Smokey
Posted 14 April 2004 - 06:19 PM

Smokey

    Member 1K

  • Retired Staff
  • 1,423 posts
Did you download and run Kill2Me? (it's a specific program for your particular type of infection), it's found on this page:

http://www.spywarein.../downloads.html

Reboot, and please download a new hijackthis log. <_<
  • 0

#13
char12
Posted 14 April 2004 - 07:27 PM

char12

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
Yes I downloaded kill2me and ran it. The computer said that there was not any problems. I had it to clean it anyway. Then Rebooted and sent you the newest hijack.
  • 0

#14
admin
Posted 14 April 2004 - 07:56 PM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
Hi char12,

Buckle in, we're getting pretty geeky here, but I'm sure you can handle it <_<

Copy the contents of the CODE box below to Notepad, and save as remove.reg (save as type: 'all files' )

REGEDIT4 

[-HKEY_CURRENT_USER\Software\adtomi] 

[-HKEY_CLASSES_ROOT\CLSID\{B549456D-F5D0-4641-BCED-8648A0C13D83}] 

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B549456D-F5D0-4641-BCED-8648A0C13D83}]  

DoubleClick Remove.reg, and hit yes on the prompt to add its contents to the Registry!

Please move Hijack This to its own directory (i.e. C:\HJT). This is because HJT creates backups that may be needed later, and they may get deleted when in a temp directory.

Run Hijack This, and check and have it fix all of the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O1 - Hosts: 199.181.132.145 abc.go.com
O1 - Hosts: 66.163.172.88 admin.yahoo.com
O1 - Hosts: 165.254.12.131 adopt.hotbar.com
O1 - Hosts: 66.135.200.136 cgi.ebay.com
O1 - Hosts: 66.135.194.20 cgi1.ebay.com
O1 - Hosts: 66.135.210.30 cgi2.ebay.com
O1 - Hosts: 209.47.15.73 cnt.rapidblaster.com
O1 - Hosts: 206.16.0.219 download.com.com
O1 - Hosts: 216.109.126.26 e.my.yahoo.com
O1 - Hosts: 216.136.227.7 edit.yahoo.com
O1 - Hosts: 66.135.195.237 electronics.ebay.com
O1 - Hosts: 216.73.89.150 email.staples-deals.com
O1 - Hosts: 207.46.167.100 encarta.msn.com
O1 - Hosts: 207.68.170.124 groups.msn.com
O1 - Hosts: 207.218.164.60 home.neopets.com
O1 - Hosts: 216.237.188.22 images.emailhello.com
O1 - Hosts: 208.254.63.60 images.trafficmp.com
O1 - Hosts: 64.12.46.235 lastsamurai.warnerbros.com
O1 - Hosts: 66.135.195.27 listings.ebay.com
O1 - Hosts: 65.54.231.240 login.passport.com
O1 - Hosts: 65.54.229.246 login.passport.net
O1 - Hosts: 66.218.75.184 login.yahoo.com
O1 - Hosts: 216.109.127.60 mail.yahoo.com
O1 - Hosts: 65.54.229.252 memberservices.passport.net
O1 - Hosts: 207.46.189.15 moneycentral.msn.com
O1 - Hosts: 207.46.150.21 msnbc.com
O1 - Hosts: 207.68.173.234 my.msn.com
O1 - Hosts: 216.109.126.22 my.yahoo.com
O1 - Hosts: 206.31.10.94 new1.mysurvey.com
O1 - Hosts: 66.135.200.137 offer.ebay.com
O1 - Hosts: 66.135.192.87 pages.ebay.com
O1 - Hosts: 165.254.12.202 premium-offers.com
O1 - Hosts: 66.135.195.245 promo.ebay.com
O1 - Hosts: 209.68.226.5 resources.lawinfo.com
O1 - Hosts: 66.135.210.135 search.ebay.com
O1 - Hosts: 66.135.194.165 search-desc.ebay.com
O1 - Hosts: 206.204.52.6 security.symantec.com
O1 - Hosts: 198.6.49.121 service1.symantec.com
O1 - Hosts: 66.135.210.112 signin.ebay.com
O1 - Hosts: 165.254.12.100 software4thenet.com
O1 - Hosts: 65.88.128.22 support.rnetinc.net
O1 - Hosts: 207.218.164.16 survey.neopets.com
O1 - Hosts: 216.109.127.246 us.rd.yahoo.com
O1 - Hosts: 209.68.226.14 wishtv.lawinfo.com
O1 - Hosts: 207.171.184.16 www.amazon.com
O1 - Hosts: 165.138.113.249 www.bcsc.k12.in.us
O1 - Hosts: 134.68.52.57 www.bursar.iupui.edu
O1 - Hosts: 24.173.79.235 www.bursar.org
O1 - Hosts: 66.77.107.150 www.buzme.com
O1 - Hosts: 63.146.175.46 www.campmor.com
O1 - Hosts: 63.240.56.20 www.cbs.com
O1 - Hosts: 206.246.138.42 www.centra.org
O1 - Hosts: 134.68.19.195 www.columbus.iupui.edu
O1 - Hosts: 63.240.215.65 www.discovery.com
O1 - Hosts: 65.214.48.1 www.divorcenet.com
O1 - Hosts: 66.213.200.130 www.easierrebate.com
O1 - Hosts: 66.135.192.88 www.ebay.com
O1 - Hosts: 139.171.64.10 www.elderly.com
O1 - Hosts: 63.127.205.130 www.familychristian.com
O1 - Hosts: 66.162.192.49 www.goodysonline.com
O1 - Hosts: 207.182.237.203 www.gozingsurveys.com
O1 - Hosts: 157.91.12.65 www.in.gov
O1 - Hosts: 198.64.149.203 www.indiana.com
O1 - Hosts: 209.125.194.211 www.ipsh.net
O1 - Hosts: 134.68.122.5 www.iupui.edu
O1 - Hosts: 192.232.125.61 www.kodak.com
O1 - Hosts: 64.60.155.251 www.melissadata.com
O1 - Hosts: 216.154.228.146 www.montelshow.com
O1 - Hosts: 134.68.52.127 www.mpc.adaf.iupui.edu
O1 - Hosts: 207.46.245.60 www.msnbc.com
O1 - Hosts: 198.247.208.102 www.mycomicspage.com
O1 - Hosts: 216.251.43.11 www.names9.com
O1 - Hosts: 207.218.164.17 www.neopets.com
O1 - Hosts: 207.66.2.46 www.onlineregister.com
O1 - Hosts: 216.193.193.16 www.otxresearch.com
O1 - Hosts: 65.54.230.254 www.passport.net
O1 - Hosts: 165.138.113.251 www.pc.bcsc.k12.in.us
O1 - Hosts: 64.94.127.55 www.pcsecuritynews.com
O1 - Hosts: 65.42.130.84 www.reliable.net
O1 - Hosts: 65.88.128.3 www.rnetinc.net
O1 - Hosts: 212.227.253.104 www.safer-networking.org
O1 - Hosts: 63.160.50.32 www.staplesrebates.com
O1 - Hosts: 66.37.205.40 www.switchboard.com
O1 - Hosts: 56.0.134.24 www.usps.com
O1 - Hosts: 212.72.51.68 www.vgfe.com
O1 - Hosts: 161.170.254.20 www.walmart.com
O1 - Hosts: 64.88.151.10 www.win250dollar.com
O1 - Hosts: 216.74.146.21 www.wishtv.com
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {576EB0AD-6980-11D5-A9CD-0001032FEE17} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [DXM6Patch_9904] C:\WINDOWS\p_9904.exe /Q:A
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32.dll
O16 - DPF: DigiChat Applet - http://host.digichat...s/Client_IE.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {CF25C291-E91C-11D3-873F-0000B4A2973D} (SoundCtl Class) - http://www.buzme.com...eX/NPBMCtrl.cab
O16 - DPF: {E9AE575A-FA4A-11D3-90F7-00C0CA1618FF} (BuzMeSetup Class) - http://www.buzme.com...X/BMAXSetup.cab

Next:

--Find and delete all files called BrowserHelper.dll from any location(s)

Delete these files in bold.
C:\WINDOWS\p_9904.exe <- this file
C:\WINDOWS\IME <- this folder

Reboot your computer start normally.

Run this file: http://www10.brinkst.../L2M/Msg121.htm

We recommed you uninstall SpyKiller and instead use As-aware or Spybot S&D.

When finished post a fresh log :D
  • 0

#15
char12
Posted 14 April 2004 - 08:34 PM

char12

    Member

  • Topic Starter
  • Member
  • PipPip
  • 43 posts
I have already installed spybot, and ad-aware recieved the updates and ran. The last couple of hijacks you have recieved were after I ran both. I will be glad to run them again. My hijacks are being saved in my documents until this mess is cleaned up. Thank You for hanging in there with me. Looks like this is a nasty one. <_<
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP