MyTechSupport.ca :: Your Computer Technical Resource Headquarters! MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
HOME FORUMS RESOURCES & TOOLS ARTICLES ONLINE STORE ABOUT US
Computer Support Forums arrow Internet & Network Support arrow Internet & Email arrow Topic: another http://4bf65.ilxt.info , about:blank prblm
October 19, 2019, 09:25:42 PM
 

Home Forum Rules Help Search Mobile Version Login Register

Welcome, Guest. Please login or register.
Did you miss your activation email?
October 19, 2019, 09:25:42 PM

Login with username, password and session length
 Featured Sites:
News
New  New Poll on our main page!
"My experience with Vista..."
  0 Members and 1 Guest are viewing this topic.
Pages: [1] Go Down Print
Author Topic: another http://4bf65.ilxt.info , about:blank prblm  (Read 2808 times)
sgntsids
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 5


Bookmark and Share

View Profile
« on: July 22, 2004, 07:32:13 PM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version: XP pro
Problem Application Name & Version:
Problem Hardware Make & Model:
Error Messages:



Man this thing is nasty...I've already run the newest Adaware and Stinger to clear up some of the less intrusive ****ware. I've read around on this problem, and so here is my hijackthis log. Thanks ahead of time for the help!


Logfile of HijackThis v1.97.7
Scan saved at 3:15:17 PM, on 7/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
C:\WINDOWS\System32\imckaal.exe
C:\WINDOWS\System32\spchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\shchost.exe
C:\Documents and Settings\ron\Application Data\coes.exe
C:\WINDOWS\System32\cre.exe
C:\PROGRA~1\ezula\mmod.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\ron\Desktop\cleanup\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ron\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ron\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ron\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ron\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ron\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rambler.ru
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rambler.ru
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ron\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://rambler.ru
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://rambler.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {349D58FE-BAE0-4F6B-B941-1B9285851527} - C:\WINDOWS\System32\ooi.dll
O2 - BHO: (no name) - {3BD7470D-E763-58BC-8653-67557CAE2738} - C:\WINDOWS\System32\subr.dll
O2 - BHO: (no name) - {432D8C41-8586-11D8-997D-00C026232EB9} - C:\WINDOWS\bvm202.dll
O2 - BHO: (no name) - {9E992732-295F-4987-8BE3-16FAC1639198} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPWH myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
O4 - HKLM\..\Run: [qdajgjunw] C:\WINDOWS\System32\imckaal.exe
O4 - HKLM\..\Run: [Operating System Rescue] svchost.exe
O4 - HKLM\..\Run: [Systems Restart] C:\WINDOWS\System32\spchost.exe
O4 - HKLM\..\Run: [load32] c:\dial.EXE
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Wendows Deafult Configuration] C:\WINDOWS\shchost.exe
O4 - HKCU\..\Run: [Haor] C:\Documents and Settings\ron\Application Data\coes.exe
O4 - HKCU\..\Run: [Zvnezibq] C:\WINDOWS\System32\cre.exe
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Research (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://components.metastream.com/MTSInstallers/MetaStream3.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\nosuch.mht!http://2awm.com/pop/chm/warxsp.chm::/on-line.exe
O16 - DPF: {11010101-1001-1111-1000-115676576811} - ms-its:mhtml:file://c:\nosuch.mht!http://sploit2004.com/doom/var.chm::/down.exe
O16 - DPF: {7E79C698-405E-11D4-BD8F-0060979301C2} (EPTEDGEInput.BearingInput) - http://www.emerson-ept.com/EPTRoot/eptedge/EPTEDGEInput.CAB
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37999.4788888889
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://raiseinstall.rockwellautomation.com/abecad-04-2003/setup.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mmwdomain.local
O17 - HKLM\Software\..\Telephony: DomainName = mmwdomain.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{E8D0B471-5ACA-4450-AE01-6801C407875E}: NameServer = 10.0.0.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mmwdomain.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mmwdomain.local

Logged

 
Cactus
Security & Virus Specialist
Global Moderator
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 4327


Bookmark and Share

View Profile
« Reply #1 on: July 22, 2004, 10:57:29 PM »

Hi...could you please go here and Download the newest version of HJT,run and post a fresh logfile.

**(Always create a Folder for HiJackThis anywhere but your Temp/Temporary Internet Folders. This is where it will save the backup files needed if there's a problem.)**

Create a permanent
folder
EG---- Open MyDocuments----Right click an empty spot and select NEW---Folder----Name the new folder HJT ---this is where you will want to save Hijackthis too, also, backups will be stored there.
Download from here
http://www.spywareinfo.com/~merijn/files/HijackThis.exe
or here
http://aumha.org/downloads/hijackthis.exe

Do a SCAN----Scan will change to SAVE LOG----copy and paste the WHOLE contents of the log
here... Don't try and fix anything yet----It is all important


Cactus
Logged

**PLEASE**.....do not post your hijack log in someone else's thread. Start a separate thread HERE! Thank you.

cactus@mytechsupport.ca

My System Specs

Avg Antivirus::Ad-Aware::Spybot::Windows Update::Recuva
Malwarebytes::SUPERAntiSpywareFREE
corvett
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 2


Bookmark and Share

View Profile
« Reply #2 on: July 23, 2004, 03:32:00 AM »

cactus, can you icq me when you have a free second?

thanks in advance
45471840

-Mark
Logged

 
corvett
Newbie
*

Karma: +0/-0
Offline Offline

Posts: 2


Bookmark and Share

View Profile
« Reply #3 on: July 23, 2004, 03:33:52 AM »

or reply with your icq...

Logged

 
sgntsids
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 5


Bookmark and Share

View Profile
« Reply #4 on: July 23, 2004, 05:02:41 PM »

Okay...will do.
Sorry for the delay; the infected machine is at an office that I can only get to for a little while each day. I can get there in a couple hours and then will proceed as instructed.
Logged

 
Cactus
Security & Virus Specialist
Global Moderator
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 4327


Bookmark and Share

View Profile
« Reply #5 on: July 23, 2004, 05:39:38 PM »

You've been added!

Cactus
Logged

**PLEASE**.....do not post your hijack log in someone else's thread. Start a separate thread HERE! Thank you.

cactus@mytechsupport.ca

My System Specs

Avg Antivirus::Ad-Aware::Spybot::Windows Update::Recuva
Malwarebytes::SUPERAntiSpywareFREE
sgntsids
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 5


Bookmark and Share

View Profile
« Reply #6 on: July 23, 2004, 08:46:59 PM »

I downloaded HijackThis from the link(s) provided, put it in a new folder on the infected computer's desktop, ran the program, copied the log to a floppy, and now, here's a copy/paste of that log:

Logfile of HijackThis v1.98.0
Scan saved at 4:32:00 PM, on 7/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
C:\WINDOWS\System32\imckaal.exe
C:\WINDOWS\System32\spchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\shchost.exe
C:\Documents and Settings\ron\Application Data\coes.exe
C:\WINDOWS\System32\iwd.exe
C:\Documents and Settings\ron\Desktop\cleanitup\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ron\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ron\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rambler.ru
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rambler.ru
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ron\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ron\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ron\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ron\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://rambler.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://rambler.ru
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {349D58FE-BAE0-4F6B-B941-1B9285851527} - C:\WINDOWS\System32\ooi.dll
O2 - BHO: (no name) - {3ED81F03-E560-5CB4-8B57-67557CAF2F3B} - C:\WINDOWS\System32\pcfhj.dll
O2 - BHO: (no name) - {432D8C41-8586-11D8-997D-00C026232EB9} - C:\WINDOWS\bvm202.dll
O2 - BHO: E.HH - {9E992732-295F-4987-8BE3-16FAC1639198} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPWH myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
O4 - HKLM\..\Run: [qdajgjunw] C:\WINDOWS\System32\imckaal.exe
O4 - HKLM\..\Run: [Operating System Rescue] svchost.exe
O4 - HKLM\..\Run: [Systems Restart] C:\WINDOWS\System32\spchost.exe
O4 - HKLM\..\Run: [load32] c:\dial.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Wendows Deafult Configuration] C:\WINDOWS\shchost.exe
O4 - HKCU\..\Run: [Haor] C:\Documents and Settings\ron\Application Data\coes.exe
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://components.metastream.com/MTSInstallers/MetaStream3.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\nosuch.mht!http://2awm.com/pop/chm/warxsp.chm::/on-line.exe
O16 - DPF: {11010101-1001-1111-1000-115676576811} - ms-its:mhtml:file://c:\nosuch.mht!http://sploit2004.com/doom/var.chm::/down.exe
O16 - DPF: {7E79C698-405E-11D4-BD8F-0060979301C2} (EPTEDGEInput.BearingInput) - http://www.emerson-ept.com/EPTRoot/eptedge/EPTEDGEInput.CAB
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://raiseinstall.rockwellautomation.com/abecad-04-2003/setup.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mmwdomain.local
O17 - HKLM\Software\..\Telephony: DomainName = mmwdomain.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{E8D0B471-5ACA-4450-AE01-6801C407875E}: NameServer = 10.0.0.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mmwdomain.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mmwdomain.local
O18 - Filter: text/html - {334CAAAD-5940-4DF2-A231-1437E1E68C43} - C:\WINDOWS\System32\ooi.dll
O18 - Filter: text/plain - {334CAAAD-5940-4DF2-A231-1437E1E68C43} - C:\WINDOWS\System32\ooi.dll


Thanks!
Logged

 
sgntsids
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 5


Bookmark and Share

View Profile
« Reply #7 on: July 26, 2004, 09:17:53 PM »

I think I'm going to have time to head over and work on that computer tomorrow...any advice after checking out the log?

Thanks!
Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #8 on: July 31, 2004, 06:52:26 AM »

Hi sgntsids, If you still need a hand with your hijackthis log can
you please post a fresh log, thanx....
Logged

 
sgntsids
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 5


Bookmark and Share

View Profile
« Reply #9 on: August 03, 2004, 06:39:43 PM »

Alright, here's a fresh highjackthis log created just a minute ago. Thanks for any and all help.

Logfile of HijackThis v1.98.0
Scan saved at 2:23:26 PM, on 8/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
C:\WINDOWS\System32\imckaal.exe
C:\WINDOWS\System32\spchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\shchost.exe
C:\Documents and Settings\ron\Application Data\coes.exe
C:\WINDOWS\System32\iwd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\HPWHTBX.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Documents and Settings\ron\Desktop\cleanitup\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ron\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ron\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rambler.ru
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rambler.ru
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ron\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ron\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ron\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ron\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://rambler.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://rambler.ru
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {349D58FE-BAE0-4F6B-B941-1B9285851527} - C:\WINDOWS\System32\ooi.dll
O2 - BHO: (no name) - {3ED81F03-E560-5CB4-8B57-67557CAF2F3B} - C:\WINDOWS\System32\pcfhj.dll
O2 - BHO: (no name) - {432D8C41-8586-11D8-997D-00C026232EB9} - C:\WINDOWS\bvm202.dll
O2 - BHO: G1.GZ - {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [HPWH myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
O4 - HKLM\..\Run: [qdajgjunw] C:\WINDOWS\System32\imckaal.exe
O4 - HKLM\..\Run: [Operating System Rescue] svchost.exe
O4 - HKLM\..\Run: [Systems Restart] C:\WINDOWS\System32\spchost.exe
O4 - HKLM\..\Run: [load32] c:\dial.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Wendows Deafult Configuration] C:\WINDOWS\shchost.exe
O4 - HKCU\..\Run: [Haor] C:\Documents and Settings\ron\Application Data\coes.exe
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://components.metastream.com/MTSInstallers/MetaStream3.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\nosuch.mht!http://2awm.com/pop/chm/warxsp.chm::/on-line.exe
O16 - DPF: {11010101-1001-1111-1000-115676576811} - ms-its:mhtml:file://c:\nosuch.mht!http://sploit2004.com/doom/var.chm::/down.exe
O16 - DPF: {7E79C698-405E-11D4-BD8F-0060979301C2} (EPTEDGEInput.BearingInput) - http://www.emerson-ept.com/EPTRoot/eptedge/EPTEDGEInput.CAB
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - http://raiseinstall.rockwellautomation.com/abecad-04-2003/setup.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mmwdomain.local
O17 - HKLM\Software\..\Telephony: DomainName = mmwdomain.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{E8D0B471-5ACA-4450-AE01-6801C407875E}: NameServer = 10.0.0.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mmwdomain.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mmwdomain.local
O18 - Filter: text/html - {334CAAAD-5940-4DF2-A231-1437E1E68C43} - C:\WINDOWS\System32\ooi.dll
O18 - Filter: text/plain - {334CAAAD-5940-4DF2-A231-1437E1E68C43} - C:\WINDOWS\System32\ooi.dll

Logged

 
Pages: [1] Go Up Print 
 
Jump to:  

Powered by MySQL Powered by PHP

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines

Valid XHTML 1.0! Valid CSS!

Disclaimer
This site is NOT responsible for any damage that the information on this site may cause to your system. Everything you try, whether inspired by the response given from this site or not, is entirely at your own risk. All product names and company names used herein are for identification purpose only and may be trademarks or registered trademarks of their respective owners. We are in no way affiliated or representing any of the companies on this site unless specified.
Back to Top
Stop Spam Harvesters, Join Project Honey Pot Fight Back Against Spammers! Get Firefox! Get Thunderbird! View Sylvain Amyots profile on LinkedIn
Back to Top
Google visited last this page October 27, 2016, 03:17:42 AM