MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
Topic: Hijack This log (Read 1780 times)
twins0810 (Newbie, Posts: 6)
« on: September 07, 2004, 02:57:30 AM »

Please Help!!!  IE keeps going to about:blank.  I have run Ad-Aware, Spybot S&D, and now HijackThis.  Here is my log...can anyone tell me what to delete....PLEASE!!!!!  I am running Windows XP, IE 6.0.
I have also recently reinstalled Windows due to my IE being corrupt...and that was a complete disaster.  I have had nothing but problems with spyware since.

Logfile of HijackThis v1.98.2
Scan saved at 10:51:25 PM, on 9/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\apilt.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\netro32.exe
C:\WINDOWS\System32\xtdtfn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\twdko.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\twdko.dll/sp.html#29126
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hsklf.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hsklf.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hsklf.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http:www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hsklf.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EA94B086-CDBC-1A5F-231F-FB067C388DF8} - C:\WINDOWS\system32\ipgo32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [RecoverFromReboo] C:\WINDOWS\Temp\RECOVE~1.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [netro32.exe] C:\WINDOWS\system32\netro32.exe
O4 - HKLM\..\Run: [ueuzurxx] C:\WINDOWS\System32\xtdtfn.exe
O4 - HKLM\..\Run: [hgn] C:\WINNT\hgn.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Help - {60BA2A89-51FD-43E4-A072-23E74D5D4C2C} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {8A760511-1030-4FDB-8C8F-50E3C39EBDDF} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Support - {8CD6C7B5-5AD9-433B-A126-5F6C477BF15E} - http://www.comcastsupport.com (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {008B6F21-3A6B-062F-EA4A-4C930254A73F} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {02B5ACFD-DF64-62D8-A5E7-1C236D0F5348} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {02B955BC-AA94-51D3-F50A-555222F88AE9} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {036ED512-7BC1-18E0-D867-575F68C65F0D} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {05BC92D3-682A-0941-7012-7A18275A25E9} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {0671E4AF-F515-187A-9F5F-64D65DE40A72} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {077B61F3-77E2-57C4-6AE4-5C0225DE80DD} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {07C40146-BAE8-0858-9807-5B2B3B058EF9} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {09308C12-EC2C-37AF-DDD1-1FA74C13A827} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {0B28B819-BDAD-1607-1D1F-61AD3DC7D47F} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {0B8ED228-9227-0783-55A7-052025D0C2F4} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {0D9DEEC7-95C7-1191-AFAA-788C5288E25C} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {0DD23977-DEA4-1F80-6C4F-482B7E75E428} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {0E5F3804-19EA-23F2-4481-07AE0D6ABBFB} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {0EAC8A34-1996-1245-5115-6EBD71A1DE7F} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {0ED31C23-E0C7-3C83-4AF5-770504FD12EF} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {108ED0EE-C727-338C-A1D8-39C62EDB2EDD} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {11DA5609-F188-1A25-AC98-567E720C0756} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {13EAA24A-B4EC-06A9-2558-2CE0197A749C} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {14A51B88-9334-149E-EDF9-3975281AC71E} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {154B5612-29A4-108C-5EC0-72D827CB4864} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {15A1AF55-FDF1-7C23-187B-7EC058B77B1F} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {16BD7D54-97D9-49D4-5609-6B6A187C6AA5} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {189006A1-06F5-2392-DB63-624856D7AC27} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {18C6372D-D1B1-015C-7615-4B3C68AE0284} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {19F2D382-EF13-0974-F10B-55905F4F7EF7} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {1A7D2A25-6FEF-5E75-8449-36BF5AD75DC4} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {1B08512D-7CB8-05FB-A962-450371744A4C} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {1DF75730-D750-3BAC-55F5-0D247DC6CC79} - http://66.117.42.151/1/gdnUS243.exe
O16 - DPF: {1EF0830C-14A6-1D3B-86DC-1D640D291180} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {1F4D1205-6E8D-72AA-9C78-380D0289E74E} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {1F8C98DB-FF71-06BC-65D4-481C2F83A0B5} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {2581771B-BC12-4C64-C55F-44B336826C02} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {2670C160-723E-76A5-0F22-48D6649E9845} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {26784A6A-2156-200C-098D-02B26087986F} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {26B72699-0105-0E82-F37C-364A15FC5131} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {283D77E6-9233-66A7-2765-4E1C5923E622} - http://66.117.42.151/1/gdnUS243.exe
O16 - DPF: {28B6A557-9584-3FA8-492E-78D57525C625} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {291E2F96-C1F7-1B1B-A19A-5A0B0DB0D20A} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {2A4860D9-7576-136C-D18D-3B620D3A6506} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {2B063E44-C1F7-0FBE-7DD5-448529DFB539} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {2B5D3511-A371-4D78-7947-2BFD2F7BF618} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {2CF374D7-8565-677B-E659-7AAF467FE496} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {2D4AA9F4-4D27-3B32-3A44-0D54056888DA} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {2D79B145-3A69-6C8C-1184-64BA46939FAF} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {2F477832-6345-1C50-DFC4-622C30A8FF00} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {2F504615-499D-180F-A2FE-722418DC2EF0} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {2F55807C-ADFE-173B-4DE4-089603299332} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30422B51-26E2-6A01-86F1-3E531543FCBF} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {3105B168-8251-415C-050A-00B16E70EB03} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {32A485A0-205E-5216-5743-11853D7D72ED} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {32AC66DD-B296-27A2-11A2-4E1465AAE47E} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {336263B6-68EF-73AF-B0AE-51562D7C7440} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {34470802-49FB-092E-6347-25EE3620C13F} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {35B09E62-BE0C-67A7-1747-48002A3C1233} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {36909AC7-9441-4FBB-84FE-7DF03B5AE664} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {36F04223-2A57-48B5-8C63-4A4B7CB63501} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {37666876-0B9E-275F-AB90-574A71B6C521} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {378DC331-8D35-41BF-F34D-29773151036C} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {37CD97D8-72AB-1887-B4FC-3F551B264742} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {37D37922-985B-3279-92FB-27420A913FB4} - http://64.237.60.5/1/gdnUS1210.exe
O16 - DPF: {3997257A-5F29-5912-7663-0A3355F94C6E} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {3A17A154-B64E-66A7-13C5-79BA399FFEE6} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {3D39D993-850E-79D0-3230-334062311457} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {3EA3BE87-99CE-7875-35FC-578B4A419695} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {3ED03B20-C78F-13D7-E599-34D3627630A3} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {4085323A-645D-6284-3D23-295B264553A9} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {408B9788-F28E-373C-86D9-2E6E18FA612F} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {40C74E8E-8A8C-5739-5DBA-731A10380F99} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {42FF7CC0-74F7-6D36-1145-58453B6791A2} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {43C778DB-F08A-616D-17B3-0A7667EF86B8} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {44EECA10-A549-7DE3-0DDB-4BEE476ED9C1} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {485F9E35-40DC-0E8D-0ABC-5BBF5E01B399} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {496F2A3B-F37C-7267-EB16-044B56A88D96} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {4AC8A69E-D14F-4833-7FE3-065F138EE536} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {4C1C741E-7AB7-15A4-DB40-71A878C2A1ED} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {4D676102-996A-7574-D1FB-4E6466688C37} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {4ED11A42-8B1A-1E45-9BC9-488E2071E31D} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {4F77B9AE-5D32-0A72-5F4A-0FEE680A591E} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {50B6CCD8-DD62-2B42-E8D0-6F1E64EBAA2B} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {513736D6-7050-23B4-DDB1-4131747214CF} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {52ABB2A2-917D-2F98-BE3D-551812195CC5} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {535B31D3-E5F6-5AF1-D3E8-0DB1547EE9E0} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {54D97E54-CF81-20B3-6988-3D4B63A9D1DA} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {5513E531-B333-7C14-5DDD-09064D204B63} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {555A4FBF-B4EB-47F8-39E6-78534ECD9DBA} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {562A67D1-F50F-1979-F2E2-6F2234B87CA5} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {5808D6CD-1E19-013B-AD8E-4C6069C834D5} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {58E81570-D411-3DE0-794A-51596486269C} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {59361CFD-0F50-5392-C338-0D9325A2539D} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {59A59039-2DA5-3520-6B19-3E2C52FCED4A} - http://66.117.42.151/1/gdnUS243.exe
O16 - DPF: {59B1940C-751C-4F49-8E3E-59BE4B878542} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {5A114274-BC9F-340F-3908-0E9D2A3874B6} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {5A329DCD-6B13-468B-0A25-22D570436485} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {5A9154CD-AFEB-2DC9-BC20-053C0EC42919} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {5B290FA8-C865-0BFD-4322-5112182D3196} - http://66.117.42.151/1/rdgUS243.exe
O16 - DPF: {5B88FAC3-E3F5-0273-91DE-4F915E3DF7FD} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {5BEA8FF2-E20C-7B80-A382-07D27C1BC72B} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {5C62090C-3EBC-1E39-73AB-7C31532360BD} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {5C6A1F46-7951-646B-C7BC-29EF20CE478D} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {5C9EDF1D-A073-2EBA-C705-783D2D801D41} - http://67.19.99.158/1/gdnUS871.exe
O16 - DPF: {5CB68E89-56EF-45A2-D8B6-7F9C2032EBB7} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {5EACB6FF-8F56-2F10-0182-40BE33382BD5} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {5F6477AE-ACB4-1780-47B2-4EC83A903844} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {5F817939-E7CC-76BF-84ED-06373E3C2865} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {5FABDDD2-CB42-1819-7BC5-75063259E4B4} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {6024AB49-B00F-4FC3-6642-579E0A4F49EB} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {60A124A8-CCD2-1043-8309-422C773FA7C5} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {61AD58F5-BC26-4BB8-3C82-1C127CD60FC7} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {627EA5E8-068C-48D3-29B0-22350F9C2463} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {62EA709B-FC31-482B-1C6C-7FCC5F52C08C} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {631E4745-C6E0-04A4-706A-4009548E72F6} - http://67.19.99.158/1/gdnUS871.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093223239812
O16 - DPF: {66BBF7C0-5C58-4EC2-3040-5DD455F917DF} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {673F7DC3-6D27-2136-E8A5-6B443E74C2DF} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {693BA366-6221-3B5D-4F79-38CA4A8ADC87} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {69E5F056-FAB9-113A-E455-54937F31E899} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {6A3DC106-EC60-297C-C40C-0B8B04E06F15} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {6A4A7D33-C233-5A92-703F-14AB2D34B0CA} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {6A4C78C6-AA42-74C5-B13A-18D4432F8373} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {6AAFF6B7-4256-15A5-4CB7-30A37EF9DD64} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {6BCF3712-4D67-12F7-E024-35392E86FDF8} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {6D038879-E41D-7DBD-0A6D-24597292C1AC} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {6D34378F-050C-041C-9EB0-42D537FE3918} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {6DB697DB-F7FA-07E2-AEB3-117577976121} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {6FCB1D93-2C3A-394F-E57B-40D3782B551E} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {70C55792-51F3-0864-E0F2-72B62DC64889} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {70C7CB04-2892-550C-3B58-18CA22A7714E} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {70FF5EBE-7AC8-222A-B703-04AE61E123F4} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {71295326-AC78-72AE-7814-48F829D0FE1B} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {740DA3EC-F0D0-14C8-CEA6-035568678520} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {74A1CD40-9AD5-24A3-063C-2A710A39C1C7} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {769E6DC5-6BBC-6080-5C28-62B30C340272} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {77352337-3CD8-0884-3FC4-628D5E62CA43} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {77C54576-4E63-5872-91B2-3309114C305E} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {780ADEFB-0464-1FED-76AE-48996EF49EB9} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {78D8F5A5-75FC-6429-ED3D-695116B3AAF9} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {7ACC049A-2C3B-7FF3-A632-76262AF7F1AB} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {7B59C259-40B5-1A9C-8496-60BD08F86004} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {7BEBE194-8935-1880-03D3-574C4E57A5BC} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {7CD3F786-A9CF-1916-75C2-2E6C334D4C17} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {7DB16CF0-6404-6B55-9316-790976307F0F} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {7DDC41FC-21C6-2A1C-8076-07C9601FEE40} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {7E1952D6-97F2-7DE6-DBD8-72BA76F07000} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {7E7C90AA-7CBB-4773-E9C6-25675172A9B6} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {7F46E0DB-EE4D-2A44-E925-6F20545EC8BF} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {7F5649CE-41C3-45A2-F9DA-7DC07145FCD6} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {7FA07F64-9AC9-1B16-72A9-3D3F22171FD6} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {7FEE611D-5FFE-50C4-5DE2-297C33AED4EC} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
benditup (Hero Member, Posts: 2105)
« Reply #1 on: September 07, 2004, 03:41:20 AM »

Hi twins, the first thing I have to know:
All those O16 entries that look like this
O16 - DPF: {008B6F21-3A6B-062F-EA4A-4C930254A73F} - http://66.117.42.151/1/gdnUS19.exe
are ActiveX controls
directing me to Carpathia Hosting.
Do they look legitimate to you?

Could you download GetServices.zip
Unzip it to a folder
Double click on the Getservice.bat file to run it. This will create and open a text file named getservice.txt in the same folder.
getservice.txt will list all active Services

Please attach it in your reply. Simply click the "Insert File Attachment" below the reply box,
browse to getservice.txt, right click on it and select it,
click the Upload File.
You can just edit your reply above and attach it, I'll look for it,
or if you don't see this until tomorrow,
could you please post a fresh HijackThis log and attach it to that reply, thanks
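The O16 entries benditup points at, and the R1, O2 and O4 lines in the same log, all follow fixed HijackThis line formats, so a reviewer can triage them mechanically instead of reading hundreds of lines by eye. The script below is an added example for this thread; it is not code from the thread, from either poster, or from HijackThis itself. It parses the R0/R1, O2, O4 and O16 formats and flags the patterns the log shows: an IE search page pointed at a res:// resource inside a local DLL, a BHO with no name, a Run entry whose value name does not match its executable, and ActiveX/DPF controls fetched as an .exe from a bare IP address rather than a vendor hostname. The sample lines are copied from the log posted above; the category names, the name-versus-executable heuristic and the raw-IP test are this example's own assumptions, not HijackThis rules.

```python
"""Triage helper for HijackThis-style log lines (added example, not part of the
thread or of HijackThis). Parses the R0/R1, O2, O4 and O16 line formats and flags
the patterns discussed here: IE search pages served from a local DLL resource
(res://), unnamed BHOs, Run entries whose value name does not match the
executable, and ActiveX/DPF controls fetched as .exe from a bare IP address."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Finding:
    category: str  # e.g. "search_hijack", "dpf_raw_ip_exe" (names chosen for this example)
    detail: str    # what triggered the flag
    line: str      # the original log line


LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}|\w+)(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|bat|cmd|scr))"?(?:\s|$)', re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample input: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\twdko.dll/sp.html#29126
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EA94B086-CDBC-1A5F-231F-FB067C388DF8} - C:\WINDOWS\system32\ipgo32.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ueuzurxx] C:\WINDOWS\System32\xtdtfn.exe
O16 - DPF: {008B6F21-3A6B-062F-EA4A-4C930254A73F} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {37D37922-985B-3279-92FB-27420A913FB4} - http://64.237.60.5/1/gdnUS1210.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093223239812
"""


def _exe_basename(cmd: str) -> str:
    """Executable name (no directory, no extension, lower-cased) from a Run command line."""
    m = EXE_RE.match(cmd.strip())
    path = m.group("path") if m else cmd.strip().strip('"')
    return path.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def triage(log_text: str) -> List[Finding]:
    """Walk the log once and return one Finding per flagged line."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines, the process list and blanks are not entries
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1") and " = " in body:
            _key, value = body.split(" = ", 1)
            if value.lower().startswith("res://"):
                findings.append(Finding("search_hijack", "IE page served from a local DLL resource: " + value, line))
        elif kind == "O2":
            b = BHO_RE.match(body)
            if b and b.group("name") == "(no name)":
                findings.append(Finding("unnamed_bho", b.group("path"), line))
        elif kind == "O4":
            r = RUN_RE.match(body)
            if r:
                exe = _exe_basename(r.group("cmd"))
                if r.group("name").lower() != exe:  # heuristic only: a hint for manual review
                    findings.append(Finding("run_name_mismatch", f"value name [{r.group('name')}] vs executable {exe}", line))
        elif kind == "O16":
            d = DPF_RE.match(body)
            if d:
                url = urlsplit(d.group("url"))
                host = url.hostname or ""
                if IPV4_RE.match(host) and url.path.lower().endswith(".exe"):
                    findings.append(Finding("dpf_raw_ip_exe", f"{host} -> {url.path}", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count of findings per category."""
    return dict(Counter(f.category for f in findings))


def dpf_hosts(findings: List[Finding]) -> Dict[str, int]:
    """Flagged DPF downloads per host: many CLSIDs pulling the same payload from one
    address is the pattern benditup asks about, and it stands out as a single count."""
    return dict(Counter(f.detail.split(" -> ", 1)[0] for f in findings if f.category == "dpf_raw_ip_exe"))


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.category:18} {f.detail}")
    print(summarize(found), dpf_hosts(found))
```

The O4 check is deliberately weak: a value name that differs from the executable name is only a reason to look closer, since legitimate software (8.3 short names, for instance) trips it too. The res:// and raw-IP .exe checks are the ones that separate the hijacker entries from the Norton, RealPlayer and Windows Update lines in this log without any blacklist.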
twins0810 (Newbie, Posts: 6)
« Reply #2 on: September 07, 2004, 01:06:22 PM »

Hi Benditup,

Thanks for replying.  Those O16 entries do not look legitimate to me.  I have no idea what they are.  I am attaching the get service text document...I hope you can see it because I can't see it on mine.  Every time I try to click on the document to open it up, I get a message saying that Windows can't find notepad.exe???  I have had some problems over the weekend with error messages from Norton that said I had a virus named Trojan Horse6 that could not be fixed and I believe it said it was affecting notepad.exe.  However, I could open my HJT log in Notepad.  I reran Norton yesterday and have not got the message since.  I'm so confused...just when I think I am really starting to understand this computer, something else happens and I realize I KNOW NOTHING!!!!  Anyway, I hope you can open this document.

Attachment: getservice.txt (43.8 KB)
benditup (Hero Member, Posts: 2105)
« Reply #3 on: September 07, 2004, 07:48:24 PM »

You have a little bit of work to do, but all is necessary in trying to get you clean. Notepad may have been affected by this hijacker, we can deal with it later.....
Ensure you have Ad-Aware SE Personal and Spybot updated

If you can do the next step, do it; if not, carry on
===Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to Notepad
Name the file fix.reg
Change the Save as Type to All Files.
Save this file on the desktop, we'll need this later, don't run it yet

quote:
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

===Create a New folder on your desktop, call it Aboutbuster
Download to desktop About:Buster
by RubbeR Ducky
Unzip it to that new folder===Run this later

You may want to print this out

RESTART your Computer in SAFE MODE

Set Windows to Show Hidden Files and Folders

===Next: Go to START>>>RUN>>>type in services.msc and hit Enter
In the next window, look on the right hand side for this service
name---- Network Security Service

Double click on it--- STOP the service--
In the drop down menu, change the startup type to Disabled
from Automatic

Find and delete these files or folders if they exist
C:\WINDOWS\system32\netro32.exe <--this file
C:\WINDOWS\System32\xtdtfn.exe <--file
C:\WINNT\hgn.exe <--file
C:\WINDOWS\system32\apilt.exe <--file

===Stay in safe mode
Do another scan with HijackThis and put a check next to these entries
and then FIX CHECKED when ALL other windows are closed

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\twdko.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\twdko.dll/sp.html#29126

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hsklf.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hsklf.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hsklf.dll/sp.html#29126

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hsklf.dll/sp.html#29126

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {EA94B086-CDBC-1A5F-231F-FB067C388DF8} - C:\WINDOWS\system32\ipgo32.dll

O4 - HKLM\..\Run: [netro32.exe] C:\WINDOWS\system32\netro32.exe
O4 - HKLM\..\Run: [ueuzurxx] C:\WINDOWS\System32\xtdtfn.exe
O4 - HKLM\..\Run: [hgn] C:\WINNT\hgn.exe

O16 - DPF: {008B6F21-3A6B-062F-EA4A-4C930254A73F} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {02B5ACFD-DF64-62D8-A5E7-1C236D0F5348} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {02B955BC-AA94-51D3-F50A-555222F88AE9} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {036ED512-7BC1-18E0-D867-575F68C65F0D} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {05BC92D3-682A-0941-7012-7A18275A25E9} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {0671E4AF-F515-187A-9F5F-64D65DE40A72} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {077B61F3-77E2-57C4-6AE4-5C0225DE80DD} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {07C40146-BAE8-0858-9807-5B2B3B058EF9} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {09308C12-EC2C-37AF-DDD1-1FA74C13A827} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {0B28B819-BDAD-1607-1D1F-61AD3DC7D47F} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {0B8ED228-9227-0783-55A7-052025D0C2F4} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {0D9DEEC7-95C7-1191-AFAA-788C5288E25C} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {0DD23977-DEA4-1F80-6C4F-482B7E75E428} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {0E5F3804-19EA-23F2-4481-07AE0D6ABBFB} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {0EAC8A34-1996-1245-5115-6EBD71A1DE7F} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {0ED31C23-E0C7-3C83-4AF5-770504FD12EF} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {108ED0EE-C727-338C-A1D8-39C62EDB2EDD} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {11DA5609-F188-1A25-AC98-567E720C0756} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {13EAA24A-B4EC-06A9-2558-2CE0197A749C} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {14A51B88-9334-149E-EDF9-3975281AC71E} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {154B5612-29A4-108C-5EC0-72D827CB4864} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {15A1AF55-FDF1-7C23-187B-7EC058B77B1F} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {16BD7D54-97D9-49D4-5609-6B6A187C6AA5} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {189006A1-06F5-2392-DB63-624856D7AC27} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {18C6372D-D1B1-015C-7615-4B3C68AE0284} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {19F2D382-EF13-0974-F10B-55905F4F7EF7} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {1A7D2A25-6FEF-5E75-8449-36BF5AD75DC4} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {1B08512D-7CB8-05FB-A962-450371744A4C} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {1DF75730-D750-3BAC-55F5-0D247DC6CC79} - http://66.117.42.151/1/gdnUS243.exe
O16 - DPF: {1EF0830C-14A6-1D3B-86DC-1D640D291180} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {1F4D1205-6E8D-72AA-9C78-380D0289E74E} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {1F8C98DB-FF71-06BC-65D4-481C2F83A0B5} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {2581771B-BC12-4C64-C55F-44B336826C02} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {2670C160-723E-76A5-0F22-48D6649E9845} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {26784A6A-2156-200C-098D-02B26087986F} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {26B72699-0105-0E82-F37C-364A15FC5131} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {283D77E6-9233-66A7-2765-4E1C5923E622} - http://66.117.42.151/1/gdnUS243.exe
O16 - DPF: {28B6A557-9584-3FA8-492E-78D57525C625} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {291E2F96-C1F7-1B1B-A19A-5A0B0DB0D20A} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {2A4860D9-7576-136C-D18D-3B620D3A6506} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {2B063E44-C1F7-0FBE-7DD5-448529DFB539} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {2B5D3511-A371-4D78-7947-2BFD2F7BF618} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {2CF374D7-8565-677B-E659-7AAF467FE496} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {2D4AA9F4-4D27-3B32-3A44-0D54056888DA} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {2D79B145-3A69-6C8C-1184-64BA46939FAF} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {2F477832-6345-1C50-DFC4-622C30A8FF00} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {2F504615-499D-180F-A2FE-722418DC2EF0} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {2F55807C-ADFE-173B-4DE4-089603299332} - http://66.117.42.151/1/gdnUS19.exe

O16 - DPF: {30422B51-26E2-6A01-86F1-3E531543FCBF} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {3105B168-8251-415C-050A-00B16E70EB03} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {32A485A0-205E-5216-5743-11853D7D72ED} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {32AC66DD-B296-27A2-11A2-4E1465AAE47E} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {336263B6-68EF-73AF-B0AE-51562D7C7440} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {34470802-49FB-092E-6347-25EE3620C13F} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {35B09E62-BE0C-67A7-1747-48002A3C1233} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {36909AC7-9441-4FBB-84FE-7DF03B5AE664} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {36F04223-2A57-48B5-8C63-4A4B7CB63501} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {37666876-0B9E-275F-AB90-574A71B6C521} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {378DC331-8D35-41BF-F34D-29773151036C} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {37CD97D8-72AB-1887-B4FC-3F551B264742} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {37D37922-985B-3279-92FB-27420A913FB4} - http://64.237.60.5/1/gdnUS1210.exe
O16 - DPF: {3997257A-5F29-5912-7663-0A3355F94C6E} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {3A17A154-B64E-66A7-13C5-79BA399FFEE6} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {3D39D993-850E-79D0-3230-334062311457} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {3EA3BE87-99CE-7875-35FC-578B4A419695} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {3ED03B20-C78F-13D7-E599-34D3627630A3} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {4085323A-645D-6284-3D23-295B264553A9} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {408B9788-F28E-373C-86D9-2E6E18FA612F} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {40C74E8E-8A8C-5739-5DBA-731A10380F99} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {42FF7CC0-74F7-6D36-1145-58453B6791A2} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {43C778DB-F08A-616D-17B3-0A7667EF86B8} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {44EECA10-A549-7DE3-0DDB-4BEE476ED9C1} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {485F9E35-40DC-0E8D-0ABC-5BBF5E01B399} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {496F2A3B-F37C-7267-EB16-044B56A88D96} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {4AC8A69E-D14F-4833-7FE3-065F138EE536} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {4C1C741E-7AB7-15A4-DB40-71A878C2A1ED} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {4D676102-996A-7574-D1FB-4E6466688C37} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {4ED11A42-8B1A-1E45-9BC9-488E2071E31D} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {4F77B9AE-5D32-0A72-5F4A-0FEE680A591E} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {50B6CCD8-DD62-2B42-E8D0-6F1E64EBAA2B} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {513736D6-7050-23B4-DDB1-4131747214CF} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {52ABB2A2-917D-2F98-BE3D-551812195CC5} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {535B31D3-E5F6-5AF1-D3E8-0DB1547EE9E0} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {54D97E54-CF81-20B3-6988-3D4B63A9D1DA} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {5513E531-B333-7C14-5DDD-09064D204B63} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {555A4FBF-B4EB-47F8-39E6-78534ECD9DBA} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {562A67D1-F50F-1979-F2E2-6F2234B87CA5} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {5808D6CD-1E19-013B-AD8E-4C6069C834D5} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {58E81570-D411-3DE0-794A-51596486269C} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {59361CFD-0F50-5392-C338-0D9325A2539D} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {59A59039-2DA5-3520-6B19-3E2C52FCED4A} - http://66.117.42.151/1/gdnUS243.exe
O16 - DPF: {59B1940C-751C-4F49-8E3E-59BE4B878542} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {5A114274-BC9F-340F-3908-0E9D2A3874B6} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {5A329DCD-6B13-468B-0A25-22D570436485} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {5A9154CD-AFEB-2DC9-BC20-053C0EC42919} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {5B290FA8-C865-0BFD-4322-5112182D3196} - http://66.117.42.151/1/rdgUS243.exe
O16 - DPF: {5B88FAC3-E3F5-0273-91DE-4F915E3DF7FD} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {5BEA8FF2-E20C-7B80-A382-07D27C1BC72B} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {5C62090C-3EBC-1E39-73AB-7C31532360BD} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {5C6A1F46-7951-646B-C7BC-29EF20CE478D} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {5C9EDF1D-A073-2EBA-C705-783D2D801D41} - http://67.19.99.158/1/gdnUS871.exe
O16 - DPF: {5CB68E89-56EF-45A2-D8B6-7F9C2032EBB7} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {5EACB6FF-8F56-2F10-0182-40BE33382BD5} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {5F6477AE-ACB4-1780-47B2-4EC83A903844} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {5F817939-E7CC-76BF-84ED-06373E3C2865} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {5FABDDD2-CB42-1819-7BC5-75063259E4B4} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {6024AB49-B00F-4FC3-6642-579E0A4F49EB} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {60A124A8-CCD2-1043-8309-422C773FA7C5} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {61AD58F5-BC26-4BB8-3C82-1C127CD60FC7} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {627EA5E8-068C-48D3-29B0-22350F9C2463} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {62EA709B-FC31-482B-1C6C-7FCC5F52C08C} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {631E4745-C6E0-04A4-706A-4009548E72F6} - http://67.19.99.158/1/gdnUS871.exe
http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {673F7DC3-6D27-2136-E8A5-6B443E74C2DF} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {693BA366-6221-3B5D-4F79-38CA4A8ADC87} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {69E5F056-FAB9-113A-E455-54937F31E899} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {6A3DC106-EC60-297C-C40C-0B8B04E06F15} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {6A4A7D33-C233-5A92-703F-14AB2D34B0CA} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {6A4C78C6-AA42-74C5-B13A-18D4432F8373} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {6AAFF6B7-4256-15A5-4CB7-30A37EF9DD64} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {6BCF3712-4D67-12F7-E024-35392E86FDF8} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {6D038879-E41D-7DBD-0A6D-24597292C1AC} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {6D34378F-050C-041C-9EB0-42D537FE3918} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {6DB697DB-F7FA-07E2-AEB3-117577976121} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {6FCB1D93-2C3A-394F-E57B-40D3782B551E} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {70C55792-51F3-0864-E0F2-72B62DC64889} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {70C7CB04-2892-550C-3B58-18CA22A7714E} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {70FF5EBE-7AC8-222A-B703-04AE61E123F4} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {71295326-AC78-72AE-7814-48F829D0FE1B} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {740DA3EC-F0D0-14C8-CEA6-035568678520} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {74A1CD40-9AD5-24A3-063C-2A710A39C1C7} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {769E6DC5-6BBC-6080-5C28-62B30C340272} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {77352337-3CD8-0884-3FC4-628D5E62CA43} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {77C54576-4E63-5872-91B2-3309114C305E} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {780ADEFB-0464-1FED-76AE-48996EF49EB9} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {78D8F5A5-75FC-6429-ED3D-695116B3AAF9} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {7ACC049A-2C3B-7FF3-A632-76262AF7F1AB} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {7B59C259-40B5-1A9C-8496-60BD08F86004} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {7BEBE194-8935-1880-03D3-574C4E57A5BC} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {7CD3F786-A9CF-1916-75C2-2E6C334D4C17} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {7DB16CF0-6404-6B55-9316-790976307F0F} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {7DDC41FC-21C6-2A1C-8076-07C9601FEE40} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {7E1952D6-97F2-7DE6-DBD8-72BA76F07000} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {7E7C90AA-7CBB-4773-E9C6-25675172A9B6} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {7F46E0DB-EE4D-2A44-E925-6F20545EC8BF} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {7F5649CE-41C3-45A2-F9DA-7DC07145FCD6} - http://66.117.42.151/1/gdnUS19.exe
O16 - DPF: {7FA07F64-9AC9-1B16-72A9-3D3F22171FD6} - http://66.117.42.151/1/rdgUS19.exe
O16 - DPF: {7FEE611D-5FFE-50C4-5DE2-297C33AED4EC} - http://66.117.42.151/1/gdnUS19.exe


After you have FIX CHECKED and closed hijackthis
Navigate to About:buster you unzipped earlier
===Start About:Buster and hit ok.   Now for the scanning part. Hit Start and then Ok. The program should start scanning.
Scan a second time if prompted. Then hit exit

Do a DiskCleanup>>START----Run---type in cleanmgr
Ensure that Temp and Temporary Internet Files are checked

===Double click on reg.fix that you saved earlier to desktop
and Allow it to merge to the Registry; do this if you were able to open Notepad earlier

===RESTART back in Normal mode
Open Ad-Aware and do a Full System Scan---Remove all Critical Objects
Open Spybot and Check For Problems---Fix Everything in RED
RESTART your computer again to finish the cleaning process


NOTE:
A few files may have been deleted by the hijacker
hosts
Download The Hoster
Unzip it to a folder, Open it, Press "Restore Original Hosts" and press "OK". Exit Program. Note: if you were using a custom Hosts file you will need to replace any of those entries yourself

Control.exe Look in your C:\WINDOWS\SYSTEM32 folder for it
If it's not there we can easily replace it...

If you have Spybot S&D 1.3 installed
See if the SDHelper.dll file is missing,
Normally Spybot is installed in this directory
C:\Program Files\Spybot - Search & Destroy
If missing, download sdhelper13.zip
Save the Zip file to your desktop and Unzip it to your C:\Program Files\Spybot - Search & Destroy folder


RESTART your computer again when you are done

When you're all done can you post back a Fresh hijackthis log and also post the About:buster logs, thanks
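Reading a HijackThis log of this size by hand is tedious, and the fix list above rests on one recognisable pattern: dozens of randomly generated, unnamed CLSIDs in O16 entries all fetching bare .exe files from one or two hosts, plus an autorun entry launched from a Temp folder. The following Python script is an added example (it is not part of this thread and not a HijackThis feature) that parses O16 DPF and O4 Run lines and flags that pattern so a helper can triage a log quickly. The sample lines are a small subset copied from the logs in this thread; the flagging rules and the "three unnamed CLSIDs" threshold are my own assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed subset of the HijackThis logs posted in this thread: unnamed CLSIDs
# fetching .exe files, two legitimately named controls for contrast, and an O4
# autorun entry that points into the Temp folder.
SAMPLE_LINES = [
    "O16 - DPF: {408B9788-F28E-373C-86D9-2E6E18FA612F} - http://66.117.42.151/1/rdgUS19.exe",
    "O16 - DPF: {40C74E8E-8A8C-5739-5DBA-731A10380F99} - http://66.117.42.151/1/gdnUS19.exe",
    "O16 - DPF: {42FF7CC0-74F7-6D36-1145-58453B6791A2} - http://66.117.42.151/1/gdnUS19.exe",
    "O16 - DPF: {5C9EDF1D-A073-2EBA-C705-783D2D801D41} - http://67.19.99.158/1/gdnUS871.exe",
    "O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093223239812",
    "O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab",
    "O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab",
    r"O4 - HKLM\..\Run: [RecoverFromReboo] C:\WINDOWS\Temp\RECOVE~1.EXE",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
]

# O16 lines come as "{CLSID} (Name) - URL", "{CLSID} - URL" or "label - URL".
O16_RE = re.compile(
    r"^O16 - DPF: (?:\{(?P<clsid>[0-9A-Fa-f-]+)\}|(?P<label>\S+))"
    r"(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$"
)
# O4 lines come as "O4 - <registry key>: [<label>] <command>".
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<label>[^\]]*)\] (?P<command>.+)$")


def parse_o16(line):
    """Return the pieces of an O16 (Downloaded Program Files) entry, or None."""
    m = O16_RE.match(line)
    if not m:
        return None
    parts = urlparse(m.group("url"))
    return {
        "clsid": m.group("clsid"),
        # None when HijackThis could not resolve a control name for the CLSID
        "name": m.group("name") or m.group("label"),
        "host": parts.hostname,
        "url": m.group("url"),
        "is_exe": parts.path.lower().endswith(".exe"),
    }


def parse_o4(line):
    """Return registry key, label and command of an O4 (autorun) entry, or None."""
    m = O4_RE.match(line)
    if not m:
        return None
    return {"key": m.group("key"), "label": m.group("label"), "command": m.group("command")}


def triage(lines, unnamed_threshold=3):
    """Group O16 entries by download host and flag the hijacker pattern.

    A host is flagged when it serves bare .exe files through DPF (legitimate
    controls ship as .cab or .ocx) or when at least `unnamed_threshold` O16
    entries with no control name point at it. The threshold is an assumption.
    Autorun entries whose command lives under a Temp folder are listed separately.
    """
    hosts = defaultdict(lambda: {"clsids": set(), "unnamed": 0, "exe_urls": set()})
    temp_autoruns = []
    for line in lines:
        dpf = parse_o16(line)
        if dpf is not None:
            h = hosts[dpf["host"]]
            if dpf["clsid"]:
                h["clsids"].add(dpf["clsid"])
            if dpf["name"] is None:
                h["unnamed"] += 1
            if dpf["is_exe"]:
                h["exe_urls"].add(dpf["url"])
            continue
        run = parse_o4(line)
        if run is not None and "\\temp\\" in run["command"].lower():
            temp_autoruns.append(run["label"])

    suspicious = {}
    for host, h in hosts.items():
        reasons = []
        if h["exe_urls"]:
            reasons.append("serves .exe via DPF")
        if h["unnamed"] >= unnamed_threshold:
            reasons.append(f"{h['unnamed']} unnamed CLSIDs")
        if reasons:
            suspicious[host] = reasons
    return {"hosts": dict(hosts), "suspicious_dpf": suspicious, "temp_autoruns": temp_autoruns}


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for host, reasons in result["suspicious_dpf"].items():
        print(f"{host}: {', '.join(reasons)}")
    for label in result["temp_autoruns"]:
        print(f"autorun from Temp folder: [{label}]")
```

Run against the full log in this thread the script groups the several dozen O16 lines into two hosts, which is the whole story of that section; the line at the top of the reply that lost its "O16 - DPF: {...}" prefix during extraction is simply skipped because it does not match the pattern.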

 
twins0810
« Reply #4 on: September 08, 2004, 02:18:42 AM »

Thanks for all the instructions...here is what has happened so far:  

I followed step by step and have a few questions...

1.  Find and delete these files or folders if they exist
C:\WINDOWS\system32\netro32.exe <--this file
C:\WINDOWS\System32\xtdtfn.exe <--file
C:\WINDOWS\system32\apilt.exe <--file
I found these files in WINDOWS\Prefetch and I deleted them....is this right??

2.  I downloaded "The Hoster", but when I tried to "restore original hosts"  it told me my file access was denied.

3.  I can't find Control.exe in Windows\system 32....but when I try to do a search for it, or a search for anything, by using start..search..my computer freezes up...???

4.  After following all the instructions, when I click on IE, it first tries to go to comcast.net (my home page) and then I get a message that says Action Cancelled...and it automatically goes to www.ssearch.biz/?wmid=1010...(which is still the same problem I was having before).  

I am attaching my logs from HJT...and About Buster.....in a separate reply...because stupid me forgot to run them!!!!!!!

thanks

 
twins0810
« Reply #5 on: September 08, 2004, 02:37:41 AM »

okay...here are my logs for HJT and About Buster...
Thanks!!!!

Download Attachment: AB LogFile.txt 896 Bytes
Right click and select Save Target As... then rename the file as shown here and save.


I am just going to copy and paste my HJT log...because it's not letting me upload with the .log extension.  

Logfile of HijackThis v1.98.2
Scan saved at 10:34:27 PM, on 9/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Owner\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [RecoverFromReboo] C:\WINDOWS\Temp\RECOVE~1.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Help - {60BA2A89-51FD-43E4-A072-23E74D5D4C2C} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {8A760511-1030-4FDB-8C8F-50E3C39EBDDF} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Support - {8CD6C7B5-5AD9-433B-A126-5F6C477BF15E} - http://www.comcastsupport.com (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093223239812
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB


 
benditup
« Reply #6 on: September 08, 2004, 03:42:19 AM »

Not too sure what's going on at your side Twins
You first ran Hijackthis from this location
C:\Hijack This\HijackThis.exe
and now you're running from this location
C:\Documents and Settings\Owner\Local Settings\Temp\HijackThis.exe

Please don't run it from your Temp folder
If you do a DiskCleanup backups will be lost

Open Hijackthis from this location
C:\Hijack This\HijackThis.exe
You can have Hijackthis fix these entries
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [RecoverFromReboo] C:\WINDOWS\Temp\RECOVE~1.EXE
O9 - Extra button: Help - {60BA2A89-51FD-43E4-A072-23E74D5D4C2C} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {8A760511-1030-4FDB-8C8F-50E3C39EBDDF} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Support - {8CD6C7B5-5AD9-433B-A126-5F6C477BF15E} - http://www.comcastsupport.com (file missing) (HKCU)

RESTART your computer

It's okay to remove the entries from the Prefetch folder
but please check again in this directory
C:\WINDOWS\System32 <--look in this folder

Actually go back and Reread everything I outlined
I asked you to print it out
because any step missed may allow for reinfection
I can't see anything in your log that really looks bad anymore

Concerning your Control.exe file, I've uploaded a file called
Control-XPsp1, could you save it to your desktop and UNZIP it to your
C:\WINDOWS\system32 folder, allow to overwrite if prompted

Does Notepad work properly now???

===Open Hijackthis>>>>Config>>>Misc Tools>>>Open Hosts File Manager>>>Click "Open in Notepad"
Can you copy and Paste the WHOLE contents of the Notepad back here
If that doesn't work
Navigate to this Directory
C:\WINDOWS\SYSTEM32\DRIVERS\ETC open up the ETC folder
look for HOSTS file (no extension) Open it up with Notepad
Copy and paste the contents here
Could you also Right click on HOSTS---left click properties
Do you have a check in READ ONLY?

Did you look for that file for Spybot?

You should go do an ONLINE virus scan at
Housecall's----set it to autoclean
http://housecall.trendmicro.com/
and
Panda's Active Scan
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Remember to Post back with a Fresh hijackthis log and the Hosts contents
Keep me informed of exactly what you were able to accomplish

Download Attachment: control_xpsp1.zip 3.78 KB

 
twins0810
« Reply #7 on: September 08, 2004, 11:55:17 PM »

Hi Benditup.....Here is my progress so far:

I physically looked for those files in Windows\System32 and cannot find them.  I have also done a search for them and only came up with the ones in Prefetch (which I have already deleted).  However, when I ran About:Busters, I clearly saw it scanning the file Netro32.exe in System 32.  

I have followed every step so far in all of your instructions. I have printed everything out and checked and double checked everything.  

I thought notepad was working correctly, but when I tried to open the hosts file in the ETC folder, I got the message "Cannot open file.  Windows needs to know what program created it" and when I select use web service to find appropriate program, all I get is the about:blank page.  So I did it the other way you mentioned, and here is what was in the notepad:  
Well, I just tried to open it from notepad where I saved it, and I get the message that Windows cannot find the file notepad.exe.  If I remember correctly, it just had some numbers in it.  And there is a check mark in READ ONLY.  

I looked for the help file in Spybot, and it is there.  

I did a virus scan with Housecall....and pandasoftware.com.....housecall said I had 23 infected files that could not be cleaned...most of them named Trojan Horse...and here is my report from pandasoftware:
Again, same thing is happening.  I saved the report, and now windows is telling me that it cannot find the file notepad.exe.  And again if I remember correctly, there were a lot of infected files that said they could not be cleaned/fixed...most of which were the Trojan Horse.  Then again today, I got a message from Norton Anti-Virus saying that I have a Trojan Horse virus, and it cannot be cleaned, and access to the file is denied.  

I'm so confused!!!!  I don't know what is wrong with my computer.  My husband can go on his screenname and open his IE and it goes right to comcast.net.  But his screenname was the one that had first had the problems before mine did.  I also think that the virus scans showed that the virus was in my documents and settings folder\temp files.....I have cleaned out all my temporary files many times today just to make sure.  

Is there anything else I can do???  Could all of this have started from my reinstalling windows a couple weeks ago??  After I reinstalled, I went 2 days without a firewall.  I have never had problems like this before that.  

I am also attaching my latest hijack this log.  I have it up in notepad right now and I haven't closed it yet, so I am just going to copy and paste it, because it seems as if I can see these reports as they are saved in notepad, but it's when I go to reopen them that I keep getting that message that windows can't find notepad.exe.  
Logfile of HijackThis v1.98.2
Scan saved at 7:32:26 PM, on 9/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\winlogon.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093223239812
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Any help you can give me, I would greatly appreciate.  

 
benditup
« Reply #8 on: September 09, 2004, 12:45:43 AM »

OK twins, your log file looks ok, let's hope we can get the rest I can't see
Navigate to this directory
C:\WINDOWS\SYSTEM32\DRIVERS\ETC --- open it---Right click on HOSTS
Left click Properties and take the check out of READ ONLY
Now try and use Hoster to Restore Original Hosts

I'm uploading a file called notepad_xp.zip
Save it to your desktop
Unzip it to your C:\WINDOWS folder
and C:\WINDOWS\System32 folder
Allow to overwrite if prompted

Does Notepad work Properly now

You may have to disable system Restore if some bad files are found
in your System Volume Information folder
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

RESTART your computer into SAFE MODE
and try deleting those files found infected
If you're not sure of the names you will have to rescan at Housecall's and take note

You may have to take ownership of the files
If you have XP PRO

Open Windows Explorer>>>>Folder Options>>>View
Scroll to the bottom of the list to find the box labeled:
Use Simple File Sharing(Recommended)
Remove the check from that box and press ok.
If you have XP Home you won't have this option

Right click on a file
use the security tab on a file and take ownership.
Change the 'everyone special' to
'you> with Admin rights-> FULL control
Then try to delete it, if that fails try to rename a file
eg...nojustice.exe>>>nojustice.txt

If you're formatted in FAT32---Right click on the file--left click properties----take the check out of READ ONLY if it is checked

Hijackthis has a Delete file on Reboot feature but I will have to know the name of the files and directories......


Download Attachment: notepad_xp.zip 35.36 KB
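Reply #6 above asks for the contents of the HOSTS file and whether it is marked READ ONLY, and Reply #8 has the attribute cleared so Hoster can restore the file. The Python script below is an added example, not from this thread and not part of Hoster: it parses a hosts file, flags watched security-vendor, update and search domains that are pinned to loopback (which silently blocks the site) or sent to some other address (which redirects it), and reports the Windows read-only attribute. The sample hosts file and the watched-domain list are constructed for the example; 203.0.113.5 is an RFC 5737 documentation address standing in for a hijacker's server.

```python
import os
import stat

# Constructed hosts file: the standard localhost line, two vendor sites from this
# thread pinned to loopback, a search site sent to a documentation address, and
# an ordinary ad-blocking entry that should not be reported.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
127.0.0.1       localhost
127.0.0.1       housecall.trendmicro.com
127.0.0.1       www.pandasoftware.com   # vendor site silently blocked
203.0.113.5     www.google.com
0.0.0.0         ads.example.net
"""

# Assumed watch list, built from the vendors and sites named in this thread.
# Any hosts entry for these is worth a question on a home PC.
WATCHED_DOMAINS = (
    "windowsupdate.microsoft.com",
    "trendmicro.com",
    "pandasoftware.com",
    "symantec.com",
    "mcafee.com",
    "google.com",
)
# Addresses that make a name resolve to nothing useful.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower()


def is_watched(hostname):
    """True when hostname is, or is a subdomain of, a watched domain."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def audit_hosts(text):
    """Return findings for watched domains.

    verdict is 'blocked' when the name is sent to a sinkhole address and
    'redirected' when it is sent anywhere else; localhost is always fine.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost" or not is_watched(name):
            continue
        verdict = "blocked" if ip in SINKHOLE_IPS else "redirected"
        findings.append({"host": name, "ip": ip, "verdict": verdict})
    return findings


def is_read_only(path):
    """True when the file carries the Windows read-only attribute (always False on other OSes)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_READONLY)


def clear_read_only(path):
    """Drop the read-only attribute so a restore tool can overwrite the file."""
    os.chmod(path, stat.S_IREAD | stat.S_IWRITE)


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"{f['verdict']:10} {f['host']} -> {f['ip']}")
    hosts_path = r"C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts"
    if os.path.exists(hosts_path):
        print("read-only:", is_read_only(hosts_path))
        with open(hosts_path, encoding="utf-8", errors="replace") as fh:
            for f in audit_hosts(fh.read()):
                print(f"{f['verdict']:10} {f['host']} -> {f['ip']}")
```

Clearing the attribute is only part of the picture: twins0810 reports that Hoster still got "access denied" after READ ONLY was unchecked, which is what you see when another process holds the file open or NTFS permissions, not the attribute, are blocking the write; that is the case Reply #8's take-ownership steps are for.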

 
twins0810
« Reply #9 on: September 09, 2004, 06:21:22 PM »

Hi Benditup,

 I think I am all set now...let's hope!!!  Notepad is working properly since I downloaded the file.  

I tried to delete the files manually, but I kept getting a message that said the access to the file was denied.  What I wound up doing was using EastCoastEraser 2004 to permanently delete the files.  

The only thing I haven't been able to do was Restore Original Hosts.  I removed the READ ONLY check....but when i went back to hoster, it still told me access was denied.  

But thankfully, my IE is no longer going to About:Blank.  I have Norton Anti-Virus, and I am only using the ICF in Windows.  Would you suggest an additional firewall like ZAP or McAfee...or anything else you would suggest for added protection to my PC, I would appreciate your input.  

Thank you so much for all of your help and quick replies.  I will certainly be letting my friends know of this great resource!!

 