MyTechSupport.ca :: Your Computer Technical Resource Headquarters! MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
HOME FORUMS RESOURCES & TOOLS ARTICLES ONLINE STORE ABOUT US
Computer Support Forums arrow Internet & Network Support arrow Security & Viruses arrow Topic: mypoiskovik!!
September 18, 2019, 06:06:17 AM
 

Home Forum Rules Help Search Mobile Version Login Register

Welcome, Guest. Please login or register.
Did you miss your activation email?
September 18, 2019, 06:06:17 AM

Login with username, password and session length
 
News
Welcome to MyTechSupport.ca! - Registration is FREE, so why not join our friendly community today?
  0 Members and 1 Guest are viewing this topic.
Pages: [1] Go Down Print
Author Topic: mypoiskovik!!  (Read 1415 times)
brodieman214
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 7


Bookmark and Share

View Profile
« on: September 08, 2004, 01:39:12 AM »

Hoo boy this one has got me pretty miffed any help would be greatly aprreciated. I have already run cwshredder and spybot s and d.

Logfile of HijackThis v1.98.2
Scan saved at 9:16:07 PM, on 9/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ewinmklx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Vanessa\Application Data\eare.exe
C:\WINDOWS\System32\rjerm.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\Documents and Settings\Vanessa\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\tqivu.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {50838896-9654-6D5F-8DD1-DC592611A0D7} - C:\WINDOWS\system32\apihm.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pwbzzejtuwun] C:\WINDOWS\System32\ewinmklx.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Diow] C:\Documents and Settings\Vanessa\Application Data\eare.exe
O4 - HKCU\..\Run: [Fwevj] C:\WINDOWS\System32\rjerm.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: winlgn.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094346883222


« Last Edit: September 08, 2004, 02:05:37 PM by benditup » Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #1 on: September 08, 2004, 05:54:17 PM »

Looking at your log now Brodie, I'll post back in a bit
Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #2 on: September 08, 2004, 06:13:30 PM »

Hi brodieman,
I want to make sure that you have the latest version of CWSHREDDER
You can download it from
HERE
Save it to your desktop, we'll need it later

Could you also Create a New folder on your desktop, call it Aboutbuster
Download to desktop About:Buster
by RubbeR Ducky
Unzip it to that new folder===Run this later

Your running Hijackthis from your Temp folder
Important---Create a permanent folder hijackthis
EG---- Open MyDocuments----Right click an empty spot and select NEW---Folder----Name the new folder HJT
OR create a folder as C:\HJT---this is where you will want to save Hijackthis too, also, backups will be stored there.
redownload from
HERE or HERE
Choose Save to Disk Rather than OPEN

Set Windows to Show Hidden Files and Folders

RESTART your Computer in SAFE MODE

Navigate to these files or folders and delete them if they exist
C:\WINDOWS\System32\rjerm.exe <--this file
C:\WINDOWS\System32\ewinmklx.exe <--this file
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe <-this file, DON'T delete winlogon in a different directory

C:\Documents and Settings\Vanessa\Application Data\eare.exe <--file

===Stay in Safe mode
Do another Scan with Hijackthis and put a check next to these entries
and then FIX CHECKED when ALL other windows are closed

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\tqivu.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {50838896-9654-6D5F-8DD1-DC592611A0D7} - C:\WINDOWS\system32\apihm.dll (file missing)

O4 - HKLM\..\Run: [pwbzzejtuwun] C:\WINDOWS\System32\ewinmklx.exe
O4 - HKCU\..\Run: [Diow] C:\Documents and Settings\Vanessa\Application Data\eare.exe
O4 - HKCU\..\Run: [Fwevj] C:\WINDOWS\System32\rjerm.exe
O4 - Global Startup: winlgn.exe

O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com


After you have FIX CHECKED and close Hijackthis
Open up Just CWShredder and let it FIX all problems

Next open up About:buster you unzipped earlier
===Start About:Buster and hit ok.   Now for the scanning part. Hit Start and then Ok. The program should start scanning.Let it finish and then scan a second time. Then hit exit

===RESTART back in Normal Mode
Download and Install the free version of Ad-Aware
After installation-CHECK FOR UPDATES
Do A Full System Scan---Remove all Critical Objects
RESTART your computer to finish the cleaning process

POST back with a Fresh hijackthis log

Could you also open up your Spybot folder
Normally Spybot is installed in this directory
C:\Program Files\Spybot - Search & Destroy
See if the SDHelper.dll file is missing, if not present we will
want to replace it

Open Hijackthis>>>>Config>>>Misc Tools>>Open Hosts File Manager>>
Click "Open in Notepad" Post back the Whole contents of notepad in your reply with the Hijackthis log too

Could you also Download GetServices.zip
Unzip it to a folder
Double click on the Getservice.bat file to run it. This will create and open a text file named getservice.txt in the same folder.
getservice.txt will list all active Services

Please attach it in your reply, Simply click the "Inser File Attachment" below the reply box
Browse to getservice.txt---Right click on it and Select it
Click the Upload File

I would also like to see the About:buster logs if you can post them in your reply too, thanks

RECAP---do the above steps
Post back with a Fresh hijackthis log, About:buster logs
Contents of notepad from Hosts file manager
Let me know if sdhelper.dll is missing
Attach GetServices.txt file
Logged

 
brodieman214
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 7


Bookmark and Share

View Profile
« Reply #3 on: September 09, 2004, 12:10:28 AM »

Well here is the updated HJT log.  Let me know if you see anything there that does not belong.

Logfile of HijackThis v1.98.2
Scan saved at 7:58:56 PM, on 9/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Vanessa\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #4 on: September 09, 2004, 12:25:12 AM »

Well, OK, I say it looks good
But you managed to only the remove entries with hijackthis and didn't follow
any other steps I outlined
So, I guess, I'll have to say I hope you stay clean

Still running hijackthis from that temp directory..... I hope you don't lose your backups....
Logged

 
brodieman214
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 7


Bookmark and Share

View Profile
« Reply #5 on: September 11, 2004, 04:49:55 AM »

BENDITUP: Thanks for taking the time to help me out.  I followed your directions as best I could (I haven't slept all week and this computer problem isn't making things any easier).  Here is the newiest in new HJT log, as well as the AB log.  Please look them over and get back to me.  Thanks again!

Logfile of HijackThis v1.98.2
Scan saved at 12:45:41 AM, on 9/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Altnet\Points Manager\Points Manager.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\hhms.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\NOMAD Jukebox 2\PlayCenter2\CTNMRUN.EXE
C:\WINDOWS\system32\winmm64.exe
C:\WINDOWS\system32\sysy.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
c:\documents and settings\vanessa\local settings\temp\fsg_4104.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Vanessa\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=n-ex
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=n-ex
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://s-redirect.com/?a=2&b=n-ex
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://s-redirect.com/?a=2&b=n-ex
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://s-redirect.com/?b=n-ex
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://s-redirect.com/?a=2&b=n-ex
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://s-redirect.com/?a=2&b=n-ex
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://s-redirect.com/?a=2&b=n-ex
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://s-redirect.com/?a=2&b=n-ex
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=n-ex
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=n-ex
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [hhms] C:\WINDOWS\hhms.exe
O4 - HKLM\..\Run: [Trickler] "c:\documents and settings\vanessa\local settings\temp\fsg_4104.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\NOMAD Jukebox 2\PlayCenter2\CTNMRUN.EXE"
O4 - HKCU\..\Run: [cvchost] c:\windows\svchost.exe
O4 - HKCU\..\Run: [SpywareGuardPlus] C:\WINDOWS\system32\winmm64.exe
O4 - HKCU\..\Run: [hhms] C:\WINDOWS\hhms.exe
O4 - HKCU\..\Run: [sysy] C:\WINDOWS\system32\sysy.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094346883222

Scanned at: 12:30:30 AM   on: 9/11/2004


-- Scan 1 ---------------------------
About:Buster Version 3.0
Reference List : 15

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 3.0
Reference List : 15

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #6 on: September 11, 2004, 05:28:42 AM »

Things just went from bad to Worse
Now you went and installed the free version of Kazaa and all of it's bundled spyware, bet ya the computer got a little slower

Let's get that uninstalled first and find you a spyware free one later

I need you to follow along however, I asked for a Getservices.txt log that you didn't supply... Go back and read the post and upload that log
please.......

But first.....Ensure that you install Ad-Aware from that link I supplied
After installation----CHECK FOR UPDATES
We'll run this later
Open Spybot and SEARCH FOR UPDATES---run this later

Set Windows to Show Hidden Files and Folders

Do as much of this as you can and then post back
You may want to print this out
Disconnect from the Internet(Close all browsers)

Open Hijackthis>>>>>Config>>>Misc Tools>>>>Open Process Manager
Kill these processes
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Altnet\Points Manager\Points Manager.exe
C:\WINDOWS\hhms.exe
C:\WINDOWS\system32\winmm64.exe
C:\WINDOWS\system32\sysy.exe
c:\documents and settings\vanessa\local settings\temp\fsg_4104.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe

NEXT: Access your Add/Remove Programs via Control Panel and Remove
Kazaa Media Desktop
P2P Networking and Altnets


Do another Scan with Hijackthis and put a check next to these entries
and then FIX CHECKED when ALL other windows are closed
Including this one

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=n-ex
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://s-redirect.com/?a=2&b=n-ex
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://s-redirect.com/?a=2&b=n-ex
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://s-redirect.com/?a=2&b=n-ex
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://s-redirect.com/?b=n-ex
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://s-redirect.com/?a=2&b=n-ex
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://s-redirect.com/?a=2&b=n-ex
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://s-redirect.com/?a=2&b=n-ex
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://s-redirect.com/?a=2&b=n-ex
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=n-ex
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://s-redirect.com/?a=2&b=n-ex
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s

O4 - HKLM\..\Run: [hhms] C:\WINDOWS\hhms.exe
O4 - HKLM\..\Run: [Trickler] "c:\documents and settings\vanessa\local settings\temp\fsg_4104.exe"

O4 - HKCU\..\Run: [cvchost] c:\windows\svchost.exe
O4 - HKCU\..\Run: [SpywareGuardPlus] C:\WINDOWS\system32\winmm64.exe
O4 - HKCU\..\Run: [hhms] C:\WINDOWS\hhms.exe
O4 - HKCU\..\Run: [sysy] C:\WINDOWS\system32\sysy.exe

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -


RESTART your Computer in SAFE MODE

Find and delete these files or folders if they exist
C:\WINDOWS\hhms.exe <--this file
c:\documents and settings\vanessa\local settings\temp\fsg_4104.exe" <--file
C:\WINDOWS\system32\winmm64.exe <--file
C:\WINDOWS\system32\sysy.exe <--file

c:\windows\svchost.exe <--this file, DON'T delete svchost.exe
in the System32 folder..........

C:\Program Files\Common files\updmgr <--this folder
C:\Program Files\Altnet <--folder
C:\WINDOWS\System32\P2P Networking <--folder

Do a DiskCleanup>>START----Run---type in cleanmgr
Ensure that Temp and Temporary Internet Files are checked

RESTART back in Normal Mode
Open Ad-Aware-----Do a Full System Scan and remove all critical objects
Open Spybot---check for problems---Fix Everything in RED

RESTART your computer to Finish the cleaning

Post back with a Fresh Hijackthis log
Could you also supply me with that GetServices.txt

And one more thing
Could you also Download DLLCompare


Start the Program and click the Run Locate.com
Default settings should work---C:\Windows\System32 directory
Let it complete the SCAN, which won't take long

Click the Compare button to start the next process.This will take a bit longer.
The results appear in two panes - files in the upper pane have been verified to 'exist'.
Files in the lower pane were 'not able to be accessed'.
Very few files should be listed in the lower pane,if any, when the Compare scan is complete.
Click on each of the listed entries in the lower pane to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and then if so it will be removed from the list to reduce the number of identified files.

Click the Make a Log of what was found button


Post the dllcompare log too, thanks.....
Logged

 
brodieman214
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 7


Bookmark and Share

View Profile
« Reply #7 on: September 11, 2004, 05:43:03 AM »

Ok let me get to work.  I will reply back soon.  Thanks again for your patience!
Logged

 
brodieman214
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 7


Bookmark and Share

View Profile
« Reply #8 on: September 11, 2004, 06:44:03 AM »

Alright here is the info you asked for:

HJT
Logfile of HijackThis v1.98.2
Scan saved at 2:33:21 AM, on 9/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\NOMAD Jukebox 2\PlayCenter2\CTNMRUN.EXE
C:\Palm\HOTSYNC.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Documents and Settings\Vanessa\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\NOMAD Jukebox 2\PlayCenter2\CTNMRUN.EXE"
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094346883222

Buster:
-- Scan 1 ---------------------------
About:Buster Version 3.0
Reference List : 15

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 3.0
Reference List : 15

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!



And DLL:
*    DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found Smiley"
________________________________________________

1,145 items found:  1,145 files, 0 directories.
Total of file sizes:  202,792,767 bytes    193.39 M

Administrator Account =  True

--------------------End log---------------------


Download Attachment: New Text Document.txt 42.26 KB
Right click and select Save Target As... then rename the file as shown here and save.

Edited this to attach the Getservices.txt
« Last Edit: September 11, 2004, 07:12:36 AM by benditup » Logged

 
benditup
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 2105


Bookmark and Share

View Profile
« Reply #9 on: September 11, 2004, 07:21:55 AM »

That's looking better brodieman, how's everything running

Optionally, you can have Hijackthis fix this entry, it's not needed on
startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

If you don't need the Kodak Software Updater running on startup
It can be disabled within the program itself
http://faqs.kodak.com/EasyShare_Software_English/FAQ_7_841.shtm

If everything is running better, you should Flush out your Restore Points
Simply Disable System Restore---Restart your computer---enable system restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

I noticed that Messenger is running in your GetServices.txt
This can cause popups, even with your browser closed
Most have it disabled
Go to START>>>RUN>>>type in services.msc and hit Enter
In the next window, look on the right hand side for this service
name---- Messenger

Double click on it--- STOP the service--
In the drop down menu, change the startup type to Disabled
from Automatic
You can do the same for Alerter too

You should install these 2 apps., they add extra security while
silently protecting you, without running in the background

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==http://www.bleepingcomputer.com/forums/index.php?showtutorial=53
Download link==https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
Scroll down and click on IE-SPYAD.EXE Free!

With both, Check for updates every couple of weeks
Logged

 
Pages: [1] Go Up Print 
 
Jump to:  

Powered by MySQL Powered by PHP

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines

Valid XHTML 1.0! Valid CSS!

Disclaimer
This site is NOT responsible for any damage that the information on this site may cause to your system. Everything you try, whether inspired by the response given from this site or not, is entirely at your own risk. All product names and company names used herein are for identification purpose only and may be trademarks or registered trademarks of their respective owners. We are in no way affiliated or representing any of the companies on this site unless specified.
Back to Top
Stop Spam Harvesters, Join Project Honey Pot Fight Back Against Spammers! Get Firefox! Get Thunderbird! View Sylvain Amyots profile on LinkedIn
Back to Top
Google visited last this page June 08, 2017, 12:35:13 AM