Topic: Started with about:blank and has now escalated...
Haxaw
« on: November 02, 2004, 03:12:47 PM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version: Windows 98 SE
Problem Application Name & Version: IE 6.0.2800.1106
Problem Hardware Make & Model: N/A
Error Messages: N/A

Hello everyone,

This is the HijackThis log from my friend's computer (he knows almost nothing about computers). He had a problem with about:blank but that has now escalated to include p*rn and ad software that I can't seem to get rid of for him. Please help!
Thank you in advance,
Haxaw.

Logfile of HijackThis v1.98.2
Scan saved at 9:57:27 AM, on 02/11/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SYSTIME.EXE
C:\WINDOWS\SYSTEM\SYSTIME.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.terra.es/personal8/robrimer/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.terra.es/personal8/robrimer/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.terra.es/personal8/robrimer/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.182:6588
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {0AEFFBC1-0271-11D9-9747-00C0DD97DA75} - C:\WINDOWS\SYSTEM\DNOFKL.DLL
O2 - BHO: (no name) - {81F07598-5979-7468-634B-57A677138290} - (no file)
O2 - BHO: (no name) - {988013BE-7AB7-48f4-992E-44C309D65A48} - C:\WINDOWS\SYSTEM\nlsman.dll
O2 - BHO: (no name) - {48AC355A-E318-7BC3-8753-60550DF27F45} - C:\WINDOWS\SYSTEM\EEOSS.DLL
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\QUESTMOD.DLL
O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - C:\WINDOWS\IEHR.DLL
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\LOCALNRD.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\CFGWIZ.EXE /R
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O4 - HKLM\..\Run: [Windows AdTools] C:\PROGRAM FILES\WINDOWS ADTOOLS\WINADTOOLS.EXE
O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
O4 - HKLM\..\Run: [ngwtnhofgb] C:\WINDOWS\SYSTEM\luawli.exe
O4 - HKLM\..\Run: [CONSCORR] C:\WINDOWS\CONSCORR.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O4 - HKCU\..\Run: [Nrae] C:\WINDOWS\Application Data\aatt.exe
O4 - HKCU\..\Run: [Fxn] C:\WINDOWS\SYSTEM\ancpanh.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.clickspring.net
O16 - DPF: Win32 Classes - file://C:\WINDOWS\Java\classes\win32ie4.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O16 - DPF: {770C0A54-BEAF-05F6-1701-7C0E1A129FF5} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {4B41E78B-9FF8-5C39-D22A-6A1356713E9C} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {3B18FAFE-6703-4F8E-B22E-07CD252C3EFD} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {41028D84-3BC0-7B52-93F0-65F711F75E6A} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {792B76FB-4146-0B2A-F689-695A4883147A} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {31C5C08F-0189-436C-DAAE-3038091399E7} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {20747446-BAF0-7BBC-DD46-03C30EFAA36C} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {25F7D2F9-5248-4AF0-6062-715B545BA5D3} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {2259DD23-DA7E-2B3C-246D-0C247D36710F} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {751B14DF-D8AB-5965-4C8B-02DD42E0B019} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {2B0E3AAD-76DC-5294-C644-51001260E53C} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {581BA1D0-8ADB-188A-4EA9-26484E093EA6} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {5FA077E2-D50F-4E15-3E02-46363D0B97F4} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {22FA2172-18D7-6AF6-83CF-38E60E870C77} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {736BFA08-F848-541B-4E34-613B5E8A8EB1} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {014B11DD-7F7C-3EF7-A4A0-4FA05237A770} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {57FE54A9-6604-3B29-4516-26E82F2236EB} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {57A57B1D-208E-6FA5-DE3F-10B1211494C8} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {6A416375-C22E-23BF-3BDF-5CE4784103BB} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {71E0C75D-FBE2-2EBA-22B9-088D464AF15B} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {1871009B-371A-3CB8-0EF3-35E11BFEF223} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {00101245-A040-7B29-BFD4-0AB5207D1B38} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {51BEC7D8-97CC-2235-BBFB-05E217AEC5F8} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {23C46787-9602-3ACA-7C45-53AC6E668968} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {0401889D-F3BE-2632-40B6-34E5380E89F3} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {3B3915A3-6CF6-0FBD-B863-1EAF268672B7} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {16920C80-8487-7C02-C3B6-4D220D5C97A7} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {00F97C19-2906-1305-136D-47595BCCED1D} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {1A7E071D-9FD2-0997-75CD-3F5A6C1C0116} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {7BB3FA01-CEF5-19D4-73DD-01FF74B292F1} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {1EB2B621-D5E6-48D1-2C76-15027941ED57} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {69802AE9-AC77-7974-618A-7DDA48194635} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {5D8273C4-24B9-75C1-A6D7-761627EC1ADB} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {07608D75-E0FE-1E0B-F6D4-67047F060B00} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {628D3FDF-700E-0A0E-278F-688A3D1EAD40} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {5899843E-AF97-7FB0-4CA1-259570CA5C4C} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {39AD7B56-0790-7A43-A41E-1A097532D6E2} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {183E7F22-0CB0-2CAA-196E-2FFB64657B39} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {4CA9B6E7-05B6-47B4-3F49-228C1540241C} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {52475F2A-6D58-7707-A243-44266BDCCCC2} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {52F6CA4F-9769-4B8D-1BF9-25AE30A8ADEE} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {53B893FA-EAC9-0D31-8788-22DF7966AFF4} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {78B68D5E-3617-2311-88CE-6EF77A06D16B} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {04EB4861-17EB-193D-7EF0-3F1B3444ABC7} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {2FE1491E-1022-53D9-E07E-6F0E7035C375} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {401B8DCA-6C87-45CA-5ED7-03FE1BFDDBFB} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {283FA788-22D6-3105-74BA-093364D6844C} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {1878E20A-DBAA-043F-377A-537A03E3C7E5} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {51B8A553-CEE7-63F4-2D8B-1546029E8AD7} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {2D1A28F2-271F-5285-DFFD-48EB24CA797C} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {73DF4879-57D6-7C42-3269-57FC066ACFDD} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {1F71C336-973E-51E4-A88B-5EDF0658FD39} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {64D743E5-7F3C-1016-1DAA-2825764E494E} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {072FC338-07B6-527D-894E-33301AC82B27} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {0CC18F41-55FE-70A6-DAE8-5FD063A13FEB} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {7461CAE8-C4D6-1675-6D99-3F4755B2451D} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {35801529-BC34-16C1-D787-1D776756D826} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=2bda0e8d0b400d047a0900ff439cca7d6a020d6cf16536241204cfe08c882945c1b639da0c5f43ea407ea4f14e5e21ea27e0f2a3e3466b79e53516041838f67673:9a90ad32a98a08d26e670f291c7a5c2c
O18 - Protocol: pm - {A479F961-CC9E-11D0-A220-000000000000} - C:\PROGRAM FILES\COMMON FILES\REPRO DESK\PMPROTOCOL.DLL
O18 - Filter: text/html - {0AEFFBC0-0271-11D9-9747-00C0B2DB7FEE} - C:\WINDOWS\SYSTEM\DNOFKL.DLL
O18 - Filter: text/plain - {0AEFFBC0-0271-11D9-9747-00C0B2DB7FEE} - C:\WINDOWS\SYSTEM\DNOFKL.DLL

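Reading a HijackThis log by hand, the way the replies in this thread do, comes down to a few per-section rules: IE start/search settings pointing at a bare IP or about:NavigationFailure, an unexpected ProxyServer, BHOs with no name or no file, autostart names that look generated, Trusted Zone additions, ActiveX (O16) downloads from raw IPs, and O18 MIME filters on text/html. The script below is an added example, not code from the original thread or from HijackThis; it applies those rules to lines copied from the log above plus two benign system entries, and the vowel-ratio test for O4 names is a heuristic I chose, not anything the thread describes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# HijackThis v1.98.2 lines copied from the log above, plus two benign system
# entries (ScanRegistry, the &Radio toolbar) so the rules have something to pass.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.182:6588
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {0AEFFBC1-0271-11D9-9747-00C0DD97DA75} - C:\WINDOWS\SYSTEM\DNOFKL.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [ngwtnhofgb] C:\WINDOWS\SYSTEM\luawli.exe
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {770C0A54-BEAF-05F6-1701-7C0E1A129FF5} - http://213.159.117.150/1/rdgCA10.exe
O18 - Filter: text/html - {0AEFFBC0-0271-11D9-9747-00C0B2DB7FEE} - C:\WINDOWS\SYSTEM\DNOFKL.DLL
"""


@dataclass
class Finding:
    kind: str    # HijackThis section code, e.g. "R1", "O2", "O16"
    reason: str  # why the entry deserves a look
    line: str    # the original log line


# Matches a URL whose host is a dotted-quad IP literal rather than a hostname.
IP_URL = re.compile(r"^https?://(\d{1,3}\.){3}\d{1,3}(?=[:/]|$)")
VOWELS = set("aeiouy")


def looks_random(name: str) -> bool:
    """Heuristic (my assumption, not a HijackThis rule): vowel-poor names such as
    'ngwtnhofgb' or 'Fxn' read as generated; ScanRegistry or TaskMonitor do not."""
    letters = [c for c in name.lower() if c.isalpha()]
    if not letters:
        return False
    vowels = sum(c in VOWELS for c in letters)
    return vowels / len(letters) <= 0.2


def check_line(line: str) -> Optional[Finding]:
    """Apply one triage rule per HijackThis section; None means nothing to flag."""
    m = re.match(r"^(R\d|O\d+) - (.*)$", line.strip())
    if not m:
        return None
    kind, body = m.groups()

    if kind in ("R0", "R1") and " = " in body:
        key, value = body.split(" = ", 1)
        if key.endswith("ProxyServer"):
            return Finding(kind, "proxy set on the user's behalf; traffic can be redirected", line)
        if value == "about:NavigationFailure":
            return Finding(kind, "IE search/start setting points at about:NavigationFailure", line)
        if IP_URL.match(value):
            return Finding(kind, "IE start/search page is a bare IP address", line)
    elif kind == "O2":
        if body.endswith("(no file)"):
            return Finding(kind, "BHO registered but its DLL is gone (leftover registration)", line)
        if "(no name)" in body:
            return Finding(kind, "unnamed BHO loads into every IE process", line)
    elif kind == "O4":
        nm = re.search(r"\[([^\]]*)\]", body)
        if nm and looks_random(nm.group(1)):
            return Finding(kind, f"autostart name '{nm.group(1)}' looks generated", line)
    elif kind == "O15":
        return Finding(kind, "site added to the Trusted zone (relaxed security settings)", line)
    elif kind == "O16":
        url = body.rsplit(" - ", 1)[-1].strip()
        if not url.startswith("http"):
            return Finding(kind, "DPF entry with no download URL", line)
        if IP_URL.match(url) or url.lower().endswith(".exe"):
            return Finding(kind, "ActiveX download from a bare IP or direct .exe", line)
    elif kind == "O18" and body.startswith("Filter:"):
        return Finding(kind, "MIME filter on text/html or text/plain sees every page", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run check_line over a whole log and keep only the flagged entries."""
    return [f for f in (check_line(ln) for ln in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:4} {f.reason}\n     {f.line}")
```

An entry the rules do not flag is not thereby clean (the named "ie" BHO in the log above passes every rule here), so the output is a starting list for review, not a verdict.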
jvic
« Reply #1 on: November 03, 2004, 12:09:00 AM »

Please download and run the following programs:

AD-AWARE

Install the program and launch it.

First, in the bottom right-hand corner of the main window click on Check for updates now, then click Connect and download the latest reference files.

Then, in the main window: click Start and under Select a scan Mode tick Perform full system scan.

Then, deselect Search for negligible risk entries.

To start the scan, click the Next button.

When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop-down menu and then click Next.)

Restart your computer.


SPYBOT SEARCH & DESTROY

Open Spybot Search & Destroy (click Start, Programs, Spybot S&D (Advanced Mode)). Click Online, Search for updates, Download all available updates. Close all browser windows and click "Check for Problems". Anything that needs to be fixed will show in red and have a green check in the box to the left. Click "Fix Selected Problems", then restart your computer.

Run HijackThis and post a new log.

« Last Edit: November 09, 2004, 12:32:08 PM by jvic »

John Vickers
Haxaw
« Reply #2 on: November 04, 2004, 03:37:34 PM »

Thank you for your quick response and sorry about the delay on my response. I had some problems. I had to perform the Ad-Aware/Spybot procedure you recommended twice because the first time I got error messages and system hangs. Ad-Aware SE (I had been using Ad-Aware 6 but upgraded) keeps hanging during the "deleting" portion of the quarantine procedure. Spybot seemed to fix everything the second time around, but both times when it is finished and I try to launch Windows Explorer I get an error message that says that there is a problem with IE and that it has to be shut down. Thing is, IE isn't running...

Anyway, here is the latest HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 10:18:09 AM, on 04/11/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.182:6588
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {0AEFFBC1-0271-11D9-9747-00C0DD97DA75} - C:\WINDOWS\SYSTEM\DNOFKL.DLL
O2 - BHO: (no name) - {81F07598-5979-7468-634B-57A677138290} - (no file)
O2 - BHO: (no name) - {988013BE-7AB7-48f4-992E-44C309D65A48} - C:\WINDOWS\SYSTEM\nlsman.dll
O2 - BHO: (no name) - {48AC355A-E318-7BC3-8753-60550DF27F45} - C:\WINDOWS\SYSTEM\EEOSS.DLL
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\QUESTMOD.DLL
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\LOCALNRD.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\CFGWIZ.EXE /R
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O4 - HKLM\..\Run: [Windows AdTools] C:\PROGRAM FILES\WINDOWS ADTOOLS\WINADTOOLS.EXE
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O4 - HKCU\..\Run: [Nrae] C:\WINDOWS\Application Data\aatt.exe
O4 - HKCU\..\Run: [Fxn] C:\WINDOWS\SYSTEM\ancpanh.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.clickspring.net
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O16 - DPF: {770C0A54-BEAF-05F6-1701-7C0E1A129FF5} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {4B41E78B-9FF8-5C39-D22A-6A1356713E9C} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {3B18FAFE-6703-4F8E-B22E-07CD252C3EFD} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {41028D84-3BC0-7B52-93F0-65F711F75E6A} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {792B76FB-4146-0B2A-F689-695A4883147A} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {31C5C08F-0189-436C-DAAE-3038091399E7} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {20747446-BAF0-7BBC-DD46-03C30EFAA36C} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {25F7D2F9-5248-4AF0-6062-715B545BA5D3} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {2259DD23-DA7E-2B3C-246D-0C247D36710F} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {751B14DF-D8AB-5965-4C8B-02DD42E0B019} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {2B0E3AAD-76DC-5294-C644-51001260E53C} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {581BA1D0-8ADB-188A-4EA9-26484E093EA6} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {5FA077E2-D50F-4E15-3E02-46363D0B97F4} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {22FA2172-18D7-6AF6-83CF-38E60E870C77} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {736BFA08-F848-541B-4E34-613B5E8A8EB1} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {014B11DD-7F7C-3EF7-A4A0-4FA05237A770} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {57FE54A9-6604-3B29-4516-26E82F2236EB} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {57A57B1D-208E-6FA5-DE3F-10B1211494C8} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {6A416375-C22E-23BF-3BDF-5CE4784103BB} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {71E0C75D-FBE2-2EBA-22B9-088D464AF15B} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {1871009B-371A-3CB8-0EF3-35E11BFEF223} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {00101245-A040-7B29-BFD4-0AB5207D1B38} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {51BEC7D8-97CC-2235-BBFB-05E217AEC5F8} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {23C46787-9602-3ACA-7C45-53AC6E668968} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {0401889D-F3BE-2632-40B6-34E5380E89F3} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {3B3915A3-6CF6-0FBD-B863-1EAF268672B7} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {16920C80-8487-7C02-C3B6-4D220D5C97A7} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {00F97C19-2906-1305-136D-47595BCCED1D} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {1A7E071D-9FD2-0997-75CD-3F5A6C1C0116} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {7BB3FA01-CEF5-19D4-73DD-01FF74B292F1} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {1EB2B621-D5E6-48D1-2C76-15027941ED57} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {69802AE9-AC77-7974-618A-7DDA48194635} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {5D8273C4-24B9-75C1-A6D7-761627EC1ADB} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {07608D75-E0FE-1E0B-F6D4-67047F060B00} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {628D3FDF-700E-0A0E-278F-688A3D1EAD40} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {5899843E-AF97-7FB0-4CA1-259570CA5C4C} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {39AD7B56-0790-7A43-A41E-1A097532D6E2} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {183E7F22-0CB0-2CAA-196E-2FFB64657B39} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {4CA9B6E7-05B6-47B4-3F49-228C1540241C} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {52475F2A-6D58-7707-A243-44266BDCCCC2} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {52F6CA4F-9769-4B8D-1BF9-25AE30A8ADEE} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {53B893FA-EAC9-0D31-8788-22DF7966AFF4} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {78B68D5E-3617-2311-88CE-6EF77A06D16B} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {04EB4861-17EB-193D-7EF0-3F1B3444ABC7} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {2FE1491E-1022-53D9-E07E-6F0E7035C375} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {401B8DCA-6C87-45CA-5ED7-03FE1BFDDBFB} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {283FA788-22D6-3105-74BA-093364D6844C} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {1878E20A-DBAA-043F-377A-537A03E3C7E5} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {51B8A553-CEE7-63F4-2D8B-1546029E8AD7} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {2D1A28F2-271F-5285-DFFD-48EB24CA797C} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {73DF4879-57D6-7C42-3269-57FC066ACFDD} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {1F71C336-973E-51E4-A88B-5EDF0658FD39} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {64D743E5-7F3C-1016-1DAA-2825764E494E} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {072FC338-07B6-527D-894E-33301AC82B27} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {0CC18F41-55FE-70A6-DAE8-5FD063A13FEB} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {7461CAE8-C4D6-1675-6D99-3F4755B2451D} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {35801529-BC34-16C1-D787-1D776756D826} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=2bda0e8d0b400d047a0900ff439cca7d6a020d6cf16536241204cfe08c882945c1b639da0c5f43ea407ea4f14e5e21ea27e0f2a3e3466b79e53516041838f67673:9a90ad32a98a08d26e670f291c7a5c2c
O16 - DPF: {03D7FA87-0A04-121D-AFC0-4233593DB574} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {1A00F70D-A185-4FAF-B199-66FA26B933A1} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {6A63BEBA-C549-2319-BED7-72985141F8D8} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {60B5E9EB-9C5A-4C02-7A37-0B941541AEFC} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {54D2782F-E46A-6E3D-E87B-092F44B59073} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {6175CA73-721D-6BCE-144B-57B7543B94D1} - http://213.159.117.150/1/rdgCA10.exe
O18 - Protocol: pm - {A479F961-CC9E-11D0-A220-000000000000} - C:\PROGRAM FILES\COMMON FILES\REPRO DESK\PMPROTOCOL.DLL
O18 - Filter: text/html - {0AEFFBC0-0271-11D9-9747-00C0B2DB7FEE} - C:\WINDOWS\SYSTEM\DNOFKL.DLL
O18 - Filter: text/plain - {0AEFFBC0-0271-11D9-9747-00C0B2DB7FEE} - C:\WINDOWS\SYSTEM\DNOFKL.DLL

Thanks again for all your help.
Haxaw.
jvic
« Reply #3 on: November 04, 2004, 04:06:35 PM »

Run HijackThis and place a check beside the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {0AEFFBC1-0271-11D9-9747-00C0DD97DA75} - C:\WINDOWS\SYSTEM\DNOFKL.DLL
O2 - BHO: (no name) - {81F07598-5979-7468-634B-57A677138290} - (no file)
O2 - BHO: (no name) - {988013BE-7AB7-48f4-992E-44C309D65A48} - C:\WINDOWS\SYSTEM\nlsman.dll
O2 - BHO: (no name) - {48AC355A-E318-7BC3-8753-60550DF27F45} - C:\WINDOWS\SYSTEM\EEOSS.DLL
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\QUESTMOD.DLL
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\LOCALNRD.DLL

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O4 - HKLM\..\Run: [Windows AdTools] C:\PROGRAM FILES\WINDOWS ADTOOLS\WINADTOOLS.EXE
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O4 - HKCU\..\Run: [Nrae] C:\WINDOWS\Application Data\aatt.exe
O4 - HKCU\..\Run: [Fxn] C:\WINDOWS\SYSTEM\ancpanh.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.clickspring.net
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O16 - DPF: {770C0A54-BEAF-05F6-1701-7C0E1A129FF5} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {4B41E78B-9FF8-5C39-D22A-6A1356713E9C} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {3B18FAFE-6703-4F8E-B22E-07CD252C3EFD} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {41028D84-3BC0-7B52-93F0-65F711F75E6A} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {792B76FB-4146-0B2A-F689-695A4883147A} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {31C5C08F-0189-436C-DAAE-3038091399E7} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {20747446-BAF0-7BBC-DD46-03C30EFAA36C} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {25F7D2F9-5248-4AF0-6062-715B545BA5D3} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {2259DD23-DA7E-2B3C-246D-0C247D36710F} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {751B14DF-D8AB-5965-4C8B-02DD42E0B019} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {2B0E3AAD-76DC-5294-C644-51001260E53C} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {581BA1D0-8ADB-188A-4EA9-26484E093EA6} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {5FA077E2-D50F-4E15-3E02-46363D0B97F4} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {22FA2172-18D7-6AF6-83CF-38E60E870C77} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {736BFA08-F848-541B-4E34-613B5E8A8EB1} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {014B11DD-7F7C-3EF7-A4A0-4FA05237A770} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {57FE54A9-6604-3B29-4516-26E82F2236EB} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {57A57B1D-208E-6FA5-DE3F-10B1211494C8} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {6A416375-C22E-23BF-3BDF-5CE4784103BB} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {71E0C75D-FBE2-2EBA-22B9-088D464AF15B} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {1871009B-371A-3CB8-0EF3-35E11BFEF223} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {00101245-A040-7B29-BFD4-0AB5207D1B38} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {51BEC7D8-97CC-2235-BBFB-05E217AEC5F8} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {23C46787-9602-3ACA-7C45-53AC6E668968} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {0401889D-F3BE-2632-40B6-34E5380E89F3} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {3B3915A3-6CF6-0FBD-B863-1EAF268672B7} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {16920C80-8487-7C02-C3B6-4D220D5C97A7} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {00F97C19-2906-1305-136D-47595BCCED1D} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {1A7E071D-9FD2-0997-75CD-3F5A6C1C0116} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {7BB3FA01-CEF5-19D4-73DD-01FF74B292F1} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {1EB2B621-D5E6-48D1-2C76-15027941ED57} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {69802AE9-AC77-7974-618A-7DDA48194635} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {5D8273C4-24B9-75C1-A6D7-761627EC1ADB} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {07608D75-E0FE-1E0B-F6D4-67047F060B00} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {628D3FDF-700E-0A0E-278F-688A3D1EAD40} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {5899843E-AF97-7FB0-4CA1-259570CA5C4C} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {39AD7B56-0790-7A43-A41E-1A097532D6E2} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {183E7F22-0CB0-2CAA-196E-2FFB64657B39} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {4CA9B6E7-05B6-47B4-3F49-228C1540241C} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {52475F2A-6D58-7707-A243-44266BDCCCC2} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {52F6CA4F-9769-4B8D-1BF9-25AE30A8ADEE} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {53B893FA-EAC9-0D31-8788-22DF7966AFF4} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {78B68D5E-3617-2311-88CE-6EF77A06D16B} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {04EB4861-17EB-193D-7EF0-3F1B3444ABC7} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {2FE1491E-1022-53D9-E07E-6F0E7035C375} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {401B8DCA-6C87-45CA-5ED7-03FE1BFDDBFB} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {283FA788-22D6-3105-74BA-093364D6844C} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {1878E20A-DBAA-043F-377A-537A03E3C7E5} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {51B8A553-CEE7-63F4-2D8B-1546029E8AD7} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {2D1A28F2-271F-5285-DFFD-48EB24CA797C} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {73DF4879-57D6-7C42-3269-57FC066ACFDD} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {1F71C336-973E-51E4-A88B-5EDF0658FD39} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {64D743E5-7F3C-1016-1DAA-2825764E494E} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {072FC338-07B6-527D-894E-33301AC82B27} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {0CC18F41-55FE-70A6-DAE8-5FD063A13FEB} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {7461CAE8-C4D6-1675-6D99-3F4755B2451D} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {35801529-BC34-16C1-D787-1D776756D826} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=2bda0e8d0b400d047a0900ff439cca7d6a020d6cf16536241204cfe08c882945c1b639da0c5f43ea407ea4f14e5e21ea27e0f2a3e3466b79e53516041838f67673:9a90ad32a98a08d26e670f291c7a5c2c
O16 - DPF: {03D7FA87-0A04-121D-AFC0-4233593DB574} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {1A00F70D-A185-4FAF-B199-66FA26B933A1} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {6A63BEBA-C549-2319-BED7-72985141F8D8} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {60B5E9EB-9C5A-4C02-7A37-0B941541AEFC} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {54D2782F-E46A-6E3D-E87B-092F44B59073} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {6175CA73-721D-6BCE-144B-57B7543B94D1} - http://213.159.117.150/1/rdgCA10.exe
O18 - Filter: text/html - {0AEFFBC0-0271-11D9-9747-00C0B2DB7FEE} - C:\WINDOWS\SYSTEM\DNOFKL.DLL
O18 - Filter: text/plain - {0AEFFBC0-0271-11D9-9747-00C0B2DB7FEE} - C:\WINDOWS\SYSTEM\DNOFKL.DLL

Close all windows except hijack this and click fix

Boot into safe mode making sure you can see hidden files and folders


How To Boot Into SafeMode

How To Show Hidden Files And Folders

Delete the following:

C:\WINDOWS\SYSTEM\DNOFKL.DLL (file)
C:\WINDOWS\SYSTEM\nlsman.dll (file)
C:\WINDOWS\SYSTEM\EEOSS.DLL (file)
C:\WINDOWS\SYSTEM\MSBE.DLL (file)
C:\PROGRAM FILES\WINDOWS ADTOOLS (folder)
C:\WINDOWS\SYSTEM\systime.exe (file)
C:\WINDOWS\Application Data\aatt.exe (file)
C:\WINDOWS\SYSTEM\ancpanh.exe (file)
C:\PROGRAM FILES\WINDOWS ADTOOLS (folder)

Reboot and post a new hijack this log

« Last Edit: November 04, 2004, 04:08:20 PM by jvic »

John Vickers
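As an added example (not from this thread and not part of HijackThis itself), a small Python triage over log lines in the format above: it groups O16 DPF entries by download URL and flags URLs that serve a bare .exe from an IP-literal host or that are registered under several CLSIDs, and it lists O18 MIME filters on text/html or text/plain, which are the two patterns jvic's fix list targets. The sample lines are constructed from the shapes in this log; the example.com CAB entry is made up as a benign contrast.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) - (\S+)")
O18_RE = re.compile(r"^O18 - Filter: (\S+) - \{[0-9A-Fa-f-]+\} - (.+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample in the shape of the thread's log: two of its O16 entries, one
# made-up ordinary CAB install (example.com) for contrast, and its O18 MIME filter.
SAMPLE_LOG = r"""
O16 - DPF: {0401889D-F3BE-2632-40B6-34E5380E89F3} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {3B3915A3-6CF6-0FBD-B863-1EAF268672B7} - http://213.159.117.150/1/rdgCA10.exe
O16 - DPF: {11111111-2222-3333-4444-555555555555} - http://example.com/update/viewer.cab
O18 - Filter: text/html - {0AEFFBC0-0271-11D9-9747-00C0B2DB7FEE} - C:\WINDOWS\SYSTEM\DNOFKL.DLL
"""

def dpf_by_url(lines):
    """Group O16 (Download Program Files) CLSIDs by the URL each one installs from."""
    groups = defaultdict(set)
    for line in lines:
        m = O16_RE.match(line.strip())
        if m:
            groups[m.group(2)].add(m.group(1).upper())
    return groups

def suspicious_dpf(lines, min_clsids=2):
    """(url, clsid_count) for URLs serving a bare .exe from an IP-literal host, or
    registered under min_clsids or more CLSIDs (the repeated pattern in this log)."""
    flagged = []
    for url, clsids in dpf_by_url(lines).items():
        host = urlsplit(url).hostname or ""
        ip_exe = bool(IPV4_RE.match(host)) and url.lower().endswith(".exe")
        if ip_exe or len(clsids) >= min_clsids:
            flagged.append((url, len(clsids)))
    return sorted(flagged)

def mime_filters(lines):
    """(mime_type, dll_path) for O18 filters on text/html or text/plain: a DLL there
    sees every page the browser renders, so each such entry deserves review."""
    hits = []
    for line in lines:
        m = O18_RE.match(line.strip())
        if m and m.group(1).lower() in ("text/html", "text/plain"):
            hits.append((m.group(1).lower(), m.group(2).strip()))
    return hits

def review(log_text):
    lines = log_text.splitlines()
    return {"dpf": suspicious_dpf(lines), "filters": mime_filters(lines)}
```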
Haxaw
Jr. Member
« Reply #4 on: November 05, 2004, 04:19:26 PM »

OK, I followed your instructions to the letter with the exception of:
1. When I rebooted into safe mode, DNOFKL.DLL, EEOSS.DLL and the Windows Adtools folder could not be found (in the locations indicated or via searching the drive), so I was unable to delete them.
2. I've noticed that "O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe" has reappeared in the new log; does this mean I missed it? I did check it for HJT to fix, and I did delete the exe while in safe mode...

Here is the new HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 11:13:08 AM, on 05/11/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.182:6588
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\CFGWIZ.EXE /R
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O18 - Protocol: pm - {A479F961-CC9E-11D0-A220-000000000000} - C:\PROGRAM FILES\COMMON FILES\REPRO DESK\PMPROTOCOL.DLL
« Last Edit: November 05, 2004, 04:23:50 PM by Haxaw »

jvic
Visiting Administrator
Hero Member
« Reply #5 on: November 05, 2004, 04:38:32 PM »

OK, Click CTRL+ALT+DEL and bring up your Task Manager. End the following process:

systime.exe (there may be more than one)

Then make sure you can see all hidden files and folders. Delete the following file:

C:\WINDOWS\system32\systime.exe

Then run hijack this and fix:

O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe

Other than that your log is good.

John Vickers

Haxaw
Jr. Member
« Reply #6 on: November 08, 2004, 02:17:11 PM »

I didn't delete the exe because it wasn't there (obviously I had successfully deleted it) and fixed the registry with HJT.

So far everything is good!

Thank you so much!!

Haxaw.