Author Topic: please help...  (Read 1941 times)
jasel14
« on: December 17, 2004, 06:56:15 PM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version:windows xp
Problem Application Name & Version:
Problem Hardware Make & Model:
Error Messages:rundl.exe has closed



Logfile of HijackThis v1.98.2
Scan saved at 18:56:54, on 17/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\Program Files\Canon\MultiPASS\MPTBox.exe
C:\WINDOWS\System32\gsicon.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\FxRedir.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run:
  • C:\documents and settings\jasel.kapu\local settings\temp\0.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\win32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.indiapress.org/pfr/tdserver.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095090854783
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {E4DFABBD-F5F6-11D3-8421-0080C6F79C42} (SpeechControl Class) - http://www.directxtras.com/speaksforitself/download/speechplugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8797DB3E-1185-44C4-B4A6-ABBB7192E652}: NameServer = 194.74.65.68 194.72.9.34



windows is often restarting by itself without any warning.... a while before a message appears involving rundl.exe
please help me
thank you

 
jasel14
« Reply #1 on: December 17, 2004, 06:59:36 PM »

this is the logfile with new hijack this version...

Logfile of HijackThis v1.99.0
Scan saved at 18:59:45, on 17/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\Program Files\Canon\MultiPASS\MPTBox.exe
C:\WINDOWS\System32\gsicon.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\FxRedir.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\JASEL~1.KAP\LOCALS~1\Temp\Rar$EX00.410\HijackThis199[www.click-now.net].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run:
  • C:\documents and settings\jasel.kapu\local settings\temp\0.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\win32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.indiapress.org/pfr/tdserver.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095090854783
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {E4DFABBD-F5F6-11D3-8421-0080C6F79C42} (SpeechControl Class) - http://www.directxtras.com/speaksforitself/download/speechplugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8797DB3E-1185-44C4-B4A6-ABBB7192E652}: NameServer = 194.74.65.68 194.72.9.34
O23 - Service: MPService - Canon Information Systems, Inc. - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)



I am also getting a lot of pop-ups involving Smiley Central and others.

thank you

 
jvic
Visiting Administrator
« Reply #2 on: December 17, 2004, 07:07:26 PM »

Hi Jasel14,
You have the new host infection, which is going to take a bit of work to get rid of. First thing: please download LSP Fix.

Then use these instructions to remove the bad DLL:

1. Run LSPFix.
2. Check 'I know what I'm doing'.
3. Select 'aklsp.dll'.
4. Click the right-pointing arrow (moves it to the "remove" page).
5. Click 'Finished'.
6. Restart your computer in "Safe Mode" (F5 or F8 when starting Windows).
7. Delete the following file: c:\windows\system\aklsp.dll
8. Restart your computer and bring it up in normal mode.

Next

Please download
Dll compare

Start the Program and click the Run Locate.com
Default settings should work---C:\Windows\System32 directory
Let it complete the SCAN, which won't take long


Click the Compare button to start the next process. This will take a bit longer.
The results appear in two panes - files in the upper pane have been verified to 'exist'.
Files in the lower pane were 'not able to be accessed'.
Very few files should be listed in the lower pane, if any, when the Compare scan is complete.
Click on each of the listed entries in the lower pane to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and then if so it will be removed from the list to reduce the number of identified files.

Click the Make a Log of what was found button  and post your DLL Compare log here

IMPORTANT

Do not restart your computer until I let you know it is okay otherwise the file names will change and we will have to start all over again.

Please download Killbox

We will need this program later
« Last Edit: December 17, 2004, 07:09:54 PM by jvic »

John Vickers
jasel14
« Reply #3 on: December 18, 2004, 02:19:40 PM »

Hi,
thank you for your help...
but when I run dllcompare and click run locate.com with C:\WINDOWS\System32 in the box, an error message comes up...
'C:\DOCUME....\locate.com
C:\windows\system32\autoexec.nt. The system file is not suitable for running MS-DOS and microsoft windows applications. Choose close to terminate the program.' This is followed by 2 options... close and ignore.
If I press ignore and then press compare, nothing happens.

thank you

 
Pancake
Global Moderator
« Reply #4 on: December 19, 2004, 02:00:44 AM »

This is a tricky one to fix....so

Download these 2 utilities: Dllcompare (version 1.0.0.127) http://www.downloads.subratam.org/DllCompare.exe and Killbox (version 2.0.0.76) http://www.downloads.subratam.org/KillBox.exe

Copy the dllcompare.exe to your desktop, please don't run it from the download site as it is preset to scan the System32 directory, so nothing other than you clicking the [Run locate.com] button is required.
When the scan is complete, you will see in blue "Completed the scan". Click "Compare to Continue", then click the Compare button.

It will sort through the files it found and determine which should be flagged as "No access" and display them in the lower box.
In a few minutes it will display in blue 'Completed'.
Click the button [Make a Log of what was Found] and post the results here. Once this log is sent YOU MUST NOT REBOOT if you can help it or all the files will change and we will have to start the process over again.

An Australian Member of

EDDY
jasel14
« Reply #5 on: December 20, 2004, 11:40:50 AM »

here's the log...

*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\dgvxd32.dll    Mon 13 Dec 2004  23:27:32   ..S.R        224,966   219.69 K
C:\WINDOWS\SYSTEM32\dn4001~1.dll   Sat 11 Dec 2004  15:12:28   ..S.R        223,273   218.04 K
C:\WINDOWS\SYSTEM32\fpr803~1.dll   Sat 11 Dec 2004  11:03:24   ..S.R        224,125   218.87 K
C:\WINDOWS\SYSTEM32\irlsl5~1.dll   Sun 19 Dec 2004  12:37:38   ..S.R        222,825   217.60 K
C:\WINDOWS\SYSTEM32\jt8m07~1.dll   Tue 14 Dec 2004  19:26:42   ..S.R        224,966   219.69 K
C:\WINDOWS\SYSTEM32\lv2409~1.dll   Sun 19 Dec 2004  12:34:38   ..S.R        223,254   218.02 K
C:\WINDOWS\SYSTEM32\mv82l9~1.dll   Sat 18 Dec 2004  12:09:32   ..S.R        225,889   220.59 K
C:\WINDOWS\SYSTEM32\n4l80e~1.dll   Thu 16 Dec 2004  22:58:04   ..S.R        223,119   217.89 K
C:\WINDOWS\SYSTEM32\nhwrses.dll    Sat 18 Dec 2004  13:11:06   ..S.R        225,889   220.59 K
C:\WINDOWS\SYSTEM32\q486le~1.dll   Fri 17 Dec 2004  18:54:20   ..S.R        225,889   220.59 K
C:\WINDOWS\SYSTEM32\r8p80i~1.dll   Sat 11 Dec 2004  11:51:06   ..S.R        224,110   218.86 K
C:\WINDOWS\SYSTEM32\ravpsp.dll     Fri 10 Dec 2004  17:42:46   ..S.R        223,232   218.00 K
C:\WINDOWS\SYSTEM32\sylogcfg.dll   Mon 20 Dec 2004  11:16:10   ..S.R        223,254   218.02 K
C:\WINDOWS\SYSTEM32\ugnphost.dll   Sat 18 Dec 2004  12:58:12   ..S.R        225,889   220.59 K
________________________________________________

1,414 items found:  1,414 files (14 H/S), 0 directories.
Total of file sizes:  298,447,222 bytes    284.62 M

Administrator Account =  True

--------------------End log---------------------


thanks

 
jvic
Visiting Administrator
« Reply #6 on: December 20, 2004, 12:19:02 PM »

Please download Killbox

Using Killbox

Copy Killbox to your Desktop (Do not run from the download site)

Settings for Killbox
From the menu bar click the "About" and ensure you have version
2.0.0.76 or better.
Select Option Replace on Reboot


With the full path to the file name in the topmost textbox,
click the option Use Dummy which will create a numbered dummy file
instantly for you.

Click the Red X ...and for the confirmation message that will appear,
you will need to click Yes
A second message will ask to Reboot now? you will need to click
No (since you are not finished adding all related files in yet)
Do this same step for every file in the dllcompare log, (Or each
file one of the forum experts/helpers etc. tell you to)



Here Are The Files

C:\WINDOWS\SYSTEM32\dgvxd32.dll

C:\WINDOWS\SYSTEM32\dn4001~1.dll

C:\WINDOWS\SYSTEM32\fpr803~1.dll

C:\WINDOWS\SYSTEM32\irlsl5~1.dll

C:\WINDOWS\SYSTEM32\jt8m07~1.dll

C:\WINDOWS\SYSTEM32\lv2409~1.dll

C:\WINDOWS\SYSTEM32\mv82l9~1.dll

C:\WINDOWS\SYSTEM32\n4l80e~1.dll

C:\WINDOWS\SYSTEM32\nhwrses.dll

C:\WINDOWS\SYSTEM32\q486le~1.dll

C:\WINDOWS\SYSTEM32\r8p80i~1.dll

C:\WINDOWS\SYSTEM32\ravpsp.dll

C:\WINDOWS\SYSTEM32\sylogcfg.dll

C:\WINDOWS\SYSTEM32\ugnphost.dll

When you get to the last file in the Dllcompare log, also add
in one additional file

C:\Windows\System32\Guard.tmp

*Be careful to include the correct path to the system32 folder,
as drive letters & windows folder names change slightly from system
to system
If this is an issue, click the [Browse] button in Killbox and
navigate to the guard.tmp manually. (it will always be in the System32
directory, and may need to have File & Folder options to "unhide system files" enabled)


On that last file, close all programs and Reboot your computer.
Step 3

After a Reboot, Use the DllCompare again and create another log.
If all was successful, it should be empty.
At worst, it will show many less files, and you may have to repeat
the step 2 again one more time.

Guard.tmp, may still exist as it creates on Shutdown, but is
unprotected at this point.
Open Killbox again, paste the path to guard.tmp into the first box.

C:\WINDOWS\SYSTEM32\guard.tmp

This will only require a "Standard File Kill" default setting of
Killbox.
If the file does exist, you will see the name guard.tmp in Blue
appear. Click the Red X to delete it.

Run hijack this and post a new log



« Last Edit: December 20, 2004, 12:24:24 PM by jvic »

John Vickers
jasel14
« Reply #7 on: December 20, 2004, 02:22:32 PM »

this is the dllcompare log file which went successfully:
*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found Smiley"
________________________________________________

1,414 items found:  1,414 files, 0 directories.
Total of file sizes:  295,307,326 bytes    281.63 M

Administrator Account =  True

--------------------End log---------------------



this is a new hijack this log:

Logfile of HijackThis v1.99.0
Scan saved at 14:24:41, on 20/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\Program Files\Canon\MultiPASS\MPTBox.exe
C:\WINDOWS\System32\gsicon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\FxRedir.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\JASEL~1.KAP\LOCALS~1\Temp\Rar$EX00.740\HijackThis199[www.click-now.net].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run:
  • C:\documents and settings\jasel.kapu\local settings\temp\0.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\win32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.indiapress.org/pfr/tdserver.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095090854783
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {E4DFABBD-F5F6-11D3-8421-0080C6F79C42} (SpeechControl Class) - http://www.directxtras.com/speaksforitself/download/speechplugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8797DB3E-1185-44C4-B4A6-ABBB7192E652}: NameServer = 194.74.65.68 194.72.9.34
O23 - Service: MPService - Canon Information Systems, Inc. - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)



 
Pancake
Global Moderator
« Reply #8 on: December 20, 2004, 11:55:34 PM »

Have "Hijack This" fix the following by placing a check in the appropriate boxes and selecting "fix checked".
Folders that have been highlighted in RED will need to be uninstalled. Files highlighted in BLACK will need to be removed from your hard drive. Make sure to have your system set to show hidden files and folders: How To Show Files (www.xtra.co.nz/help/0,,4155-1916458,00.html). Please post a new log when finished...

R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run:
  • C:\documents and settings\jasel.kapu\local settings\temp\0.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\win32.exe
O15 - Trusted Zone: *.windupdates.com
O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

An Australian Member of

EDDY
jasel14
« Reply #9 on: December 21, 2004, 06:41:05 PM »

how do i remove
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
from my hard drive.
i could not find the win32 in windows folder


this is my hijack log...

Logfile of HijackThis v1.99.0
Scan saved at 18:39:02, on 21/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\MultiPASS\mpservic.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\MultiPASS\monitr32.exe
C:\Program Files\Canon\MultiPASS\MPTBox.exe
C:\WINDOWS\System32\gsicon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\FxRedir.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\JASEL~1.KAP\LOCALS~1\Temp\Rar$EX00.646\HijackThis199[www.click-now.net].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MP_STATUS_MONITOR] "C:\Program Files\Canon\MultiPASS\monitr32.exe" I
O4 - HKLM\..\Run: [MPTBox] "C:\Program Files\Canon\MultiPASS\MPTBox.exe"
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.indiapress.org/pfr/tdserver.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095090854783
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {E4DFABBD-F5F6-11D3-8421-0080C6F79C42} (SpeechControl Class) - http://www.directxtras.com/speaksforitself/download/speechplugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8797DB3E-1185-44C4-B4A6-ABBB7192E652}: NameServer = 194.74.65.68 194.72.9.34
O23 - Service: MPService - Canon Information Systems, Inc. - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: MPService - Canon Information Systems, Inc. - C:\Program Files\Canon\MultiPASS\mpservic.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


thank you

 
Pancake
Global Moderator
« Reply #10 on: December 22, 2004, 12:11:56 AM »

Your log is clean. The 01 Hosts only have to be removed from the log, not your drive. The Win32 would have gone with the cleanup.

An Australian Member of

EDDY
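
Added example, not part of the original thread or any poster's code: a Python check of the "log is clean" verdict above. It parses HijackThis entry lines, confirms that none of the fix-list entries from Reply #8 remain in the later log, and groups O1 Hosts redirects by IP. The function names and the handling of the bulleted line as a continuation of the preceding O4 entry are assumptions of this example; the sample logs are excerpts copied from this thread.

```python
import re
from collections import defaultdict

# HijackThis entry lines start with a section code such as R3, O1, O4 or O23.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Excerpt of the log posted in Reply #7 (before the HijackThis fix).
BEFORE_LOG = r"""
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run:
  • C:\documents and settings\jasel.kapu\local settings\temp\0.exe
O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\win32.exe
O15 - Trusted Zone: *.windupdates.com
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
"""

# Excerpt of the fix list from Reply #8.
FIX_LIST = r"""
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run:
  • C:\documents and settings\jasel.kapu\local settings\temp\0.exe
O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\win32.exe
O15 - Trusted Zone: *.windupdates.com
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
"""

# Excerpt of the log posted in Reply #9 (after the fix).
AFTER_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com
"""


def parse_entries(log_text):
    """Return [(code, body), ...] with bodies lower-cased for comparison."""
    entries, open_entry = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append([m.group(1), " ".join(m.group(2).split())])
            open_entry = entries[-1][1].endswith(":")
        elif line and open_entry:
            # Assumption: a bulleted line right after an entry ending in ':'
            # is the rest of that entry, split by the forum rendering.
            entries[-1][1] += " " + line.lstrip("•* ")
            open_entry = False
        else:
            open_entry = False
    return [(code, body.lower()) for code, body in entries]


def still_present(fix_list_text, later_log_text):
    """Distinct fix-list entries that still appear in a later log."""
    later = set(parse_entries(later_log_text))
    left = []
    for entry in parse_entries(fix_list_text):
        if entry in later and entry not in left:
            left.append(entry)
    return left


def hosts_redirects(log_text):
    """Map each non-loopback IP in O1 entries to the hostnames sent to it."""
    redirects = defaultdict(set)
    for code, body in parse_entries(log_text):
        m = re.match(r"hosts: (\S+) (\S+)$", body)
        if code == "O1" and m and m.group(1) not in LOOPBACK:
            redirects[m.group(1)].add(m.group(2))
    return dict(redirects)


if __name__ == "__main__":
    print("redirects before:", hosts_redirects(BEFORE_LOG))
    print("left after fix:  ", still_present(FIX_LIST, AFTER_LOG))
```

An empty result from `still_present` only shows that the listed entries no longer appear in the log; it does not show that the files themselves were deleted from disk.
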
jasel14
« Reply #11 on: December 22, 2004, 06:14:08 PM »

thank you very much for your help... I really appreciate it... you guys are doing a good thing
cheers

 
Pancake
Global Moderator
« Reply #12 on: December 23, 2004, 12:32:27 AM »

Glad we could help.

An Australian Member of

EDDY