MyTechSupport.ca :: Your Computer Technical Resource Headquarters! MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
HOME FORUMS RESOURCES & TOOLS ARTICLES ONLINE STORE ABOUT US
Computer Support Forums arrow Internet & Network Support arrow Security & Viruses arrow Topic: Friend has a problem with his computer. Need help
November 12, 2019, 04:01:25 AM
 

Home Forum Rules Help Search Mobile Version Login Register

Welcome, Guest. Please login or register.
Did you miss your activation email?
November 12, 2019, 04:01:25 AM

Login with username, password and session length
 Featured Sites:
News
New  Got pics of your modded PC or want to show off your cool desktop, visit our new Show & Tell forum!
  0 Members and 1 Guest are viewing this topic.
Pages: [1] Go Down Print
Author Topic: Friend has a problem with his computer. Need help  (Read 1512 times)
Kimosabe
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 6


Bookmark and Share

View Profile
« on: March 04, 2005, 02:48:09 PM »

My friend has a problem with his computer. He can't use Explorer at all and cannot change the homepage. Help is very much appreciated. His log file is below.

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version: Windows XP
Problem Application Name & Version:
Problem Hardware Make & Model:
Error Messages:



Logfile of HijackThis v1.99.1
Scan saved at 16:21:36, on 4.3.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Icons\Seticon.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fi\msnappau.exe
C:\temp\salm.exe
C:\WINDOWS\System32\gah95on6.exe
C:\Program Files\Windows FormatAd\WinForm.exe
C:\Program Files\Pmzqaq\Itju.exe
C:\WINDOWS\vahcfoh.exe
C:\Program Files\Windows FormatAd\WinFormKeep.exe
C:\Documents and Settings\Tumppi\Application Data\dboo.exe
C:\WINDOWS\System32\n?tdde.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.nowfind.net/umax4/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nowfind.net/umax4/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nowfind.net/umax4/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sunlogix.fi/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nowfind.net/umax4/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nowfind.net/umax4/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nowfind.net/umax4/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nowfind.net/umax4/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nowfind.net/umax4/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.fi/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
R3 - Default URLSearchHook is missing
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\fi\msntb.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINDOWS\System32\spm1316.dll
O2 - BHO: (no name) - {D1613083-DB60-A7B0-41A5-F33A944A169C} - C:\WINDOWS\System32\gmrjo.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\fi\msntb.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Seticon] C:\Program Files\Icons\Seticon.exe
O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe"  -osboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fi\msnappau.exe"
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
O4 - HKLM\..\Run: [Windows FormatAd] C:\Program Files\Windows FormatAd\WinForm.exe
O4 - HKLM\..\Run: [Yzbkkzvj] C:\Program Files\Pmzqaq\Itju.exe
O4 - HKLM\..\Run: [bE4d] C:\WINDOWS\vahcfoh.exe
O4 - HKLM\..\Run: [ifex] C:\WINDOWS\ifex.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [SVCHOST] C:\WINDOWS\System32\clickpps.exe
O4 - HKCU\..\Run: [Prea] C:\Documents and Settings\Tumppi\Application Data\dboo.exe
O4 - HKCU\..\Run: [Vruwov] C:\WINDOWS\System32\n?tdde.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O13 - DefaultPrefix: http://www.nowfind.net/umax3/gallery.php?url=
O13 - WWW Prefix: http://www.nowfind.net/umax3/gallery.php?url=
O13 - Home Prefix: http://www.nowfind.net/umax3/gallery.php?url=
O13 - Mosaic Prefix: http://www.nowfind.net/umax3/gallery.php?url=
O14 - IERESET.INF: START_PAGE_URL=http://www.sunlogix.fi/
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.qck.cc
O15 - Trusted Zone: *.sidefind.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.thawte.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.verisign.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c18.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O21 - SSODL: eplrr - {223A590F-3BE6-49DF-93E9-ADB5157C8701} - C:\WINDOWS\System32\eplrr3.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Logged

 
Cactus
Security & Virus Specialist
Global Moderator
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 4327


Bookmark and Share

View Profile
« Reply #1 on: March 04, 2005, 04:38:51 PM »

Hey Kimosabe .. Smiley .. let's start with this...

Set Windows to show Hidden files and folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.



**(Always create a Folder for HiJackThis anywhere but your Temp/Temporary Internet Folders. This is where it will save the backup files needed if there's a problem.)**

Press Ctrl/Alt/Del and "End Task" or "End Process" on each of the following: (They may or may not be there)

msnappau.exe
salm.exe
gah95on6.exe
WinForm.exe
Itju.exe
vahcfoh.exe
ifex.exe
istsvc.exe
clickpps.exe
dboo.exe
n?tdde.exe

Turn off System Restore WinXP WinME. (Turn it back on after this is repaired and you've rebooted.) Close all other open Windows and have HiJackThis Fix:


R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.nowfind.net/umax4/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nowfind.net/umax4/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nowfind.net/umax4/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nowfind.net/umax4/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nowfind.net/umax4/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nowfind.net/umax4/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nowfind.net/umax4/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nowfind.net/umax4/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
R3 - Default URLSearchHook is missing
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\fi\msntb.dll
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINDOWS\System32\spm1316.dll
O2 - BHO: (no name) - {D1613083-DB60-A7B0-41A5-F33A944A169C} - C:\WINDOWS\System32\gmrjo.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\fi\msntb.dll

O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fi\msnappau.exe"
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
O4 - HKLM\..\Run: [Windows FormatAd] C:\Program Files\Windows FormatAd\WinForm.exe
O4 - HKLM\..\Run: [Yzbkkzvj] C:\Program Files\Pmzqaq\Itju.exe
O4 - HKLM\..\Run: [bE4d] C:\WINDOWS\vahcfoh.exe
O4 - HKLM\..\Run: [ifex] C:\WINDOWS\ifex.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [SVCHOST] C:\WINDOWS\System32\clickpps.exe
O4 - HKCU\..\Run: [Prea] C:\Documents and Settings\Tumppi\Application Data\dboo.exe
O4 - HKCU\..\Run: [Vruwov] C:\WINDOWS\System32\n?tdde.exe

O13 - DefaultPrefix: http://www.nowfind.net/umax3/gallery.php?url=
O13 - WWW Prefix: http://www.nowfind.net/umax3/gallery.php?url=
O13 - Home Prefix: http://www.nowfind.net/umax3/gallery.php?url=
O13 - Mosaic Prefix: http://www.nowfind.net/umax3/gallery.php?url=

O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.qck.cc
O15 - Trusted Zone: *.sidefind.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.thawte.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.verisign.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDT/ie/bridge-c18.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab

O21 - SSODL: eplrr - {223A590F-3BE6-49DF-93E9-ADB5157C8701} - C:\WINDOWS\System32\eplrr3.dll


Go to Control Panel / Add/Remove Programs and remove the
 following if they are there:


nowfind
IST Service
Windows FormatAd

Now delete these Folders or Files that are Highlighted: (You may need enable "Show all Files" and disable "Hide System Files" in Windows Explorer / Tools / Folder Options / View Tab) (You may have to boot to "Safe Mode" in order to delete some Files/Folders)

C:\WINDOWS\cerbmod.dll
C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\fi\msntb.dll
C:\WINDOWS\System32\spm1316.dll
C:\WINDOWS\System32\gmrjo.dll
C:\WINDOWS\System32\eplrr3.dll
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\fi\msnappau.exe
c:\temp\salm.exe
C:\WINDOWS\System32\gah95on6.exe
C:\Program Files\Windows FormatAd\WinForm.exe
C:\Program Files\Pmzqaq\Itju.exe
C:\WINDOWS\vahcfoh.exe
C:\WINDOWS\ifex.exe
C:\Program Files\ISTsvc\istsvc.exe

C:\WINDOWS\System32\clickpps.exe
C:\Documents and Settings\Tumppi\Application Data\dboo.exe
C:\WINDOWS\System32\n?tdde.exe


Now, empty all your TEMP Folders (WinXp has up to 4 of them) / Temporary Internet Files Folder and then empty your "Recycle Bin" and Reboot.


In Xp, here are some locations of Temp files

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Username\Local Settings\Temporary Internet Files
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files

Turn on System Restore

Before opening your browser goto START>CONTROL PANEL>INTERNET OPTIONS and make sure your Homepage is correct,if not ,type the URL you would like in the HomePage box.


Now re-run HJT and post a new logfile back here.

Cactus  
Logged

**PLEASE**.....do not post your hijack log in someone else's thread. Start a separate thread HERE! Thank you.

cactus@mytechsupport.ca

My System Specs

Avg Antivirus::Ad-Aware::Spybot::Windows Update::Recuva
Malwarebytes::SUPERAntiSpywareFREE
Kimosabe
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 6


Bookmark and Share

View Profile
« Reply #2 on: March 04, 2005, 09:45:02 PM »

Hey Cactus, thanks for helping out.
However these ones my friend couldn't find on his computer:

C:\WINDOWS\cerbmod.dll
C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\fi\msntb.dll
C:\WINDOWS\System32\gmrjo.dll
C:\Program Files\Windows FormatAd\WinForm.exe  <--- Windows FormatAd folder wasn't there, he propably had deleted it before.

And the homepage couldn't be changed, when he tried it automatically changed back.

Now the log




Logfile of HijackThis v1.99.1
Scan saved at 23:34:12, on 4.3.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Icons\Seticon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Tumppi\Omat tiedostot\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.nowfind.net/umax4/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nowfind.net/umax4/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nowfind.net/umax4/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sunlogix.fi/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nowfind.net/umax4/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nowfind.net/umax4/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nowfind.net/umax4/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nowfind.net/umax4/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.fi/
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Seticon] C:\Program Files\Icons\Seticon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O13 - DefaultPrefix: http://www.nowfind.net/umax3/gallery.php?url=
O13 - WWW Prefix: http://www.nowfind.net/umax3/gallery.php?url=
O13 - Home Prefix: http://www.nowfind.net/umax3/gallery.php?url=
O13 - Mosaic Prefix: http://www.nowfind.net/umax3/gallery.php?url=
O14 - IERESET.INF: START_PAGE_URL=http://www.sunlogix.fi/
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
« Last Edit: March 04, 2005, 09:45:59 PM by Kimosabe » Logged

 
Cactus
Security & Virus Specialist
Global Moderator
Hero Member
*****

Karma: +2/-0
Offline Offline

Gender: Male
Posts: 4327


Bookmark and Share

View Profile
« Reply #3 on: March 05, 2005, 01:58:24 AM »

Re-boot into SAFE MODE and have HJT fix these lines:

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.nowfind.net/umax4/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nowfind.net/umax4/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nowfind.net/umax4/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nowfind.net/umax4/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nowfind.net/umax4/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nowfind.net/umax4/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nowfind.net/umax4/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nowfind.net/umax4/index.php

O1 - Hosts: auto.search.msn.com 127.0.0.1

O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart

O13 - DefaultPrefix: http://www.nowfind.net/umax3/gallery.php?url=
O13 - WWW Prefix: http://www.nowfind.net/umax3/gallery.php?url=
O13 - Home Prefix: http://www.nowfind.net/umax3/gallery.php?url=
O13 - Mosaic Prefix: http://www.nowfind.net/umax3/gallery.php?url=


Empty your TEMP Folders and the Recycle Bin


Goto ADD REMOVE PROGRAMS AND REMOVE THIS IF PRESENT:

nowfind
umax3

Re-run HJT in Normal Mode and post back with a fresh logfile.

Cactus  
« Last Edit: March 05, 2005, 01:59:04 AM by Cactus » Logged

**PLEASE**.....do not post your hijack log in someone else's thread. Start a separate thread HERE! Thank you.

cactus@mytechsupport.ca

My System Specs

Avg Antivirus::Ad-Aware::Spybot::Windows Update::Recuva
Malwarebytes::SUPERAntiSpywareFREE
Kimosabe
Newbie
*

Karma: +0/-0
Offline Offline

Gender: Male
Posts: 6


Bookmark and Share

View Profile
« Reply #4 on: March 05, 2005, 05:20:38 PM »

Here's the new log




Logfile of HijackThis v1.99.1
Scan saved at 19:16:13, on 5.3.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Icons\Seticon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Tumppi\Omat tiedostot\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.nowfind.net/umax4/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nowfind.net/umax4/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nowfind.net/umax4/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sunlogix.fi/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nowfind.net/umax4/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.nowfind.net/umax4/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nowfind.net/umax4/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nowfind.net/umax4/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nowfind.net/umax4/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.fi/
O1 - Hosts: auto.search.msn.com 127.0.0.1
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Seticon] C:\Program Files\Icons\Seticon.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Vie Microsoft E&xceliin - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O13 - DefaultPrefix: http://www.nowfind.net/umax3/gallery.php?url=
O13 - WWW Prefix: http://www.nowfind.net/umax3/gallery.php?url=
O13 - Home Prefix: http://www.nowfind.net/umax3/gallery.php?url=
O13 - Mosaic Prefix: http://www.nowfind.net/umax3/gallery.php?url=
O14 - IERESET.INF: START_PAGE_URL=http://www.sunlogix.fi/
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Logged

 
Pages: [1] Go Up Print 
 
Jump to:  

Powered by MySQL Powered by PHP

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines

Valid XHTML 1.0! Valid CSS!

Disclaimer
This site is NOT responsible for any damage that the information on this site may cause to your system. Everything you try, whether inspired by the response given from this site or not, is entirely at your own risk. All product names and company names used herein are for identification purpose only and may be trademarks or registered trademarks of their respective owners. We are in no way affiliated or representing any of the companies on this site unless specified.
Back to Top
Stop Spam Harvesters, Join Project Honey Pot Fight Back Against Spammers! Get Firefox! Get Thunderbird! View Sylvain Amyots profile on LinkedIn
Back to Top
Google visited last this page June 10, 2018, 03:28:46 AM