
I need help fixing net problem



#1 pleasehelp


Posted 14 February 2005 - 09:32 PM

LAPTOP

Microsoft Windows XP [Version 5.1.2600]
Copyright 1985-2001 Microsoft Corp.

C:\>ipconfig -all

Windows IP Configuration

Host Name . . . . . . . . . . . . : SHARI
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes

PPP adapter sym:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 65.95.78.149
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 0.0.0.0
DNS Servers . . . . . . . . . . . : 206.47.244.60
206.47.244.12
NetBIOS over Tcpip. . . . . . . . : Disabled

C:\>

ok so that's what I'm supposed to post

Edited by phawgg, 15 February 2005 - 03:43 PM.




#2 pleasehelp


Posted 14 February 2005 - 09:50 PM

LAPTOP

Logfile of HijackThis v1.99.0
Scan saved at 9:46:28 PM, on 2/14/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\essspk.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\documents and settings\owner\local settings\temp\8E4.exe
C:\documents and settings\owner\local settings\temp\jyP2.exe
C:\WINDOWS\mfcnk32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\HPConfig.exe
C:\WINDOWS\system32\RadioSvr.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\iegv32.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\brbtf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\brbtf.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sympatico.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\brbtf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\brbtf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\brbtf.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\brbtf.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {64A70346-6FA4-EA8B-7DD1-5A4B17FBDA8B} - C:\WINDOWS\ipvi32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\sharilynn\Local Settings\Temp\tBgf.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_0_2_6.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [8E4] C:\documents and settings\owner\local settings\temp\8E4.exe
O4 - HKLM\..\Run: [jyP2] C:\documents and settings\owner\local settings\temp\jyP2.exe
O4 - HKLM\..\Run: [d3jl.exe] C:\WINDOWS\system32\d3jl.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [ipsg.exe] C:\WINDOWS\system32\ipsg.exe
O4 - HKLM\..\Run: [apijn32.exe] C:\WINDOWS\system32\apijn32.exe
O4 - HKLM\..\Run: [mfcnk32.exe] C:\WINDOWS\mfcnk32.exe
O4 - HKLM\..\RunOnce: [iegv32.exe] C:\WINDOWS\system32\iegv32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c7.cab
O16 - DPF: {26AFD6EF-C017-4063-B2B1-E515DE98A1B7} - http://download.kodak.com/digital/software...2_1/install.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200211...meInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ymmapi_0727.dll
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/pcpowerscan.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://www.photolab.ca/activex/PCAXSetup.cab?
O17 - HKLM\System\CCS\Services\Tcpip\..\{567A0B44-21ED-4E37-9E66-3989D44345A3}: NameServer = 206.47.244.60 206.47.244.12
O23 - Service: DvpApi - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: HP Configuration Service - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe
O23 - Service: HP RF Device Service - Hewlett-Packard - C:\WINDOWS\system32\HpRfDev.exe
O23 - Service: Virtual NIC Service - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: RadioSvr - Hewlett-Packard - C:\WINDOWS\system32\RadioSvr.exe
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\mslv.exe (file missing)

Edited by phawgg, 15 February 2005 - 03:44 PM.


#3 phawgg


Posted 14 February 2005 - 10:06 PM

I'll check your log (and have some info from chat)
Post anything else that relates,
and please label the different PCs if two are involved.

patiently patrolling, plenty of persistent pests n' problems ...

#4 pleasehelp


Posted 15 February 2005 - 10:02 AM

DESKTOP

ok so here's the ipconfig from my desktop computer, the one that wasn't working but oddly is today?! I thought I should still post this in case it happens to me again.

Microsoft Windows XP [Version 5.1.2600]
Copyright 1985-2001 Microsoft Corp.

C:\>ipconfig -all

Windows IP Configuration

Host Name . . . . . . . . . . . . : compaq
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : no-domain-set.bellcanada
Description . . . . . . . . . . . : SMC EZ Card 10/100 PCI (SMC1211TX)
Physical Address. . . . . . . . . : 00-10-B5-E2-FA-AD
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.2.11
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.2.1
Lease Obtained. . . . . . . . . . : Monday, February 14, 2005 8:35:10 PM

Lease Expires . . . . . . . . . . : Thursday, February 17, 2005 8:35:10 PM

PPP adapter Broadband Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 70.48.104.63
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 70.48.104.63
DNS Servers . . . . . . . . . . . : 206.47.244.60
206.47.244.12
NetBIOS over Tcpip. . . . . . . . : Disabled

C:\>

Edited by phawgg, 15 February 2005 - 03:46 PM.


#5 phawgg


Posted 16 February 2005 - 02:45 PM

Hi, pleasehelp

We talked in chat, and you had (have) some problems.
You couldn't connect to your web browser on your other computer,
you could connect to the internet but not go on any sites.
You tried system restore but no luck.

This log is from your (Mom's) laptop.

It has several infections.

We need to eliminate the malware from it first.
Then from your desktop, as it probably also has similar problems.

This infection can be very difficult to remove as the various programs used by this
infection monitor each other and attempt to detect when someone is trying to delete them.

STEP ONE. PREPARE TO get rid of your problems.

Please perform the steps in exact order for best results and read through them first.
You may choose to:
Print out, Copy/paste these instructions to a notepad/wordpad
or choose file-->save page as: HJT instructions.
You will need tools on your desktop. Please click these download links: Extract AboutBuster to your desktop.
In Extraction Wizard choose "next"-->"next"--> "Finish".
Open the folder and click on the application file to begin. "OK".
Choose to update.

Note: If AboutBuster didn't work:
Click on the missingfiles setup.exe and continue
through the "wizard" to install missing files needed to run AboutBuster.
Once that has been completed, rerun AboutBuster to confirm that it does work.
As long as the program loads, we are in good shape. Exit, we'll run it later.

You also need to install programs.
  • Ad-Aware SE Personal 1.05,
    unless you already have this version.
    You should uninstall any older version before installing this.
    Run Ad-Aware and immediately check for updates.
    Exit after updating. We will scan/clean later.

    See the next post for detailed instructions using Lavasoft
  • System Security Suite,

    used to quickly clean out unnecessary files & your recycle bin.
    Save to disk, and then install it. Run later, also.

STEP TWO. Preparation done. Please continue with the following steps.

Click Start-->Add or Remove Programs-->Uninstall (if found), any instances of
ISTsvc
Visual Networks
Set your PC to: Show Hidden Files. (click tutorial for instructions)

Reboot your computer into Safe Mode. (click tutorial for instructions)

Click Start-->control panel-->administrative programs-->services.
Look for a service called Network Security Service .
Double-click on that service and click stop and then set the startup to disabled.

Press control-alt-delete to get into the task manager, or right-click in the taskbar-->choose task manager
and end the following processes (if they are running):

iegv32.exe
mfcnk32.exe
S3tray2.exe
8E4.exe
jyP2.exe
sais.exe
d3jl.exe
tibs3.exe
ipsg.exe
apijn32.exe
mslv.exe
IPClient.exe
IPMon32.exe


Open your C:\HJT folder and double-click the icon. Close everything except HijackThis, nothing else on your desktop.

Run HijackThis: click Scan, and put a checkmark next to each of the following objects:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\brbtf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\brbtf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\brbtf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\brbtf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\brbtf.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\brbtf.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {64A70346-6FA4-EA8B-7DD1-5A4B17FBDA8B} - C:\WINDOWS\ipvi32.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\sharilynn\Local Settings\Temp\tBgf.dll
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe"
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [8E4] C:\documents and settings\owner\local settings\temp\8E4.exe
O4 - HKLM\..\Run: [jyP2] C:\documents and settings\owner\local settings\temp\jyP2.exe
O4 - HKLM\..\Run: [d3jl.exe] C:\WINDOWS\system32\d3jl.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [ipsg.exe] C:\WINDOWS\system32\ipsg.exe
O4 - HKLM\..\Run: [apijn32.exe] C:\WINDOWS\system32\apijn32.exe
O4 - HKLM\..\Run: [mfcnk32.exe] C:\WINDOWS\mfcnk32.exe
O4 - HKLM\..\RunOnce: [iegv32.exe] C:\WINDOWS\system32\iegv32.exe
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c7.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
note: unless you specifically added this to your "trusted zone"
it is probably malware related and deletion is best to restore defaults.

O15 - Trusted IP range: 206.161.125.149 (HKLM)

Click the Fix button, when you're sure that files marked for deletion are correct.

Search for, locate and delete files or folders ---
To find them use: Start-->Search-->select "all files & folders"-->select "more advanced options"-->
check search "system folders", "hidden files & folders" & "sub-folders".
You may also navigate to the appropriate folder, right-click-->delete individual files.
(Don't be concerned if they don't exist, the previous steps may have eliminated them.)
Do not delete any main folders like
C:\WINDOWS or C:\Program Files.
Delete manually:

C:\WINDOWS\brbtf.dll
C:\WINDOWS\ipvi32.dll
C:\WINDOWS\mfcnk32.exe
C:\WINDOWS\system32\iegv32.exe
C:\WINDOWS\System32\S3tray2.exe
C:\WINDOWS\system32\d3jl.exe
C:\WINDOWS\System32\tibs3.exe
C:\WINDOWS\system32\ipsg.exe
C:\WINDOWS\system32\apijn32.exe

note: search for the .exe's and when found, delete the folder too.
C:\Program Files\ISTsvc\istsvc.exe
c:\program files\180solutions\sais.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe

note: the next three will be deleted when you clean temporary files.
C:\documents and settings\owner\local settings\temp\8E4.exe
C:\documents and settings\owner\local settings\temp\jyP2.exe
C:\Documents and Settings\sharilynn\Local Settings\Temp\tBgf.dll

If you get an error when deleting a file,
right-click on the file and check to see if the read-only attribute is checked.
If it is, uncheck it and try again.


Run AboutBuster 4.0.
Open the folder, click the application file.
Start.
OK to scan.
Scan once,
Scan twice.
Save log & Exit.

Run Ad-Aware
(Read the next post for additional details)
prepare for system scan
using "full scan" and not including the "negligible risk items".
Run the scan to completion.
The "Finish" button will change screen to "scanning results".
The scan summary tab
is where to tick the boxes to delete what was found.


Run System Security Suite.
(All windows and browsers closed)
To clean out Temp and Temporary Internet Files.

In the "Items to Clear" tab click:
1. Internet Explorer (left pane): Cookies & Temporary files
2. My Computer (right pane): Temporary files & Recycle Bin
Click the "Clear Selected Items" button. Close.

Open Internet Explorer,
click on the Tools menu and then Internet Options.
At the General tab, which should be the default first tab,
click on the Delete Files button
and put a checkmark in Delete offline content.
Then press the OK button.

Extract HostFix.
Rightclick the zipped folder-->choose "extract all"
In Extraction Wizard choose "next"-->"next"--> "Finish".
Open the folder and click on the application file to begin.
With the program open,
click "YES".
This will restore the Hosts file.

Reboot your computer to go back to normal mode.

Download shell.dll from here: shell-dll98.zip.
From the desktop:
rightclick & choose "Open With"-->"compressed (zipped) folders" and
copy shell.dll -- paste it to the following locations:

1. C:\WINDOWS\system<--into this folder and
2. C:\WINDOWS\system32 <-- into this folder

If you have Spybot S&D installed on your computer
we advise that you uninstall it and then download and install the latest version.
This will make sure you have all the latest files that are necessary for it to run correctly.

Scan online for viruses at TrendMicro's Housecall.
Scan online for viruses at Bitdefender

Run HijackThis again and post the new log as a reply to this post.

It looks harder than it is, but if you don't understand any step or
have difficulties downloading applications/programs, just post comments
and I will clarify or help additionally if necessary.
Thanks.

Edited by phawgg, 16 February 2005 - 02:46 PM.

patiently patrolling, plenty of persistent pests n' problems ...

#6 pleasehelp


Posted 25 February 2005 - 02:11 PM

here is the latest log of the laptop
I did everything you said


Logfile of HijackThis v1.99.0
Scan saved at 2:09:55 PM, on 2/25/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\HPConfig.exe
C:\WINDOWS\system32\RadioSvr.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\essspk.exe
C:\WINDOWS\System32\Ihoxom.exe
C:\Program Files\Preview AdService\PrevAdServ.exe
C:\WINDOWS\System32\ap9h4qmo.exe
C:\Program Files\AdTools Service\AdTools.exe
C:\Program Files\Preview AdService\PrevAdKeep.exe
C:\WINDOWS\System32\MDNS.exe
C:\Program Files\AdTools Service\AdToolsKeep.exe
C:\WINDOWS\ipmt.exe
C:\WINDOWS\system32\netwx32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\junfz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\junfz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\junfz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\junfz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\junfz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\junfz.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\junfz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {EF497844-7B90-4822-A898-12306EB83DD2} - C:\WINDOWS\winng32.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [MDN] MDNS.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Xtplyv.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Ihoxom.exe
O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [AdTools Service] C:\Program Files\AdTools Service\AdTools.exe
O4 - HKLM\..\Run: [ipmt.exe] C:\WINDOWS\ipmt.exe
O4 - HKLM\..\RunServices: [MDN] MDNS.exe
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\Yahoo!\YPSR\ppclean.exe" "clean" "cws" "2"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MDN] MDNS.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted IP range: (HKLM)
O16 - DPF: {26AFD6EF-C017-4063-B2B1-E515DE98A1B7} - http://download.kodak.com/digital/software...2_1/install.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200211...meInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9AE283A5-DF43-4C83-B6AA-7EBDBDB0204A} (VacPro.canada_ver10) - http://advnt01.com/dialer/canada_ver10.CAB
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/...ymmapi_0727.dll
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowerscan.com/pcpowerscan.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://www.photolab.ca/activex/PCAXSetup.cab?
O17 - HKLM\System\CCS\Services\Tcpip\..\{567A0B44-21ED-4E37-9E66-3989D44345A3}: NameServer = 206.47.244.60 206.47.244.12
O23 - Service: DvpApi - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: HP Configuration Service - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe
O23 - Service: HP RF Device Service - Hewlett-Packard - C:\WINDOWS\system32\HpRfDev.exe
O23 - Service: Virtual NIC Service - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: RadioSvr - Hewlett-Packard - C:\WINDOWS\system32\RadioSvr.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\system32\netwx32.exe

#7 phawgg


Posted 25 February 2005 - 03:41 PM

I'm glad you posted back, pleasehelp
Let's try this:

Download CWShredder 2.13.

Close your browser(s) and all other windows.
Open CWShredder. Check for updates. Click Scan. Click Fix.
Reboot and continue:

Open your C:\HJT folder and double-click the icon.
Close everything except HijackThis, nothing else on your desktop.
Scan and Save log only.

Post the new log here.

It will be best to leave the laptop running.
Each time you reboot with this combination of
bad files, they change their name(s) and make it
a lot harder to instruct you about exactly which to delete.

The laptop will be OK running; simply provide for good airflow.

patiently patrolling, plenty of persistent pests n' problems ...
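
An added example, not part of the original thread and not HijackThis's own code: the last post notes that these files change their names on each reboot, so this compares the 14 and 25 February laptop logs by registry value and service name rather than by file name, to show which persistence points survived under a new binary. The regular expressions and the two flagging heuristics are assumptions made for this example; the sample lines are excerpts copied from the two logs above.

```python
import re

# Excerpts copied from the two laptop logs posted in this thread.
LOG_14_FEB = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [8E4] C:\documents and settings\owner\local settings\temp\8E4.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\RunOnce: [iegv32.exe] C:\WINDOWS\system32\iegv32.exe
O23 - Service: RadioSvr - Hewlett-Packard - C:\WINDOWS\system32\RadioSvr.exe
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\mslv.exe (file missing)
"""
LOG_25_FEB = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Ihoxom.exe
O4 - HKLM\..\Run: [ipmt.exe] C:\WINDOWS\ipmt.exe
O23 - Service: RadioSvr - Hewlett-Packard - C:\WINDOWS\system32\RadioSvr.exe
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\system32\netwx32.exe
"""

# Assumed line shapes, inferred from the logs on this page.
ENTRY = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
RUN = re.compile(r"^(?P<key>HK(?:LM|CU)\\\.\.\\\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
SERVICE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")


def image_path(cmd):
    """Best-effort executable path from a command string, lower-cased."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, arguments follow
        return cmd[1:].split('"', 1)[0].lower()
    m = re.match(r"(.+?\.(?:exe|dll))\b", cmd, re.I)
    return (m.group(1) if m else cmd).lower()


def persistence(log_text):
    """Map (kind, registry key, name) -> {path, vendor} for O4 and O23 lines."""
    found = {}
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        if m["code"] == "O4":
            r = RUN.match(m["body"])
            if r:
                found[("autorun", r["key"], r["name"])] = {
                    "path": image_path(r["cmd"]), "vendor": None}
        elif m["code"] == "O23":
            s = SERVICE.match(m["body"])
            if s:
                found[("service", "", s["name"])] = {
                    "path": image_path(s["path"]), "vendor": s["vendor"]}
    return found


def diff(before, after):
    """Return keys added, removed, and kept-but-pointing-at-a-new-binary."""
    added = sorted(k for k in after if k not in before)
    removed = sorted(k for k in before if k not in after)
    repointed = sorted(k for k in after
                       if k in before and after[k]["path"] != before[k]["path"])
    return added, removed, repointed


def reasons(item):
    """Heuristics chosen for this example, not HijackThis verdicts."""
    out = []
    if "\\local settings\\temp\\" in item["path"]:
        out.append("runs from a Temp directory")
    if item["vendor"] == "Unknown":
        out.append("service vendor is Unknown")
    return out


def report(before_text, after_text):
    before, after = persistence(before_text), persistence(after_text)
    added, removed, repointed = diff(before, after)
    lines = [f"removed   {k[2]!r}" for k in removed]
    lines += [f"added     {k[2]!r} -> {after[k]['path']}" for k in added]
    lines += [f"repointed {k[2]!r}: {before[k]['path']} -> {after[k]['path']}"
              for k in repointed]
    lines += [f"flag      {k[2]!r}: {', '.join(reasons(v))}"
              for k, v in sorted(after.items()) if reasons(v)]
    return lines


if __name__ == "__main__":
    print("\n".join(report(LOG_14_FEB, LOG_25_FEB)))
```
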



