
HJT log (for friend)


5 replies to this topic

#1 biffta (Members, 11 posts)

Posted 08 May 2005 - 12:14 PM

My friend's computer is seriously fubar'd, here's the log
Logfile of HijackThis v1.99.1

Scan saved at 18:08:10, on 08/05/2005

Platform: Windows XP  (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)



Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE

C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Documents and Settings\default\My Documents\adam\Gmail Notifier\gnotify.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\System32\ctfmon.exe

C:\wp.exe

C:\Program Files\Lexmark X125\LEX125SU.exe

C:\WINDOWS\system32\pctspk.exe

C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\SYSTEM32\rundll32.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\update\update.exe

C:\Documents and Settings\default\Desktop\HijackThis.exe



R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\default\LOCALS~1\Temp\se.dll/spage.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\default\LOCALS~1\Temp\se.dll/spage.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;<local>

R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.02.3000.1002\EN-XU\STMAIN.DLL

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-GB\MSNTB.DLL

O2 - BHO: (no name) - {D4C7534A-4B50-46E8-B99A-922497FB882F} - C:\WINDOWS\System32\geak.dll

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-GB\MSNTB.DLL

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe

O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Documents and Settings\default\My Documents\adam\Gmail Notifier\gnotify.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [FX] C:\WINDOWS\Downloaded Program Files\ieloader.exe

O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\default\LOCALS~1\Temp\se.dll,DllInstall

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe

O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxuk101AYGB

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra button: Microsoft AntiSpyware helper - {D1374807-64D3-4BD1-BF61-F32845D26918} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D1374807-64D3-4BD1-BF61-F32845D26918} - (no file) (HKCU)

O12 - Plugin for .bmp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll

O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .swf: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin9.dll

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O18 - Filter: text/html - {7DB977FA-C5D2-4934-A393-058476B49C3B} - C:\WINDOWS\System32\geak.dll

O18 - Filter: text/plain - {7DB977FA-C5D2-4934-A393-058476B49C3B} - C:\WINDOWS\System32\geak.dll

O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
Cheers in advance!

#2 Lobos (Members, 317 posts, California USA)

Posted 09 May 2005 - 08:23 AM

Hi, welcome to BC.

Download SpSeHjfix to your desktop; be sure to download the one that's appropriate for your operating system.

1) Click "Start Disinfection".

-

Be sure to post the log created by the SpSeHjfix cleanup tool, along with any other logs requested after completing this solution.

Ad-Aware SE | Spybot S&D 1.4

For extra protection try SpywareBlaster

If you use IE I suggest using these two programs: MVPHosts & IE-SPYAD

#3 biffta (Topic Starter, Members, 11 posts)

Posted 09 May 2005 - 01:08 PM

Here is the logfile
(5/9/05 17:11:00) SPSeHjFix started v1.1.2

(5/9/05 17:11:00) OS: WinXP  (5.1.2600)

(5/9/05 17:11:00) Language: english

(5/9/05 17:11:00) Win-Path: C:\WINDOWS

(5/9/05 17:11:00) System-Path: C:\WINDOWS\System32

(5/9/05 17:11:00) Temp-Path: C:\DOCUME~1\default\LOCALS~1\Temp\

(5/9/05 17:12:01) Disinfection started

(5/9/05 17:12:01) Bad-Dll(IEP): c:\docume~1\default\locals~1\temp\se.dll

(5/9/05 17:12:01) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\System32\geak.dll

(5/9/05 17:12:01) Searchassistant Uninstaller - Keys Deleted

(5/9/05 17:12:01) UBF: 6 - UBB: 4 - UBR: 10

(5/9/05 17:12:01) FilterKey: HKCR\text/html (deleted)

(5/9/05 17:12:01) FilterKey: HKCR\CLSID\{02F1D656-3358-4DCA-ACEB-9AC11B214739} (deleted)

(5/9/05 17:12:01) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)

(5/9/05 17:12:01) FilterKey: HKCR\text/plain (deleted)

(5/9/05 17:12:01) FilterKey: HKCR\CLSID\{02F1D656-3358-4DCA-ACEB-9AC11B214739} (error while deleting)

(5/9/05 17:12:01) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)

(5/9/05 17:12:01) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5A3B229A-DC73-47F4-95B4-C352A5F16C3E} (deleted)

(5/9/05 17:12:01) BHO-Key: HKCR\CLSID\{5A3B229A-DC73-47F4-95B4-C352A5F16C3E} (deleted)

(5/9/05 17:12:01) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\DOCUME~1\default\LOCALS~1\Temp\se.dll,DllInstall (deleted)

(5/9/05 17:12:01) UBF: 4 - UBB: 3 - UBR: 9

(5/9/05 17:12:01) Bad IE-pages:

deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\default\locals~1\temp\se.dll/spage.html
And I also have a log from something called Spyware Nuker that came along with it
Version: 3.04.20.1

Definition Database Date: 5/4/2005 11:05:44 AM

OS version: Windows XP 5.1.2600 []

Web Browser Version: IE:6.0.2600.0000;FF:1.0.3 (en-US);

Date/Time: 05/09/2005 17:48:42



24/7 RealMedia - Cookie  960  A cookie that is shared among websites to track your web surfing habits.

Cookie  55877  cookies.txt: ing010m

Cookie  55877  cookies.txt: RMID



2o7 - Cookie  669  A cookie that is shared among websites to track your web surfing habits.

Cookie  33236  default@112.2o7[1].txt: s_vi_wdffj

Cookie  33236  cookies.txt: s_vi_atamox7Ecaihem

Cookie  33236  cookies.txt: s_vi_wdffj



A Better Internet - Adware  777  Displays popup advertisements. Installs secretly. Bundled with other applications.

Registry Value  47716  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar:{2CDE1A7D-A478-4291-BF31-E1B4C16F92EB}



AdRevolver - Cookie  962  A cookie that is shared among websites to track your web surfing habits.

Cookie  55880  cookies.txt: adrevid

Cookie  55880  cookies.txt: prefs

Cookie  55880  cookies.txt: uid



Altnet (B3D Projector) - Adware  745  Downloads programs in the background. Causes 3D animations and animated ads to appear in web browser. Also tracks users web browsing habits and logs IP addresses.

Registry Key  46017  HKEY_CLASSES_ROOT\AppID\adm.EXE

Registry Key  52031  HKEY_CLASSES_ROOT\AppID\Altnet Signing Module.EXE

Registry Value  52032  HKEY_CLASSES_ROOT\AppID\Altnet Signing Module.EXE:AppID

Folder  55454  C:\WINDOWS\Temp\Altnet

File  55462  C:\WINDOWS\Temp\Altnet\atl.dll



aQuantive - Cookie  978  A cookie that is shared among websites to track your web surfing habits.

Cookie  2354  cookies.txt: AA002



Bluestreak - Cookie  819  A cookie that is shared among websites to track your web surfing habits.

Cookie  49880  cookies.txt: id



Burst - Cookie  967  A cookie that is shared among websites to track your web surfing habits.

Cookie  55886  default@burstnet[2].txt: TData

Cookie  55886  default@burstnet[3].txt: TData

Cookie  55885  default@www.burstbeacon[1].txt: /BC

Cookie  55886  cookies.txt: TID



CWS.About_Blank - Hijacker  886  Hijacks browser homepage and search settings to a search portal. Can silently download and execute files.

File  886  C:\Program Files\Microsoft AntiSpyware\Quarantine\12327D20-2E03-419C-A4DF-CE4CCB\1304B024-F57F-4D1A-86DB-0B2205



CWS.Wnim - Hijacker  928  Hijacks browser settings. Lowers internet security by reducing IE security and zone settings. Downloads other software and periodically displays pop-up ads from adult sites.

Registry Value  54535  HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3:1406:0

Registry Value  54535  HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3:1406:0

Registry Value  54535  HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3:1406:0

Registry Value  54535  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3:1406:0

Registry Value  54535  HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3:1406:0



DoubleClick - Cookie  446  A cookie that is shared among websites to track your web surfing habits.

Cookie  2378  cookies.txt: id



EyeBlaster - Cookie  979  A cookie that is shared among websites to track your web surfing habits.

Cookie  55898  default@serving-sys[2].txt: CampaignOnPublisherInfo

Cookie  55898  default@serving-sys[3].txt: CampaignOnPublisherInfo

Cookie  55898  cookies.txt: FlightInfo

Cookie  55898  cookies.txt: AdInfo

Cookie  55898  cookies.txt: CampaignInfo

Cookie  55898  cookies.txt: CampaignOnPublisherInfo



GAIN - Adware  618  Bundled with DashBar, Date Manager, Precision Time, Gator eWallet, Weatherscope, and Search Scout. Records and reports internet browsing activities. Displays popup ads. Tracks you by a computer id, unique user id, and your location among other data.

Registry Key  14186  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\GAIN Publishing

Folder  11233  C:\Documents and Settings\All Users\Start Menu\Programs\GAIN Publishing

File  11238  C:\Documents and Settings\default\Local Settings\Temp\bundle.inf



HitBox - Cookie  447  A cookie that is shared among websites to track your web surfing habits.

Cookie  2382  cookies.txt: DM530528JGAVV6

Cookie  2382  cookies.txt: WSS_GW

Cookie  2382  cookies.txt: CTG

Cookie  2382  cookies.txt: DM53111942ZMV6

Cookie  2382  cookies.txt: DM521023O5CBV6

Cookie  2382  cookies.txt: DM521004BGZNV6

Cookie  2382  cookies.txt: DM5504206KMAV6



Httper - Hijacker  842  BHO that hijacks the defualt error page and search settings. It re-directs any web server's error page to an ad pop-up or marsfind.com search result page. Periodically displays pop-up ads from ad.doubleclick.net.

Cookie  50681  default@e.rn11[2].txt: ad



HumanClick - Cookie  670  A cookie that is shared among websites to track your web surfing habits.

Cookie  33239  default@16641365[2].txt: HumanClickKEY

Cookie  33239  cookies.txt: HumanClickKEY

Cookie  33239  cookies.txt: HumanClickID



IEPlugin - Downloader  740  Installs a web search toolbar in Windows and in the internet browser. Changes browser search settings and Downloads other software that displays pop-up ads and offers.

Registry Key  44901  HKEY_USERS\.DEFAULT\Software\intexp

Registry Key  44901  HKEY_USERS\S-1-5-19\Software\intexp

Registry Key  44901  HKEY_USERS\S-1-5-20\Software\intexp

Registry Key  44901  HKEY_USERS\S-1-5-18\Software\intexp

File  44521  C:\WINDOWS\kwv2.dat



Kazaa - Bundleware  953  Bundles adware programs and reinstalls them after they have been removed.

Registry Key  55497  HKEY_CLASSES_ROOT\CLSID\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}

Registry Key  55569  HKEY_LOCAL_MACHINE\SOFTWARE\Kazaa

Registry Key  55573  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\D:\InstallShield\Kazaa

Registry Key  55590  HKEY_LOCAL_MACHINE\SOFTWARE\Sharman Networks Ltd

Registry Key  55592  HKEY_CURRENT_USER\Software\AppConf

Registry Key  55594  HKEY_USERS\.DEFAULT\Software\Kazaa

Registry Key  55594  HKEY_USERS\S-1-5-19\Software\Kazaa

Registry Key  55594  HKEY_USERS\S-1-5-20\Software\Kazaa

Registry Key  55594  HKEY_CURRENT_USER\Software\Kazaa

Registry Key  55594  HKEY_USERS\S-1-5-18\Software\Kazaa

Folder  55422  C:\Program Files\Kazaa

Folder  55428  C:\Program Files\Kazaa\BGP2P

Folder  55464  C:\WINDOWS\Temp\BullGuard

File  55465  C:\WINDOWS\Temp\BullGuard\bulldownload.exe



MediaPlex - Cookie  448  A cookie that is shared among websites to track your web surfing habits.

Cookie  2383  cookies.txt: svid



MyWay, MySearch, MyWebSearch Toolbar - Trackware  610  Search toolbar that records your searches. Reports when you open your browser. Tracks individuals using cookies. Bundled with various free applications.

Registry Key  24231  HKEY_CLASSES_ROOT\CLSID\{147A976E-EEE1-4377-8EA7-4716E4CDD239}

Registry Key  24279  HKEY_CLASSES_ROOT\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}

Registry Value  24582  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Search:(Default):http://bar.mywebsearch.com/menusearch.html?p=ZNxuk101AYGB

File  24187  C:\WINDOWS\System32\f3PSSavr.scr

Folder  7435  C:\Program Files\MyWay

Cookie  24105  default@mywebsearch[2].txt: ptnrP

Cookie  24105  cookies.txt: d

Cookie  24105  cookies.txt: ti

Cookie  24105  cookies.txt: search

Cookie  24105  cookies.txt: UID

Cookie  24105  cookies.txt: fl

Cookie  24105  cookies.txt: uu

Cookie  24105  cookies.txt: id

Cookie  24105  cookies.txt: ptnrP



P2P Networking - Trojan  666  Communicates with controlling server via port 3531. Comes bundled with other applications.

Registry Key  33025  HKEY_LOCAL_MACHINE\SOFTWARE\P2P Networking

Registry Key  50146  HKEY_USERS\.DEFAULT\Software\P2P Networking

Registry Key  50146  HKEY_USERS\S-1-5-19\Software\P2P Networking

Registry Key  50146  HKEY_USERS\S-1-5-20\Software\P2P Networking

Registry Key  50146  HKEY_USERS\S-1-5-18\Software\P2P Networking

File  50132  C:\Documents and Settings\default\Local Settings\Temp\p2psetup.exe



ShopNav - Adware  627  Hijacks your browser search pages. Displays popup advertising.

Registry Value  47720  HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\SearchUrl:(Default):websearch.drsnsrch.com/q.cgi?q=

Registry Value  47720  HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\SearchUrl:(Default):websearch.drsnsrch.com/q.cgi?q=

Registry Value  47722  HKEY_USERS\.DEFAULT\Software\Microsoft\Search Assistant:DefaultSearchURL:http://websearch.drsnsrch.com/q.cgi?q=

Registry Value  47722  HKEY_USERS\S-1-5-19\Software\Microsoft\Search Assistant:DefaultSearchURL:http://websearch.drsnsrch.com/q.cgi?q=

Registry Value  47722  HKEY_USERS\S-1-5-20\Software\Microsoft\Search Assistant:DefaultSearchURL:http://websearch.drsnsrch.com/q.cgi?q=

Registry Value  47722  HKEY_CURRENT_USER\Software\Microsoft\Search Assistant:DefaultSearchURL:http://websearch.drsnsrch.com/q.cgi?q=

Registry Value  47722  HKEY_USERS\S-1-5-18\Software\Microsoft\Search Assistant:DefaultSearchURL:http://websearch.drsnsrch.com/q.cgi?q=

Registry Value  48342  HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\SearchUrl:(Default):websearch.drsnsrch.com/q.cgi?q=

Registry Value  48342  HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\SearchUrl:(Default):websearch.drsnsrch.com/q.cgi?q=

Registry Value  48345  HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main:Search Page:http://websearch.drsnsrch.com/sidesearch.cgi?id=

Registry Value  48345  HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main:Search Bar:http://websearch.drsnsrch.com/sidesearch.cgi?id=

Registry Value  48345  HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main:Search Page:http://websearch.drsnsrch.com/sidesearch.cgi?id=

Registry Value  48345  HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main:Search Bar:http://websearch.drsnsrch.com/sidesearch.cgi?id=

Cookie  16451  default@S130343[1].txt: wtl130343

Cookie  16451  default@S113245[2].txt: wtl113245

Cookie  16451  default@shopnav[2].txt: UID

Cookie  16451  cookies.txt: wtl130343

Cookie  16451  cookies.txt: wtl113245

Cookie  16451  cookies.txt: UID



TPS108 - Adware  705  Displays targeted advertising while surfing the web.

Cookie  54319  default@offeroptimizer[1].txt: OASISID

Cookie  54319  default@xads.offeroptimizer[2].txt: WIDYMD

Cookie  54319  default@offeroptimizer[2].txt: OASISID

Cookie  54319  default@xadsq.offeroptimizer[1].txt: AdComPop202035

Cookie  54319  default@offeroptimizer[3].txt: OASISID

Cookie  54319  cookies.txt: OASISID



Tribal Fusion - Cookie  816  A cookie that is shared among websites to track your web surfing habits.

Cookie  49877  cookies.txt: ANON_ID


#4 Lobos (Members, 317 posts, California USA)

Posted 09 May 2005 - 03:36 PM

Can I see another HJT log please?

#5 biffta (Topic Starter, Members, 11 posts)

Posted 10 May 2005 - 12:07 PM

As requested

Logfile of HijackThis v1.99.1

Scan saved at 18:00:50, on 10/05/2005

Platform: Windows XP  (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)



Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE

C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Documents and Settings\default\My Documents\adam\Gmail Notifier\gnotify.exe

C:\Program Files\Spyware Nuker 2004\swn2.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Lexmark X125\LEX125SU.exe

C:\WINDOWS\system32\pctspk.exe

C:\Program Files\ntl\broadband medic\bin\mpbtn.exe

C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\WINDOWS\System32\wuauclt.exe

C:\WINDOWS\System32\wuauclt.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Documents and Settings\default\Desktop\HijackThis.exe



R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;<local>

R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.02.3000.1002\EN-XU\STMAIN.DLL

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-GB\MSNTB.DLL

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-GB\MSNTB.DLL

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe

O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [LMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Documents and Settings\default\My Documents\adam\Gmail Notifier\gnotify.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Spyware Nuker] C:\Program Files\Spyware Nuker 2004\swn2.exe /h

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe

O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxuk101AYGB

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra button: Microsoft AntiSpyware helper - {D1374807-64D3-4BD1-BF61-F32845D26918} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D1374807-64D3-4BD1-BF61-F32845D26918} - (no file) (HKCU)

O12 - Plugin for .bmp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll

O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .swf: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin9.dll

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe


#6 Lobos (Members, 317 posts, California USA)

Posted 10 May 2005 - 03:08 PM

I'd recommend that you install all the critical Windows updates available from Microsoft, up to Service Pack 1. This will help to make your system more secure and prevent many 'problems' from recurring in the future.


===============

Go to Add/Remove programs and remove(uninstall) the following, if present:

MyWebSearch

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

===============

Run HiJackThis and click "Scan", then check(tick) the following, if present:


R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxuk101AYGB

O9 - Extra button: Microsoft AntiSpyware helper - {D1374807-64D3-4BD1-BF61-F32845D26918} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D1374807-64D3-4BD1-BF61-F32845D26918} - (no file) (HKCU)


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Post back a new log, and let me know how everything goes.

-

Lobos.
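The triage Lobos does by eye in this thread (the about:blank search pages, the res:// page served out of se.dll in the user's Temp directory, the Run key that loads that same DLL through rundll32, the nameless geak.dll BHO that is also registered as the text/html and text/plain MIME filter, the c:\wp.exe Run key, and the leftover "(no file)" entries) can be written down as a small checker. The script below is an added example for this page; it is not part of the thread, of HijackThis or of SpSeHjfix. It parses the R*/O* entry lines of an HJT log, flags each entry against those heuristics, and then compares the first log with the one posted after the cleanup to show which flagged entries are gone. The sample lines are abridged from the two logs above; the heuristics, the file name hjt_triage.py and the function names are this example's own choices, not HijackThis's rules.

```python
"""Triage helper for HijackThis-style logs (hjt_triage.py).

Added example for this thread; not part of HijackThis, SpSeHjfix or the
posts above.  Parses the R*/O* entry lines, flags each against heuristics
drawn from the CWS.About_Blank indicators visible in the thread, and reports
which flagged entries are gone in a second log taken after cleanup.
"""
import re

# One HJT entry: "R1 - ..." or "O18 - ...". Headers, process listings and
# blank lines do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
# Per-user Temp directory in either short (8.3) or long path form.
TEMP_RE = re.compile(r"\\(locals~1\\temp|local settings\\temp)\\", re.I)
# A bare "X:\name.exe" closing a Run entry: an executable dropped in the
# drive root, like the c:\wp.exe entry in the first log.
ROOT_EXE_RE = re.compile(r"\s[a-z]:\\[^\\]+\.exe$")

# Sample input, abridged from the first HJT log in the thread (before cleanup).
BEFORE = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\default\LOCALS~1\Temp\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {D4C7534A-4B50-46E8-B99A-922497FB882F} - C:\WINDOWS\System32\geak.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\default\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O18 - Filter: text/html - {7DB977FA-C5D2-4934-A393-058476B49C3B} - C:\WINDOWS\System32\geak.dll
"""

# Sample input, abridged from the HJT log posted after SpSeHjfix and Spyware Nuker ran.
AFTER = r"""
Logfile of HijackThis v1.99.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
"""


def parse(log):
    """Return [(kind, body), ...] for the entry lines of an HJT log."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["kind"], m["body"]))
    return entries


def flag(kind, body):
    """Return the reasons an entry looks suspicious; an empty list means benign."""
    low = body.lower()
    reasons = []
    if kind.startswith("R") and "about:blank" in low:
        reasons.append("IE search/start page hijacked to about:blank")
    if "res://" in low and TEMP_RE.search(low):
        reasons.append("res:// page served from a DLL in a Temp directory")
    if kind == "O4" and "rundll32" in low and TEMP_RE.search(low):
        reasons.append("Run key loads a DLL from Temp via rundll32")
    if kind == "O4" and ROOT_EXE_RE.search(low):
        reasons.append("Run key points at an executable in the drive root")
    if kind == "O2" and "(no name)" in low:
        reasons.append("nameless BHO")
    if kind == "O18" and re.match(r"filter: text/(html|plain)", low):
        reasons.append("MIME filter on text/html or text/plain (sees every page)")
    if "(no file)" in low:
        reasons.append("orphaned entry (file missing); harmless but worth fixing")
    return reasons


def triage(log):
    """Map 'kind - body' to its reasons for every flagged entry in a log."""
    flagged = {}
    for kind, body in parse(log):
        reasons = flag(kind, body)
        if reasons:
            flagged[f"{kind} - {body}"] = reasons
    return flagged


def cleanup_report(before, after):
    """Split the entries flagged in `before` into (gone in `after`, still present)."""
    remaining = {f"{k} - {b}" for k, b in parse(after)}
    flagged = triage(before)
    removed = sorted(e for e in flagged if e not in remaining)
    left = sorted(e for e in flagged if e in remaining)
    return removed, left


if __name__ == "__main__":
    for entry, reasons in triage(BEFORE).items():
        print(entry)
        for reason in reasons:
            print("    ->", reason)
    removed, left = cleanup_report(BEFORE, AFTER)
    print(f"\n{len(removed)} flagged entries gone after cleanup, {len(left)} still present:")
    for entry in left:
        print("   ", entry)
```

Run it with `python hjt_triage.py`. Two design points are deliberate: it never decides by CLSID, because a GUID on its own says nothing about the DLL behind it, and it reports a "(no file)" orphan as cleanup work rather than infection. Against the abridged logs it flags seven entries in the first log and finds one still present in the second, the orphaned URLSearchHook, which is the same R3 line Lobos asks to have fixed in post #6.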
