
New at forums, need help with hijack log.


16 replies to this topic

#1 IslandFireEx

Posted 16 June 2005 - 05:17 PM

Can you take a look at my log, please? My computer has all sorts of weird command prompts showing up at startup. I heard about these forums through a friend and have decided to check them out.

Here is my log.

Logfile of HijackThis v1.99.1
Scan saved at 3:14:40 PM, on 16-Jun-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\winnt\System32\smss.exe
E:\winnt\system32\winlogon.exe
E:\winnt\system32\services.exe
E:\winnt\system32\lsass.exe
E:\winnt\system32\svchost.exe
E:\winnt\System32\svchost.exe
E:\winnt\Explorer.EXE
E:\winnt\Mixer.exe
E:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\WINNT\kdx\KHost.exe
E:\Program Files\Trend Micro\Internet Security Setup\pccguide.exe
E:\Program Files\Trend Micro\Internet Security Setup\PCClient.exe
E:\Program Files\Trend Micro\Internet Security Setup\TMOAgent.exe
E:\winnt\system32\rundll32.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
E:\SV26\PROGRAM\PICPRTR.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WinFax\WFXCTL32.EXE
C:\Program Files\Exif Launcher\QuickDCF.exe
E:\Palm\HOTSYNC.EXE
D:\Program Files\WinZip\WZQKPICK.EXE
E:\SV26\PROGRAM\PICSERV.EXE
E:\winnt\system32\slserv.exe
E:\Program Files\Trend Micro\Internet Security Setup\Tmntsrv.exe
E:\Program Files\Trend Micro\Internet Security Setup\tmproxy.exe
E:\Program Files\Trend Micro\Internet Security Setup\PccPfw.exe
E:\winnt\system32\spoolsv.exe
C:\Program Files\WinFax\WFXMOD32.EXE
E:\winnt\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\PROGRA~1\WINZIP\winzip32.exe
E:\Documents and Settings\fireex\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca/start/enca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=E:\WINNT\system32\userinit.exe,C:\WINNT\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: E:\WINNT\lbbho.dll - {7526127F-CACE-40CC-B2BC-FAEAA5BBBB08} - E:\WINNT\lbbho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] E:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [kdx] E:\WINNT\kdx\KHost.exe
O4 - HKLM\..\Run: [pccguide.exe] "E:\Program Files\Trend Micro\Internet Security Setup\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "E:\Program Files\Trend Micro\Internet Security Setup\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "E:\Program Files\Trend Micro\Internet Security Setup\TMOAgent.exe" /run
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [shawnotify] c:\progra~1\shaw\update\updateloader.exe /notify
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [PICPRTR] E:\SV26\PROGRAM\PICPRTR.EXE
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: winstart.bat
O4 - Global Startup: Configuration Wizard.lnk = C:\Program Files\WinFax\WTNSETUP.EXE
O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Global Startup: HotSync Manager.lnk = E:\Palm\HOTSYNC.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download with Go!Zilla - file://D:\PROGRA~1\GO!ZILLA\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://c:\Program Files\topMoxie\TEMP\limeshop_script.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - E:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - E:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/201bd8b53a80e703b923/...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lowrance.com/Software/PCSoftwar...330C/isetup.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O18 - Protocol: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - C:\Program Files\Common Files\Intuit\intu-res.dll
O23 - Service: Pacific Image Comm. Fax Server - Unknown owner - E:\SV26\PROGRAM\PICSERV.EXE
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - E:\Program Files\Trend Micro\Internet Security Setup\PccPfw.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - E:\winnt\SYSTEM32\slserv.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - E:\Program Files\Trend Micro\Internet Security Setup\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - E:\Program Files\Trend Micro\Internet Security Setup\tmproxy.exe


Thanks for your help



#2 IslandFireEx (Topic Starter)

Posted 16 June 2005 - 06:40 PM

If there is anything else I can do, just ask :thumbsup:

#3 IslandFireEx (Topic Starter)

Posted 16 June 2005 - 07:49 PM

oldtimer:

My friend said you were good and helped him; give this a try.

My computer monitor also starts to flash, and then I have to hard reboot.
When I get started fixing the problems, there are more.


Thanks in advance.

#4 g2i2r4 (Malware remover)

Posted 17 June 2005 - 03:23 PM

Welcome IslandFireEx to Bleeping Computer.

Is it OK if I give it a go?

I suggest you remove NewDotNet unless you deliberately installed it. It is extremely dubious and commercially sponsored.

First, please open Add/Remove Programs and uninstall New.Net or NewDotNet from there if it is listed. If it is not listed, follow these instructions:

  • From a computer that has Internet access, click on the following link: http://www.new.net/support/uninstall6_76.exe
  • Download and save uninstall6_76.exe to local disk C:
  • Click on Start.
  • Click on Run.
  • In the Open window type C:\uninstall6_76.exe
  • Click on the OK button.
  • After removal, you may be prompted to reboot. Please reboot if not prompted.

Post back a fresh log using HijackThis please.


Life is what happens while you're making other plans

#5 IslandFireEx (Topic Starter)

Posted 17 June 2005 - 05:20 PM

I removed it from add/remove programs.

Here is my new log from hijackthis.

Logfile of HijackThis v1.99.1
Scan saved at 3:19:33 PM, on 17-Jun-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\winnt\System32\smss.exe
E:\winnt\system32\winlogon.exe
E:\winnt\system32\services.exe
E:\winnt\system32\lsass.exe
E:\winnt\system32\svchost.exe
E:\winnt\System32\svchost.exe
E:\winnt\Explorer.EXE
E:\winnt\system32\spoolsv.exe
E:\winnt\system32\nvsvc32.exe
E:\winnt\system32\slserv.exe
E:\Program Files\Trend Micro\Internet Security Setup\Tmntsrv.exe
E:\Program Files\Trend Micro\Internet Security Setup\tmproxy.exe
E:\Program Files\Trend Micro\Internet Security Setup\PccPfw.exe
E:\winnt\system32\wuauclt.exe
E:\winnt\Mixer.exe
E:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\WINNT\kdx\KHost.exe
E:\Program Files\Trend Micro\Internet Security Setup\pccguide.exe
E:\Program Files\Trend Micro\Internet Security Setup\PCClient.exe
E:\Program Files\Trend Micro\Internet Security Setup\TMOAgent.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
E:\winnt\system32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\winnt\system32\rundll32.exe
C:\Program Files\WinFax\WFXCTL32.EXE
C:\Program Files\Exif Launcher\QuickDCF.exe
E:\Palm\HOTSYNC.EXE
D:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\WinFax\WFXMOD32.EXE
E:\winnt\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Documents and Settings\fireex\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca/start/enca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=E:\WINNT\system32\userinit.exe,C:\WINNT\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: E:\WINNT\lbbho.dll - {7526127F-CACE-40CC-B2BC-FAEAA5BBBB08} - E:\WINNT\lbbho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] E:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [kdx] E:\WINNT\kdx\KHost.exe
O4 - HKLM\..\Run: [pccguide.exe] "E:\Program Files\Trend Micro\Internet Security Setup\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "E:\Program Files\Trend Micro\Internet Security Setup\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "E:\Program Files\Trend Micro\Internet Security Setup\TMOAgent.exe" /run
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [PICPRTR] E:\SV26\PROGRAM\PICPRTR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\winnt\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\winnt\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [SpybotSnD] "E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: winstart.bat
O4 - Global Startup: Configuration Wizard.lnk = C:\Program Files\WinFax\WTNSETUP.EXE
O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Global Startup: HotSync Manager.lnk = E:\Palm\HOTSYNC.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download with Go!Zilla - file://D:\PROGRA~1\GO!ZILLA\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://c:\Program Files\topMoxie\TEMP\limeshop_script.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - E:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - E:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/201bd8b53a80e703b923/...ip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lowrance.com/Software/PCSoftwar...330C/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O18 - Protocol: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - C:\Program Files\Common Files\Intuit\intu-res.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\winnt\system32\nvsvc32.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - E:\Program Files\Trend Micro\Internet Security Setup\PccPfw.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - E:\winnt\SYSTEM32\slserv.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - E:\Program Files\Trend Micro\Internet Security Setup\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - E:\Program Files\Trend Micro\Internet Security Setup\tmproxy.exe

#6 g2i2r4 (Malware remover)

Posted 17 June 2005 - 05:39 PM

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

F2 - REG:system.ini: UserInit=E:\WINNT\system32\userinit.exe,C:\WINNT\system32\userinit.exe,

O2 - BHO: E:\WINNT\lbbho.dll - {7526127F-CACE-40CC-B2BC-FAEAA5BBBB08} - E:\WINNT\lbbho.dll

O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - E:\Program Files\PartyPoker.net\partypokernet.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - E:\Program Files\PartyPoker.net\partypokernet.exe (file missing)

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/201bd8b53a80e703b923/...ip/RdxIE601.cab

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

Grant permission to Spybot for the changes.

How are things now?


Life is what happens while you're making other plans
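The six entries the helper lists above fall into a few families: a Winlogon UserInit value (F2) that names more programs than the stock userinit.exe, a browser helper object (O2) registered straight out of the Windows directory under its own path instead of a vendor name, orphaned O9 buttons whose target is "(file missing)", an ActiveX download (O16) pulled from a bare IP address, and, in the first log, the O10 Winsock LSP lines left by New.Net. As an added example that is not part of this thread and not HijackThis's own code, the Python below parses HijackThis 1.99 lines and applies those checks as the editor's own heuristics; the sample lines are copied from the poster's logs and are labelled as a constructed sample. Every hit still has to be looked up by hand, which is what the helper is doing here; the script only orders the work.

```python
"""Heuristic triage of HijackThis 1.99 log entries.

Added example for this thread: not HijackThis code and not the helper's
method. The rules are the editor's own heuristics, chosen to match the
kinds of entry the helper told the poster to fix. They are a first pass
only; every finding still needs to be checked by hand.
"""
import re
from dataclasses import dataclass

# One HijackThis line: section code, " - ", body.
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# O2 body: "BHO: <name> - {CLSID} - <dll path>".  The name is matched
# non-greedily so a path containing " - " (Spybot - Search & Destroy)
# does not break the split.
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# Download URL whose host is a bare dotted-quad IP address.
IP_URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?=[/:]|$)", re.I)
# A DLL sitting directly in the Windows directory (not system32, not a vendor folder).
WINDIR_ROOT_DLL_RE = re.compile(r"^[A-Z]:\\WIN(?:NT|DOWS)\\[^\\]+\.dll$", re.I)

# Constructed sample: lines copied from the poster's logs, trimmed to the
# entry kinds the checks below look at.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=E:\WINNT\system32\userinit.exe,C:\WINNT\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: E:\WINNT\lbbho.dll - {7526127F-CACE-40CC-B2BC-FAEAA5BBBB08} - E:\WINNT\lbbho.dll
O4 - HKLM\..\Run: [kdx] E:\WINNT\kdx\KHost.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - E:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/201bd8b53a80e703b923/...ip/RdxIE601.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O23 - Service: SmartLinkService (SLService) - Smart Link - E:\winnt\SYSTEM32\slserv.exe
"""


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(text):
    """Yield (section, body, raw_line) for every HijackThis entry line."""
    for raw in text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            yield m["sec"], m["body"], raw


def check_orphan(body):
    # HijackThis appends "(file missing)" when the registered target is gone.
    if body.endswith("(file missing)"):
        return "entry points at a file that is no longer on disk; a leftover worth removing"
    return None


def check_f2_userinit(body):
    # The stock value names one program, userinit.exe.  Every extra
    # comma-separated entry is started by winlogon at each logon.
    if not body.startswith("REG:system.ini: UserInit="):
        return None
    programs = [p.strip() for p in body.split("=", 1)[1].split(",") if p.strip()]
    if len(programs) > 1:
        return f"UserInit runs {len(programs)} programs at logon; the default is userinit.exe alone"
    return None


def check_o2_bho(body):
    # Legitimate BHOs ship under Program Files with a vendor name; a DLL
    # dropped straight into the Windows directory and registered under its
    # own path is how lbbho.dll appeared in the log.
    m = BHO_RE.match(body)
    if m and WINDIR_ROOT_DLL_RE.match(m["path"]):
        return f"BHO {m['clsid']} loads {m['path']} from the Windows directory root"
    return None


def check_o10_lsp(body):
    # HijackThis prints one O10 line per hijacked Winsock LSP entry; any
    # O10 line means a third-party DLL sits in the TCP/IP stack.
    return f"Winsock LSP chain modified: {body}"


def check_o16_dpf(body):
    m = IP_URL_RE.search(body)
    if m:
        return f"ActiveX control fetched from a bare IP address ({m.group(1)}) rather than a named site"
    return None


CHECKS = {"F2": check_f2_userinit, "O2": check_o2_bho,
          "O10": check_o10_lsp, "O16": check_o16_dpf}


def triage(text):
    """Run every applicable check; identical lines (repeated O10s) count once."""
    findings, seen = [], set()
    for sec, body, raw in parse_entries(text):
        reason = check_orphan(body)
        if reason is None and sec in CHECKS:
            reason = CHECKS[sec](body)
        if reason and raw not in seen:
            seen.add(raw)
            findings.append(Finding(sec, reason, raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The checks are deliberately narrow: Spybot's SDHelper.dll shows up as "(no name)" and the Kontiki KHost.exe runs from a Windows subfolder, and neither is flagged, because "no name" and "odd location" alone produce too many false positives; the helper left both in place too.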

#7 IslandFireEx (Topic Starter)

Posted 17 June 2005 - 07:49 PM

Here is the new HijackThis log. I didn't quite know what "grant permission to Spybot for the changes" meant, but I ran Spybot.

When this was done I tried to remove what Spybot came up with and got this warning:

Some problems couldn't be fixed. The reason could be that the associated files are still in use (in memory).
May Spybot-S&D run on your next system startup?


I said yes, the computer rebooted and Spybot ran, and the same warning came up.




Logfile of HijackThis v1.99.1
Scan saved at 5:40:06 PM, on 17-Jun-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\winnt\System32\smss.exe
E:\winnt\system32\winlogon.exe
E:\winnt\system32\services.exe
E:\winnt\system32\lsass.exe
E:\winnt\system32\svchost.exe
E:\winnt\System32\svchost.exe
E:\winnt\system32\spoolsv.exe
E:\winnt\Explorer.EXE
E:\winnt\system32\nvsvc32.exe
E:\winnt\System32\svchost.exe
E:\Program Files\Trend Micro\Internet Security Setup\Tmntsrv.exe
E:\Program Files\Trend Micro\Internet Security Setup\tmproxy.exe
E:\Program Files\Trend Micro\Internet Security Setup\PccPfw.exe
E:\winnt\Mixer.exe
E:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Trend Micro\Internet Security Setup\pccguide.exe
E:\Program Files\Trend Micro\Internet Security Setup\PCClient.exe
E:\Program Files\Trend Micro\Internet Security Setup\TMOAgent.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
E:\winnt\system32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
E:\winnt\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
E:\Palm\HOTSYNC.EXE
D:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Documents and Settings\fireex\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca/start/enca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.de/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] E:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pccguide.exe] "E:\Program Files\Trend Micro\Internet Security Setup\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "E:\Program Files\Trend Micro\Internet Security Setup\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "E:\Program Files\Trend Micro\Internet Security Setup\TMOAgent.exe" /run
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [PICPRTR] E:\SV26\PROGRAM\PICPRTR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\winnt\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\winnt\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\RunOnce: [SpybotSnD] "E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: winstart.bat
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Global Startup: HotSync Manager.lnk = E:\Palm\HOTSYNC.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download with Go!Zilla - file://D:\PROGRA~1\GO!ZILLA\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://c:\Program Files\topMoxie\TEMP\limeshop_script.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lowrance.com/Software/PCSoftwar...330C/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O18 - Protocol: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - C:\Program Files\Common Files\Intuit\intu-res.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\winnt\system32\nvsvc32.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - E:\Program Files\Trend Micro\Internet Security Setup\PccPfw.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\winnt\system32\hpzipm12.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - E:\Program Files\Trend Micro\Internet Security Setup\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - E:\Program Files\Trend Micro\Internet Security Setup\tmproxy.exe



Thanks :thumbsup:

#8 g2i2r4 (Malware remover)

Posted 18 June 2005 - 07:04 AM

Hmm, the HijackThis log isn't showing anything anymore.

Download CleanUp!.
If that doesn’t work, use this link.
Here is a tutorial which describes its usage:
http://www.bleepingcomputer.com/tutorials/how-to-use-cleanup/

Find and double-click the file cleanup.

Go to Options
Select 'Custom'
Put a check next to:
  • Cookies
  • Prefetch
  • Temp
  • All users
Press 'CleanUp!'

Once it's done, press Close. Reboot the system. This will remove files that were in use during the scan.

***

Please download ewido security suite; it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed, close Ewido for now.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

***

Once in safe mode, click the Ewido button on your desktop.
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
Reboot your machine and post back the ewido.txt log file you saved.


Life is what happens while you're making other plans

#9 IslandFireEx (Topic Starter)

Posted 18 June 2005 - 12:39 PM

Here is the ewido.txt log you requested.

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:29:51 AM, 18-Jun-2005
+ Report-Checksum: F91B059E

+ Date of database: 18-Jun-2005
+ Version of scan engine: v3.0

+ Duration: 97 min
+ Scanned Files: 126974
+ Speed: 21.80 Files/Second
+ Infected files: 13
+ Removed files: 13
+ Files put in quarantine: 13
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\
E:\
F:\

+ Scan result:
C:\WINNT\system32\chktrust.exe -> Spyware.Bargainbuddy -> Cleaned with backup
C:\WINNT\system32\NCP.EXE -> Trojan.BDMania -> Cleaned with backup
E:\Documents and Settings\fireex\Cookies\fireex@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
E:\Documents and Settings\fireex\Desktop\backups\backup-20050617-172430-391.dll -> Spyware.Neon.a -> Cleaned with backup
E:\Program Files\NewDotNet\newdotnet3_88.dll -> Spyware.NewDotNet -> Cleaned with backup
E:\Program Files\NewDotNet\uninstall3_88.exe -> Spyware.NewDotNet.C -> Cleaned with backup
E:\WINNT\autoload.exe -> Not-A-Virus.Tool.Autoloader -> Cleaned with backup
E:\WINNT\lbbho.dll -> Spyware.Neon.a -> Cleaned with backup
E:\WINNT\NDNuninstall6_38.exe -> Spyware.NewDotNet -> Cleaned with backup
E:\WINNT\system32\chktrust.exe -> Spyware.Bargainbuddy -> Cleaned with backup
E:\WINNT\system32\NCP.EXE -> Trojan.BDMania -> Cleaned with backup
E:\WINNT\system32\NLNP13.dll -> Spyware.Igetnet -> Cleaned with backup
E:\WINNT\system32\rk.bin -> Spyware.MarketScore.k -> Cleaned with backup


::Report End

#10 g2i2r4 (Malware remover)

Posted 18 June 2005 - 12:57 PM

I want to be sure I'm leaving you behind with things you wouldn't want to have.

Open HijackThis
Go to ‘config’
Go to ‘misc tools’
Press the button ‘open uninstall manager’
Press the button 'save list'. It will open a Notepad file. Place the content of that file here in your answer please.



#11 IslandFireEx
Posted 18 June 2005 - 02:39 PM

Here is the information that you requested.

southparkmariobro2 cannot be deleted; it says

f:\spm2\irunin.dat
fatal error: bad configfilename


Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Reader 6.0.1
CAD Zone
CleanUp!
Corel PHOTO-PAINT 11
dBpowerAMP Music Converter
DivX 5.0.2 Pro Bundle
Documents To Go
DP Editor Ver.1.0
Elecard MPEG2 Decoder Package 2.0
ewido security suite
Exif Launcher Ver.1.1
Expert Guides Uninstall
FinePixViewer Ver.1.1
Google Toolbar for Internet Explorer
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
hp deskjet 940c series (Remove only)
hp LaserJet all-in-one
hp LaserJet-all-in-one
HP Software Update
Internet Client 2.4
iolo technologies' System Mechanic 5
Java 2 Runtime Environment Standard Edition v1.3.1_02
LaserAIO
LiveReg (Symantec Corporation)
Macromedia Shockwave Player
Media Station
Messenger Plus! 3
Microsoft Data Access Components KB870669
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office 2003 Resource Kit
Microsoft Office FrontPage 2003
Microsoft Office Professional Edition 2003
Microsoft Office Project Professional 2003
Microsoft Office Visio Professional 2003
Mozilla Firefox (1.0.4)
MSN Messenger 7.0
National Fire Codes - 2002 May Meeting Edition
Network Play System (Patching)
NVIDIA Display Driver
NVIDIA Drivers
On Board
OrderReminder hp LaserJet 3015/3020/3030/3380
Paint Shop Pro 7 ESD
Palm Desktop
PCI Audio Driver
PHandler
PokerStars.net
PowerSpecs 4.0
QuickBooks Basic Edition 2005
QuickTax 2003 for Small Business
QuickTax 2004
QuickTax Tracker
QuickTime
Readiris Pro 9
RealPlayer
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896428)
Shockwave
southparkmariobro2
Spybot - Search & Destroy 1.3
SpywareBlaster v3.4
SpywareGuard v2.2
Tiger Gaming
Trend Micro Internet Security
VIA Rhine-Family Fast Ethernet Adapter
Webshots!
WinAce Archiver 2.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Related
Windows XP Service Pack 2
WinZip



#12 g2i2r4
Posted 18 June 2005 - 03:59 PM

southparkmariobro2 cannot be deleted, says

f:\spm2\irunin.dat
fatal error: bad configfilename


Were you trying to remove that one?



#13 IslandFireEx
Posted 18 June 2005 - 06:24 PM

Yes, I don't know what it is.

#14 IslandFireEx
Posted 18 June 2005 - 06:25 PM

sorry

I don't know what it is

#15 g2i2r4
Posted 19 June 2005 - 05:23 AM

You were trying to uninstall 'southparkmariobro2'.

Open HijackThis
Go to ‘config’
Go to ‘misc tools’
Press the button ‘open uninstall manager’
In the list find:
southparkmariobro2
Press ‘delete this entry’.
Close HijackThis.

I recommend updating Spybot 1.3 to version 1.4

Other than that this list isn't showing anything wrong.

How is the computer running now?

