First Time Hijackthis User


2 replies to this topic

#1 John Sapp (Members, 23 posts)

Posted 28 June 2005 - 09:07 AM

Accountant, 26yo, Jacksonville, FL. Trying to fix my parents' computer. I've run S&D and AdAware many times, and I did just now before running HijackThis. Some annoying items that won't die are Xuron55 and AVGold; and I'm sure there's tons more. Thanks for looking my log over; you guys are great!

Logfile of HijackThis v1.99.1
Scan saved at 10:00:34 AM, on 6/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\inet20057\services.exe
C:\WINDOWS\System32\msole32.exe
C:\WINDOWS\System32\shnlog.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\popcorn128.exe
C:\WINDOWS\winsocks5.exe
C:\Program Files\AntivirusGold\AntivirusGold.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\hookdump.exe
C:\Program Files\AntivirusGold\AntivirusGold.exe
c:\windows\system32\qgojfef.exe
C:\WINDOWS\System32\intmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\svcproc.exe
C:\WINDOWS\svcproc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicksearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nzouz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicksearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F3 - REG:win.ini: run=C:\WINDOWS\inet20057\services.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp3BEF.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\popcorn128.exe rundll.dll,LoadMouseCarpetProfile
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20057\services.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\winsocks5.exe
O4 - HKLM\..\Run: [AntivirusGold] C:\Program Files\AntivirusGold\AntivirusGold.exe /h
O4 - HKLM\..\Run: [prberqe] c:\windows\system32\qgojfef.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20057\services.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {085C6F63-E383-4CE2-85B5-E413855962F7} - (no file) (HKCU)
O9 - Extra button: (no name) - {08A3638B-0FC2-4A95-8A55-877C1616D6B3} - (no file) (HKCU)
O9 - Extra button: (no name) - {0DB4AFE4-DEA2-4053-94AA-C4001CBA0BF7} - (no file) (HKCU)
O9 - Extra button: (no name) - {14E97ACC-9A34-44E6-928E-1DA267CD0098} - (no file) (HKCU)
O9 - Extra button: (no name) - {3FD54D79-8A1C-4FAB-A7FF-EFD510CBF132} - C:\WINDOWS\System32\credui511h392o.dll (file missing) (HKCU)
O9 - Extra button: (no name) - {4275DE7A-5C94-40D3-B784-E4ACDA2C48B9} - (no file) (HKCU)
O9 - Extra button: (no name) - {792BB8B7-585D-494F-BDEB-39A952A2E534} - (no file) (HKCU)
O9 - Extra button: (no name) - {7C3093A2-C87D-4A72-9330-E6A95EA59655} - (no file) (HKCU)
O9 - Extra button: (no name) - {94934126-C0E0-40EF-9B11-F2DBBDC069AD} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {9594E1A7-4CB5-4E25-A6C9-07C298E82DAC} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9594E1A7-4CB5-4E25-A6C9-07C298E82DAC} - (no file) (HKCU)
O9 - Extra button: (no name) - {A0C2A2D4-55FF-48FA-99C8-8454A67C0751} - C:\WINDOWS\System32\wmvcore2615n.dll (file missing) (HKCU)
O9 - Extra button: (no name) - {A71A0523-0176-4A04-901C-37194042E33E} - (no file) (HKCU)
O9 - Extra button: (no name) - {A8000DE5-D0A1-4419-8090-F121914AC286} - (no file) (HKCU)
O9 - Extra button: (no name) - {AEE9531D-8DC9-40C9-8780-9744C17405AA} - (no file) (HKCU)
O9 - Extra button: (no name) - {B10F2625-3B34-4C74-81B0-77A043DE6E63} - (no file) (HKCU)
O9 - Extra button: (no name) - {BC500C7B-1917-4798-A61F-0159EA53528A} - (no file) (HKCU)
O9 - Extra button: (no name) - {C4773F67-7300-4BE6-82D5-9E3265A2C084} - (no file) (HKCU)
O9 - Extra button: (no name) - {CD434103-07FF-4DE7-8D8D-9ACA9073DE49} - (no file) (HKCU)
O9 - Extra button: (no name) - {DB5A3AFB-D300-4691-B709-AB74BEB06A43} - C:\WINDOWS\System32\ir50_qc123i420h.dll (file missing) (HKCU)
O9 - Extra button: (no name) - {DD72AD34-0937-4FE3-BB19-4B722BAE6F69} - C:\WINDOWS\System32\upnp1068r.dll (file missing) (HKCU)
O9 - Extra button: (no name) - {E08B9920-F9E4-435B-BD44-37D17E072D2C} - C:\WINDOWS\System32\INLOADER233s.dll (file missing) (HKCU)
O9 - Extra button: (no name) - {E8E17B76-F0BC-4D7F-88F1-CF7AD759C07F} - (no file) (HKCU)
O9 - Extra button: (no name) - {F14852E7-8AA1-487E-9573-AD694DBCF84A} - (no file) (HKCU)
O12 - Plugin for .ipp: C:\Program Files\Internet Explorer\Plugins\npimth32.dll
O12 - Plugin for .ipt: C:\Program Files\Internet Explorer\Plugins\npimth32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...nt/3dstock.html
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab34120.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} -
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {3B02AAA2-327C-40ED-A849-4BE819AE5385} (ImgSizer Control) - file://C:\Documents and Settings\Owner\Local Settings\Temp\~DlfnTmp0\imgSizer.ocx
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/297b9b1fbf63e9fdc704/...ip/RdxIE601.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab8/dmcc2.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab35645.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FB2961FD-DD24-4F8A-8A92-6F9325FF6F11} - http://www.supaseek.com/toolbar/toolbar.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_B...on.cab36385.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#2 g2i2r4 (Malware remover; Members, 900 posts)

Posted 28 June 2005 - 04:20 PM

Welcome John Sapp to Bleeping Computer.

That's a fine collection you have there :thumbsup: .

Let's see if we can take it on in one blow.

First, let's download some helpers.
Please download and install these programs - don't run them yet!!

Download CWShredder.

Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
***

Download 'SpSeHjfix' to the desktop.
Right-click a blank part of the desktop and select New Folder; call it ‘spfix’.
Unzip the file into that folder.

***

Please download and unzip
About:Buster to a folder. Inside the folder is a readme file that has instructions on the use of the program.
AboutBuster MUST be updated before you use it.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
***

Download and unzip cwsserviceremove to your desktop. Use either link below:
http://computercops.biz/modules.php?name=F...ownload&id=3002
http://www.mytechsupport.ca/helpwithpcs/up...rviceremove.zip

***

Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program.

***

Download and install CleanUp! Here
If that doesn’t work, use this link.
Here is a tutorial which describes its usage:
http://www.bleepingcomputer.com/tutorials/how-to-use-cleanup/

***

Download the Killbox.
Unzip it to the desktop but do NOT run it yet.

***

Please download Nailfix from here:
http://www.noidea.us/easyfile/file.php?dow...050515010747824
Unzip it to the desktop but please do NOT run it yet.

***

Right-Click HERE and Save As to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

***

Please download ewido security suite it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed, close Ewido for now.

***

Download smitRem.zip and save the file to your desktop.
Right-click on the file and extract it to its own folder on the desktop.
Don't run it yet.

***

If you have not already installed Ad-Aware SE 1.06, please download and install AdAware SE 1.06.
Check Here on how to set up and use it - please make sure you update it first.
Don't scan yet.

Now that we have our helpers, I'll prepare advice.

I'll be back.

Edited by g2i2r4, 28 June 2005 - 04:21 PM.




#3 g2i2r4 (Malware remover; Members, 900 posts)

Posted 28 June 2005 - 04:51 PM

Please read these instructions carefully. You may want to print them.
We will do most work in safe mode.
Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!



Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:
Power Manager
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

***

Open HijackThis to the Misc Tools section and click the Delete an NT Service button.
Paste in:
PowerManager
and click OK.
Close HijackThis.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml

***

Disconnect from the net and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix' and click on "Start Disinfection".
When it's finished it will reboot your computer to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers, it will say system clean and not go on to next stage.

***

Now run the CWShredder - Hit The FIX button!

***

Run AboutBuster. This will scan your computer for the bad files and delete them.
Please run About:Buster:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end.

Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

***

Please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

***

Run Killbox.

Select "Delete on Reboot".

Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\System32\hp3BEF.tmp
C:\WINDOWS\System32\popcorn128.exe
C:\WINDOWS\winsocks5.exe
c:\windows\system32\qgojfef.exe
C:\WINDOWS\inet20057\services.exe
C:\WINDOWS\System32\ir50_qc123i420h.dll
C:\WINDOWS\System32\upnp1068r.dll
C:\WINDOWS\System32\INLOADER233s.dll

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If the copy and paste option isn't working right, paste the files in one by one. Do not reboot until the last file is in.

Reboot back to safe mode.

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake. Some entries may already be gone, due to the previously taken steps.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicksearches.com/bar.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicksearches.com/search.php?qq=%1

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nzouz.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicksearches.com/search.php?qq=%1

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicksearches.com/search.php?qq=%1

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicksearches.com/search.php?qq=%1

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

F3 - REG:win.ini: run=C:\WINDOWS\inet20057\services.exe

O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp3BEF.tmp

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\popcorn128.exe rundll.dll,LoadMouseCarpetProfile

O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20057\services.exe

O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe

O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\winsocks5.exe

O4 - HKLM\..\Run: [AntivirusGold] C:\Program Files\AntivirusGold\AntivirusGold.exe /h

O4 - HKLM\..\Run: [prberqe] c:\windows\system32\qgojfef.exe

O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll,DllInstall

O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe

O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20057\services.exe

O9 - Extra button: (no name) - {085C6F63-E383-4CE2-85B5-E413855962F7} - (no file) (HKCU)

O9 - Extra button: (no name) - {08A3638B-0FC2-4A95-8A55-877C1616D6B3} - (no file) (HKCU)

O9 - Extra button: (no name) - {0DB4AFE4-DEA2-4053-94AA-C4001CBA0BF7} - (no file) (HKCU)

O9 - Extra button: (no name) - {14E97ACC-9A34-44E6-928E-1DA267CD0098} - (no file) (HKCU)

O9 - Extra button: (no name) - {3FD54D79-8A1C-4FAB-A7FF-EFD510CBF132} - C:\WINDOWS\System32\credui511h392o.dll (file missing) (HKCU)

O9 - Extra button: (no name) - {4275DE7A-5C94-40D3-B784-E4ACDA2C48B9} - (no file) (HKCU)

O9 - Extra button: (no name) - {792BB8B7-585D-494F-BDEB-39A952A2E534} - (no file) (HKCU)

O9 - Extra button: (no name) - {7C3093A2-C87D-4A72-9330-E6A95EA59655} - (no file) (HKCU)

O9 - Extra button: (no name) - {94934126-C0E0-40EF-9B11-F2DBBDC069AD} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {9594E1A7-4CB5-4E25-A6C9-07C298E82DAC} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9594E1A7-4CB5-4E25-A6C9-07C298E82DAC} - (no file) (HKCU)

O9 - Extra button: (no name) - {A0C2A2D4-55FF-48FA-99C8-8454A67C0751} - C:\WINDOWS\System32\wmvcore2615n.dll (file missing) (HKCU)

O9 - Extra button: (no name) - {A71A0523-0176-4A04-901C-37194042E33E} - (no file) (HKCU)

O9 - Extra button: (no name) - {A8000DE5-D0A1-4419-8090-F121914AC286} - (no file) (HKCU)

O9 - Extra button: (no name) - {AEE9531D-8DC9-40C9-8780-9744C17405AA} - (no file) (HKCU)

O9 - Extra button: (no name) - {B10F2625-3B34-4C74-81B0-77A043DE6E63} - (no file) (HKCU)

O9 - Extra button: (no name) - {BC500C7B-1917-4798-A61F-0159EA53528A} - (no file) (HKCU)

O9 - Extra button: (no name) - {C4773F67-7300-4BE6-82D5-9E3265A2C084} - (no file) (HKCU)

O9 - Extra button: (no name) - {CD434103-07FF-4DE7-8D8D-9ACA9073DE49} - (no file) (HKCU)

O9 - Extra button: (no name) - {DB5A3AFB-D300-4691-B709-AB74BEB06A43} - C:\WINDOWS\System32\ir50_qc123i420h.dll (file missing) (HKCU)

O9 - Extra button: (no name) - {DD72AD34-0937-4FE3-BB19-4B722BAE6F69} - C:\WINDOWS\System32\upnp1068r.dll (file missing) (HKCU)

O9 - Extra button: (no name) - {E08B9920-F9E4-435B-BD44-37D17E072D2C} - C:\WINDOWS\System32\INLOADER233s.dll (file missing) (HKCU)

O9 - Extra button: (no name) - {E8E17B76-F0BC-4D7F-88F1-CF7AD759C07F} - (no file) (HKCU)

O9 - Extra button: (no name) - {F14852E7-8AA1-487E-9573-AD694DBCF84A} - (no file) (HKCU)

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...nt/3dstock.html

O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} -

O16 - DPF: {3B02AAA2-327C-40ED-A849-4BE819AE5385} (ImgSizer Control) - file://C:\Documents and Settings\Owner\Local Settings\Temp\~DlfnTmp0\imgSizer.ocx

O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/297b9b1fbf63e9fdc704/...ip/RdxIE601.cab

O16 - DPF: {FB2961FD-DD24-4F8A-8A92-6F9325FF6F11} - http://www.supaseek.com/toolbar/toolbar.cab

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

***

Open Ad-aware and do a full scan. Remove all it finds.

***

Now open Ewido Security Suite
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save Report
  • Save the report to your desktop
Close Ewido

***

Next, go to Control Panel, click Display > Desktop > Customize Desktop > Web, and uncheck "Security Info" if present.

***

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Scan local drives for temporary files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.
When it’s done, press Close.
Reboot your computer into normal windows.

***

Run this online virus scan: ActiveScan - Save the results from the scan!

***

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.


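The fix list in the post above is a section-by-section triage of the HijackThis log: R0/R1 search keys pointed at a hijacker host or at a local DLL via res://, the F2 Shell= and F3 run= autostarts, O4 Run entries launched from the Windows tree, Temp or the drive root, orphaned O9 buttons, O16 controls pulled from odd sources, and the O23 service whose binary is missing. The script below is an added example, not HijackThis code and not the helper's own tooling; it applies those same checks to a constructed sample of HijackThis 1.99.1-style lines (most copied from the log above; the bare-IP O16 download URL is invented because the original is truncated). The TRUSTED_HOSTS allowlist and ROGUE_NAMES list are assumptions a reviewer would maintain, and the result is a review list, not an automatic fix.

```python
"""Triage a HijackThis-style log for the hijack and persistence patterns in this thread.
Added example, not HijackThis code: allowlist, rogue names and sample lines are constructed;
the output is a review list for a human, not an automatic fix."""
import re
from urllib.parse import urlparse

# Assumption: small reviewer-maintained allowlist of hosts allowed to serve ActiveX controls or search pages.
TRUSTED_HOSTS = {"fdl.msn.com", "zone.msn.com", "chat.yahoo.com"}
ROGUE_NAMES = ("antivirusgold", "spysheriff")  # assumption: rogue antispyware names the reviewer knows
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
ORPHAN_RE = re.compile(r"\((no file|file missing)\)")
IP_HOST_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed sample in HijackThis 1.99.1 format; the bare-IP O16 download URL is invented.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicksearches.com/search.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nzouz.dll/sp.html#37049
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F3 - REG:win.ini: run=C:\WINDOWS\inet20057\services.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\winsocks5.exe
O4 - HKLM\..\Run: [AntivirusGold] C:\Program Files\AntivirusGold\AntivirusGold.exe /h
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O9 - Extra button: (no name) - {085C6F63-E383-4CE2-85B5-E413855962F7} - (no file) (HKCU)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://198.51.100.7/dl/RdxIE601.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


def _target_path(cmd: str) -> str:
    """Pull the launched file out of an O4 command line (quoted path, or up to the first extension)."""
    cmd = cmd.strip()
    if cmd.lower().startswith("rundll32 "):  # rundll32 <dll>,<entry>: the DLL is the payload
        cmd = cmd.split(" ", 1)[1]
    m = re.match(r'"([^"]+)"', cmd) or re.match(r"(.+?\.(?:exe|dll|cmd|bat))\b", cmd, re.I)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def _untrusted_location(path: str) -> bool:
    """Autostarts launched from the Windows tree, a Temp directory or the drive root need a publisher check."""
    p = path.lower()
    return p.startswith("c:\\windows\\") or re.match(r"^c:\\[^\\]+$", p) is not None or "\\temp\\" in p


def triage_line(line: str):
    """Return a reason string if the line matches a hijack/persistence pattern, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R0", "R1") and " = " in body:  # IE start/search pages
        value = body.split(" = ", 1)[1].strip().lower()
        if value.startswith("res://"):
            return "IE search/start page served from a local DLL (about:blank hijack pattern)"
        host = (urlparse(value).hostname or "") if value.startswith(("http://", "https://")) else ""
        if host and host not in TRUSTED_HOSTS:
            return f"IE search/start page redirected to untrusted host {host}"
    elif sec == "F2" and body.lower().startswith("reg:system.ini: shell="):  # Winlogon Shell
        shell = body.split("=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return f"Winlogon Shell launches an extra binary beside Explorer: {shell}"
    elif sec == "F3" and body.lower().startswith("reg:win.ini: run="):  # legacy win.ini autostart
        if run := body.split("=", 1)[1].strip():
            return f"win.ini run= autostart: {run}"
    elif sec == "O4" and "] " in body:  # Run keys
        path = _target_path(body.split("] ", 1)[1])
        if any(name in path.lower() for name in ROGUE_NAMES):
            return f"known rogue antispyware autostart: {path}"
        if _untrusted_location(path):
            return f"autostart from Windows/Temp/root, verify publisher: {path}"
    elif sec in ("O2", "O3", "O9") and ORPHAN_RE.search(body):  # BHO/toolbar/button leftovers
        return "orphaned COM registration (file gone), safe to remove"
    elif sec == "O16" and " - " in body:  # downloaded ActiveX controls
        url = body.rsplit(" - ", 1)[1].strip()
        if url.lower().startswith("file://"):
            return "ActiveX control installed from a local file (dropped in Temp)"
        host = urlparse(url).hostname or ""
        if IP_HOST_RE.match(host):
            return f"ActiveX control downloaded from bare IP {host}"
        if host and host not in TRUSTED_HOSTS:
            return f"ActiveX control from unrecognised host {host}"
    elif sec == "O23" and ORPHAN_RE.search(body):  # services
        return "service points at a missing binary (leftover or reinstaller stub)"
    return None


def triage(log_text: str):
    """Return [(section, reason, line)] for every flagged line, in log order."""
    hits = []
    for line in log_text.splitlines():
        reason = triage_line(line)
        if reason:
            hits.append((line.split(" - ", 1)[0], reason, line.strip()))
    return hits


if __name__ == "__main__":
    print(*(f"[{sec}] {reason}" for sec, reason, _ in triage(SAMPLE_LOG)), sep="\n")
```

Run against the sample, every line the helper would tell the poster to fix comes back with a reason, while the QuickTime Run entry, the MSN control and the NVIDIA service pass untouched. Treat the "verify publisher" O4 hits as review items rather than deletions: legitimate autostarts do live under System32, which is why a human-checked fix list like the one above stays authoritative and the script only narrows what to look at.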