
Bit of a novice here!


This topic is locked. 28 replies to this topic.

#1 CrispyDave

Posted 29 September 2004 - 12:55 PM

Please Please help me!

I seem to have this awful problem of when I start up my PC and my broadband is doing its thing, I get sent onto these weird sites called Perky Nipz and another called just any domain (absolutely free pictures of Bollywood apparently)! I'm sure it's screwing my comp because sometimes it just freezes on the net. And I can't use my Ctrl+Alt+Delete!!

I'm kinda worried that you will look at this log thing I got off the Hijack This and say "Goddam this is the worst one yet"!!!

Please bear in mind when you reply that although I use computers a lot through work and at home, when it comes to Trojans and viruses, I'm lost....


Logfile of HijackThis v1.97.7
Scan saved at 18:47:39, on 29/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\WinServices.exe
C:\WINDOWS\System32\wserv32.exe
C:\PROGRA~1\Alcatel\SPEEDT~1\Dragdiag.exe
C:\WINDOWS\System32\wuam.exe
C:\PROGRA~1\iTunes\ITUNES~1.EXE
C:\PROGRA~1\WINDUP~1\WinUpdt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\NTFIRE~1.EXE
C:\CONNEC~1.EXE
C:\PROGRA~1\QUICKT~1\qttask.exe
C:\PROGRA~1\Picasa\PICASA~1.EXE
C:\PROGRA~1\COMMON~1\Real\UPDATE~1\REALSC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\WScript.exe
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\DOCUME~1\DAVIDC~1\APPLIC~1\ssap.exe
C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
C:\PROGRA~1\Sony\OPENMG~1\Omgtray.exe
C:\PROGRA~1\DVSERI~1\Console\Watch.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\ZONEAL~1.EXE
C:\PROGRA~1\WINDUP~1\WinKA.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
C:\PROGRA~1\WEB_RE~1\WebRebates1.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WEB_RE~1\WebRebates0.exe
C:\WINDOWS\System32\tcpsvs32.exe
C:\DOCUME~1\DAVIDC~1\LOCALS~1\TEMPOR~1\Content.IE5\PZ7RTPWE\HIJACK~1.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\PROGRA~1\OUTLOO~1\msimn.exe
C:\WINDOWS\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = java script:window.close()
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.the-huns-yellow-pages.com/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my-searcher.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.wethere.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://findloss.com/srchasst.html
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {27096EAC-E200-4085-BBF3-ED1E3992489D} - C:\WINDOWS\System32\mfplay.dll
O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\EliteBar version 51.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINDOWS\EliteBar\EliteBar version 51.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WinServices] C:\WINDOWS\System32\WinServices.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [P2P Networking3] C:\WINDOWS\System32\P2P Networking\P2P Networking3.exe /AUTOSTART
O4 - HKLM\..\Run: [P2P Networking4] C:\WINDOWS\System32\P2P Networking\P2P Networking4.exe /AUTOSTART
O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [stevej.exe] C:\NTFIRE~1.EXE
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [WindUpdates] C:\PROGRA~1\WINDUP~1\WinUpdt.exe
O4 - HKLM\..\Run: [CONNEC~1.EXE] C:\CONNEC~1.EXE
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winduy32.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRA~1\WEB_RE~1\WebRebates0.exe"
O4 - HKLM\..\RunServices: [Microsoft Update Time] wuam.exe
O4 - HKLM\..\RunServices: [WinServices] C:\WINDOWS\System32\WinServices.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe
O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKCU\..\Run: [Microsoft Update] wserv32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Apmp] C:\Documents and Settings\David Crisp\Application Data\ssap.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Omg1to2.exe.lnk = ?
O4 - Global Startup: OpenMG Jukebox Startup.lnk = C:\Program Files\Sony\OpenMG Jukebox\Omgtray.exe
O4 - Global Startup: Search.vbs
O4 - Global Startup: Watch.lnk = C:\Program Files\DV Series\Console\Watch.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\PROGRA~1\WEB_RE~1\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: SideStep (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6_s.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...11a0351cafa03db
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.5.cab
O16 - DPF: {200B9822-FDDD-4635-A8A4-066AC69ECF8A} ({200B9822-FDDD-4635-A8A4-066AC69ECF8A}) - http://gateway.ptssa.net/ws/ws.cab
O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} (CAX Object) - http://securegameloader.com/cont/sc.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {469843DD-EBB3-4661-B0A6-E6FE590240C9} - http://olympustele.com/connect/dialer.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...ol_v1-0-3-9.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (WebProgramManager Class) - http://instantsupport.europe.hp.com/awebui...SWebManager.CAB
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb028.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e52972...all/xscan53.cab
O16 - DPF: {7589EEE6-E336-11D4-8A7E-EE1D971D9B47} (AcontiX Control) - http://secure.aconti.net/acontix/goodthinxx.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E65B894-C2E9-11D5-BCD3-00E018987519} - http://195.57.118.137/19/cabs/LIVE_CAMgb.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://194.158.29.50/activex/AxisCamControl.ocx
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8133.5917476852
O16 - DPF: {A0F0D762-D1DE-43AF-B70E-D87864743EB3} (NSLiteUpdateCtrl Class) - http://217.145.76.16/nslite/nslite.cab
O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} - http://econnect.libereco.net/econnect.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://217.73.66.1/minidialler/mddl/GB/910000_213206_.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btopenworld.com/templates/btwebcontrol.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...363/mcfscan.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_0_2_7.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin_GB.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify305.cab
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - http://direct.data-line.us/gbn391.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CD} - http://direct.data-line.us/gbn283.exe
O16 - DPF: {FFFF0003-4547-101A-A3C9-08002B2F49FB} - http://www.dikai.com/em-meuk.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC246F9E-F822-4A89-9130-3C5D2810DEA9}: NameServer = 194.74.65.85 194.72.9.55


#2 Daisuke (Cleaner on Duty)

Posted 29 September 2004 - 01:09 PM

Hi CrispyDave

Step 1: Download PrcView here: http://www.bleepingcomputer.com/files/pv.php and unzip it to the desktop, as it will not work from within the zip file.
Step 2: Open up one Internet Explorer window.
Step 3: Go to the desktop and open the pv folder. Now double-click on runme.bat.
Step 4: A DOS window will open. Select option 1 for Explorer DLLs by typing 1 and then pressing Enter.
Step 5: A Notepad window will open with a log in it. Please copy and paste the log into a reply to this post.

You are running an outdated version of HijackThis.
Please download the latest version of HijackThis!: Download here 1.98.2
Save it in a permanent folder such as c:\hjt .
Everyday is virus day. Do you know where your recovery CDs are?
Did you create them yet?

#3 CrispyDave (Topic Starter)

Posted 29 September 2004 - 01:18 PM

Hi Cyro,

Thanks for your prompt reply.

After clicking on the runme file, the DOS window comes up, I select option one, hit Enter, the Notepad opens, but no log appears?

Any thoughts?

Dave

#4 Daisuke (Cleaner on Duty)

Posted 29 September 2004 - 02:02 PM

I'm not surprised. I'll be back with the instructions to remove all the viruses, worms, elephants and crocodiles.

#5 Daisuke (Cleaner on Duty)

Posted 29 September 2004 - 02:57 PM

Print these instructions because you will not be able to access the Internet in Safe Mode.

1. Please uninstall P2P Networking from Add/Remove Programs.

2. Download Ad-aware SE 1.05: here
Install it. When you get to the last screen, with the "Finish" button and 3 options, uncheck those three items.
Open AdAware and click the "Check for updates now" link. Close AdAware. Don't use it yet.

3. Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known file types and Hide protected operating system files.
How to see hidden files in Windows

4. REBOOT into SafeMode: Starting your computer in Safe mode, use the F8 method

5. Run HijackThis!, press "Scan" and tick the boxes next to all these, close all other windows and browsers, then press "Fix Checked" button.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = java script:window.close()
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.the-huns-yellow-pages.com/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my-searcher.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.wethere.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://findloss.com/srchasst.html
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch

O2 - BHO: (no name) - {27096EAC-E200-4085-BBF3-ED1E3992489D} - C:\WINDOWS\System32\mfplay.dll
O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\EliteBar version 51.dll

O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINDOWS\EliteBar\EliteBar version 51.dll

O4 - HKLM\..\Run: [WinServices] C:\WINDOWS\System32\WinServices.exe
O4 - HKLM\..\Run: [P2P Networking3] C:\WINDOWS\System32\P2P Networking\P2P Networking3.exe /AUTOSTART
O4 - HKLM\..\Run: [P2P Networking4] C:\WINDOWS\System32\P2P Networking\P2P Networking4.exe /AUTOSTART
O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKLM\..\Run: [Microsoft Update] wserv32.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [stevej.exe] C:\NTFIRE~1.EXE
O4 - HKLM\..\Run: [WindUpdates] C:\PROGRA~1\WINDUP~1\WinUpdt.exe
O4 - HKLM\..\Run: [CONNEC~1.EXE] C:\CONNEC~1.EXE
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winduy32.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRA~1\WEB_RE~1\WebRebates0.exe"
O4 - HKLM\..\RunServices: [Microsoft Update Time] wuam.exe
O4 - HKLM\..\RunServices: [WinServices] C:\WINDOWS\System32\WinServices.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wserv32.exe
O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKCU\..\Run: [Microsoft Update] wserv32.exe
O4 - HKCU\..\Run: [Apmp] C:\Documents and Settings\David Crisp\Application Data\ssap.exe
O4 - Global Startup: Search.vbs

O8 - Extra context menu item: Web Rebates - file://C:\PROGRA~1\WEB_RE~1\Sy1150\Tp1150\scri1150a.htm

O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6_s.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...11a0351cafa03db
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.5.cab
O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} (CAX Object) - http://securegameloader.com/cont/sc.cab
O16 - DPF: {7589EEE6-E336-11D4-8A7E-EE1D971D9B47} (AcontiX Control) - http://secure.aconti.net/acontix/goodthinxx.cab
O16 - DPF: {8E65B894-C2E9-11D5-BCD3-00E018987519} - http://195.57.118.137/19/cabs/LIVE_CAMgb.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {A0F0D762-D1DE-43AF-B70E-D87864743EB3} (NSLiteUpdateCtrl Class) - http://217.145.76.16/nslite/nslite.cab
O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} - http://econnect.libereco.net/econnect.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://217.73.66.1/minidialler/mddl/GB/910000_213206_.exe
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin_GB.cab
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CC} - http://direct.data-line.us/gbn391.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CD} - http://direct.data-line.us/gbn283.exe


6. Search for these files and delete them if found:
C:\WINDOWS\System32\mfplay.dll <-- this file
C:\WINDOWS\System32\WinServices.exe <-- this file
C:\WINDOWS\svchost.exe <-- this file
C:\WINDOWS\System32\wuam.exe <-- this file
C:\WINDOWS\System32\wserv32.exe <-- this file
C:\WINDOWS\System32\bridge.dll <-- this file
C:\WINDOWS\alchem.exe <-- this file
C:\NTFIRE~1.EXE <-- this file
C:\CONNEC~1.EXE <-- this file
C:\windows\system32\winduy32.exe <-- this file
C:\Documents and Settings\David Crisp\Application Data\ssap.exe <-- this file
Search.vbs <-- this file

Delete these folders:
EliteBar in C:\WINDOWS\
P2P Networking in C:\WINDOWS\System32\
WINDUP~1 in C:\Program files
WEB_RE~1 in C:\Program files

7. Run AdAware, press the "Start" button, uncheck "Scan for negligible risk entries", select "Perform full system scan" and press "Next". Let AdAware remove anything it finds.

8. Clean out temporary and Temporary Internet Files. Go to Start -> Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:
Temporary Files
Temporary Internet Files
Recycle Bin


9. REBOOT normally.

10. Perform a full scan here: Trend Micro, tick AutoClean and let it remove anything it finds.

Perform another full scan here: Panda Scan

11. Run HijackThis! again and post a new log.
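A note added here by the editor, not part of the thread: the log in post #1 and the fix list in post #5 follow patterns that can be checked mechanically, and the Python below (my own example, not code from HijackThis or BleepingComputer) does that for the categories the helper singled out: IE search values served from a DLL via res://, hosts-file redirects of search hosts, nameless BHOs and toolbars, Run keys that impersonate svchost or Windows Update, executables launched from the drive root, scripts in startup locations, ActiveX controls fetched from bare IP addresses, .exe files or local file:// paths, and statically set DNS servers. Assumptions: the allowlist of search hosts, the "legitimate svchost" path, the redirect targets and the rule thresholds are mine, and the sample log is a subset of the entries posted above, embedded as a constructed input. A hit means "review this", not "delete this"; HijackThis itself records entries without judging them.

```python
"""HijackThis log triage (added example; heuristics are mine, not HijackThis's)."""
import ipaddress
import re
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<body>.*)$")
# Assumption: hosts an IE start/search page may legitimately point at.
ALLOWED_SEARCH_HOSTS = ("microsoft.com", "msn.com", "google.com", "google.co.uk")
# Search hosts the O1 entries in this thread redirect through the hosts file.
HOSTS_REDIRECT_TARGETS = {"search.netscape.com", "auto.search.msn.com", "ieautosearch"}
LEGIT_SVCHOST = r"c:\windows\system32\svchost.exe"  # only valid location on XP


def parse_entry(line):
    # Return (section, body) for a HijackThis entry line, else None.
    m = ENTRY_RE.match(line.strip())
    return (m.group("sec"), m.group("body")) if m else None


def _host_is_bare_ip(url):
    try:
        ipaddress.ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False


def classify(section, body):
    """Return the reasons an entry looks hostile; an empty list means no hit."""
    reasons, low = [], body.lower()
    if section in ("R0", "R1", "R3"):
        if "res://" in low and ".dll/" in low:
            reasons.append("search setting served from a DLL resource")
        if "(obfuscated)" in low:
            reasons.append("value marked obfuscated by HijackThis")
        if "java script:" in low or "javascript:" in low:
            reasons.append("script in a search setting")
        val = body.split(" = ", 1)[1].strip() if " = " in body else ""
        if val.lower().startswith("http"):
            host = (urlparse(val).hostname or "").lower()
            if not any(host == d or host.endswith("." + d) for d in ALLOWED_SEARCH_HOSTS):
                reasons.append("search/start page points at " + host)
    elif section == "O1":
        m = re.match(r"hosts:\s*(\S+)\s+(\S+)", low)
        if m and m.group(2) in HOSTS_REDIRECT_TARGETS and m.group(1) != "127.0.0.1":
            reasons.append("hosts file sends %s to %s" % (m.group(2), m.group(1)))
    elif section in ("O2", "O3") and "(no name)" in low:
        reasons.append("browser extension registered without a name")
    elif section == "O4":
        m = re.search(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)", body)
        name = m.group("name").lower() if m else ""
        cmd = (m.group("cmd") if m else body.split(":", 1)[-1]).strip().lower()
        if "svchost" in cmd and LEGIT_SVCHOST not in cmd:
            reasons.append("svchost.exe outside System32")
        if "microsoft update" in name and "wuauclt" not in cmd:
            reasons.append("'Microsoft Update' label on a non-Windows-Update binary")
        if re.match(r"^[a-z]:\\[^\\]+\.exe$", cmd):
            reasons.append("executable launched from the drive root")
        if cmd.endswith((".vbs", ".js", ".wsf")):
            reasons.append("script in a startup location")
    elif section == "O16":
        url = body.rsplit(" - ", 1)[-1].strip().lower()
        if url.startswith("file://"):
            reasons.append("ActiveX control sourced from a local file:// path")
        elif _host_is_bare_ip(url):
            reasons.append("ActiveX control downloaded from a bare IP address")
        if url.endswith(".exe"):
            reasons.append("Downloaded Program Files entry points at an .exe")
    elif section == "O17":
        reasons.append("static DNS servers: confirm they belong to the ISP")
    return reasons


def findings(log_text):
    # All flagged entries as (section, body, reasons), in log order.
    entries = filter(None, map(parse_entry, log_text.splitlines()))
    return [(s, b, r) for s, b in entries if (r := classify(s, b))]


# Constructed sample: a subset of the log posted in this thread (raw string so
# the backslashes in registry keys and paths survive unchanged).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mfplay.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = java script:window.close()
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O2 - BHO: (no name) - {27096EAC-E200-4085-BBF3-ED1E3992489D} - C:\WINDOWS\System32\mfplay.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SVCHOST] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKLM\..\Run: [stevej.exe] C:\NTFIRE~1.EXE
O4 - Global Startup: Search.vbs
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://217.73.66.1/minidialler/mddl/GB/910000_213206_.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC246F9E-F822-4A89-9130-3C5D2810DEA9}: NameServer = 194.74.65.85 194.72.9.55
"""

if __name__ == "__main__":
    for sec, body, why in findings(SAMPLE_LOG):
        print(sec, "-", body, "\n    ->", "; ".join(why))
```

Two caveats the thread itself bears out: fixing an R1 entry only resets the registry value, so the DLL it points at (mfplay.dll here) must also be deleted, which is why step 6 exists; and the O17 hit only says the DNS servers were set by hand, so compare the addresses with the servers the ISP publishes before touching them.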

#6 Daisuke (Cleaner on Duty)

Posted 29 September 2004 - 03:04 PM

CrispyDave, after this the CoolWebSearch infection will blow up again. Don't worry.

#7 CrispyDave (Topic Starter)

Posted 05 October 2004 - 10:21 AM

Hello Cyro,

I've done all you've asked, and I can happily report that I am no longer bothered by those nasty redirecters anymore. BUT!!!!

First I was left with a crazy weird screen resolution type thing, which I seem to have fixed by putting the graphics card CD in the computer, phew.

But I am also unable to access hardly any programs via desktop shortcuts or when I search for them. Examples include my Outlook (nightmare, no email) and Photoshop Album (nightmare, no pics).

This is the error message when trying to access Outlook, for example:

Windows cannot find 'C:\Program Files\Outlook Express\msimn.exe'

I can't even access Ad-Aware SE, and I used it just before??

I can't do the old right-click Properties thingy anymore either?

Another thing: I found an old digital pic to see if I could get Photoshop up and running, and the screen went all funny when I tried to get back into Photoshop Album, saying something about the screen resolution must be 800 x 600, so I click OK on the error message and then the screen goes back to normal?

I realise this is a bit garbled and dis-jointed, so feel free to ask me any question you like.

I was going to do a "System Restore", but it won't let me do that either!!!

Cheers

CrispyDave

#8 Daisuke (Cleaner on Duty)

Posted 05 October 2004 - 12:21 PM

Hi CrispyDave

Can you post a fresh HJT log please.

I'm not sure what damaged your computer, the viruses or the antivirus, or both, or something else.

Can you open System Restore ? Is there any restore point in System Restore ? Is System Restore unable to restore your system ?
Are you trying to restore the system from an administrator account ?

Follow these instructions to restore your system from the command prompt:
How to start the System Restore tool at a command prompt in Windows XP

I can maybe understand what happened with Outlook and the email messages but not why the pictures are gone.

#9 CrispyDave (Topic Starter)

Posted 05 October 2004 - 01:04 PM

The Hijack thing doesn't work either when I double click on it!

I've got the pics in my "My Pictures", but can't access the program "Photoshop Album"??

I can't open System Restore, i get:

'C:\WINDOWS\system32\Restore\rstrui.exe'

I know I'm set up as Administrator if that helps?

I don't really understand what you mean with the Command Prompt and System restore??

Please advise?

#10 Daisuke (Cleaner on Duty)

Posted 05 October 2004 - 01:13 PM

Please rename hijackthis.EXE to hijackthis.COM

Tell me if you can open HijackThis.

Edited by cryo, 05 October 2004 - 01:13 PM.


#11 CrispyDave (Topic Starter)

Posted 05 October 2004 - 01:21 PM

Good skills on changing it to .com!!

Here we go:

Logfile of HijackThis v1.98.2
Scan saved at 19:20:02, on 05/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\MsiExec.exe
C:\WINDOWS\System32\MsiExec.exe
C:\Documents and Settings\David Crisp\Desktop\HijackThis.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
R3 - Default URLSearchHook is missing
O3 - Toolbar: Games toolbar - {02ffc86e-283e-4faa-95d6-addca024f30a} - C:\Program Files\Games\tbGame.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Games toolbar] rundll32.exe "C:\PROGRA~1\Games\tbGame.dll" DllShowTB
O4 - HKLM\..\Run: [Sys29] C:\WINDOWS\system32\winduy32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Apmp] C:\Documents and Settings\David Crisp\Application Data\gi?s?x.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Omg1to2.exe.lnk = ?
O4 - Global Startup: OpenMG Jukebox Startup.lnk = C:\Program Files\Sony\OpenMG Jukebox\Omgtray.exe
O4 - Global Startup: Watch.lnk = C:\Program Files\DV Series\Console\Watch.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {469843DD-EBB3-4661-B0A6-E6FE590240C9} - http://olympustele.com/connect/dialer.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...ol_v1-0-3-9.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (WebProgramManager Class) - http://instantsupport.europe.hp.com/awebui...SWebManager.CAB
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb028.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1096809073390
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btopenworld.com/templates/btwebcontrol.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...363/mcfscan.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/...ebio5_0_2_7.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC246F9E-F822-4A89-9130-3C5D2810DEA9}: NameServer = 194.74.65.85 194.72.9.55
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

#12 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:09:54 PM

Posted 05 October 2004 - 02:19 PM

A. Click Start, Run and type Command

A DOS window will open.

Type the following and then press Enter after typing each one:

cd\

Press the Enter key

cd \windows (note there is a space between cd and \windows)

Press the Enter key

Type copy regedit.exe regedit.com

and then press Enter key

Type start regedit.com

Navigate to and select the following key:
HKEY_CLASSES_ROOT\exefile\shell\open\command

Double-click the (Default) value in the right pane.
Delete the current value data, and then type: "%1" %* [with quotes]
(i.e., quote-percent-one-quote-space-percent-asterisk.)

B. Run this registry script, which forces Windows to show so-called "superhidden" files:

Copy the contents of the Quote box to Notepad, and save in a location of your choice as Unhide.reg (make sure to save as type: "All Files")

Doubleclick Unhide.reg, and answer 'yes' when prompted to add its contents to the Registry, then restart your computer.

This is only for XP or 2000 systems

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"SearchSystemDirs"=dword:00000001
"SearchHidden"=dword:00000001
"IncludeSubFolders"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000001


C.
1. Run HijackThis!, press "Scan" and tick the boxes next to all these, close all other windows and browsers, then press the "Fix Checked" button.

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [Sys29] C:\WINDOWS\system32\winduy32.exe
O4 - HKCU\..\Run: [Apmp] C:\Documents and Settings\David Crisp\Application Data\gi?s?x.exe

O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll

O16 - DPF: {469843DD-EBB3-4661-B0A6-E6FE590240C9} - http://olympustele.com/connect/dialer.cab


Search for these files and delete them if found:

C:\WINDOWS\system32\winduy32.exe <-- this file
C:\Documents and Settings\David Crisp\Application Data\gi?s?x.exe <-- this file
C:\WINDOWS\Downloaded Program Files\SbCIe028.dll <-- this file

2. Reboot and post a new log please.

Tell me if the problems are gone.

Edited by cryo, 05 October 2004 - 02:20 PM.

Every day is virus day. Do you know where your recovery CDs are?
Did you create them yet?


#13 CrispyDave

CrispyDave
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:09:54 PM

Posted 05 October 2004 - 03:13 PM

Hiya,

When I've typed command in the run bit, it brings up the DOS screen, but an error message flashes up saying:

C:\WINDOWS\System 32\Command.com
C:\WINDOWS\SYTEM£"|AUTOEXEC.NT The system file is not suitable for running MS-DOS and Microsoft Windows aplications
Choose 'Close' to terminate the application

It won't let me type anything in the DOS screen?

#14 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  • Gender:Male
  • Location:Romania
  • Local time:09:54 PM

Posted 05 October 2004 - 03:22 PM

Please go to the C:\WINDOWS\repair\ folder and copy AUTOEXEC.NT file to the C:\WINDOWS\system32\ folder.

I have written the instructions again because I have inserted another script:

A. Click Start, Run and type Command

A DOS window will open.

Type the following and then press Enter after typing each one:

cd\

Press the Enter key

cd \windows (note there is a space between cd and \windows)

Press the Enter key

Type copy regedit.exe regedit.com

and then press Enter key

Type start regedit.com

Navigate to and select the following key:
HKEY_CLASSES_ROOT\exefile\shell\open\command

Double-click the (Default) value in the right pane.
Delete the current value data, and then type: "%1" %* [with quotes]
(i.e., quote-percent-one-quote-space-percent-asterisk.)

B.
1. Run this registry script, which forces Windows to show so-called "superhidden" files:

Copy the contents of the Quote box to Notepad, and save in a location of your choice as Unhide.reg (make sure to save as type: "All Files")

Doubleclick Unhide.reg, and answer 'yes' when prompted to add its contents to the Registry, then restart your computer.

This is only for XP or 2000 systems

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"SearchSystemDirs"=dword:00000001
"SearchHidden"=dword:00000001
"IncludeSubFolders"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000001


2. Run this registry script:

Copy the contents of the Quote box to Notepad, and save in a location of your choice as fix.reg (make sure to save as type: "All Files")

Doubleclick fix.reg, and answer 'yes' when prompted to add its contents to the Registry, then restart your computer.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"RestrictRun"=-
"DisallowRun"=-


C.
1. Run HijackThis!, press "Scan" and tick the boxes next to all these, close all other windows and browsers, then press the "Fix Checked" button.

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [Sys29] C:\WINDOWS\system32\winduy32.exe
O4 - HKCU\..\Run: [Apmp] C:\Documents and Settings\David Crisp\Application Data\gi?s?x.exe

O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll

O16 - DPF: {469843DD-EBB3-4661-B0A6-E6FE590240C9} - http://olympustele.com/connect/dialer.cab


Search for these files and delete them if found:

C:\WINDOWS\system32\winduy32.exe <-- this file
C:\Documents and Settings\David Crisp\Application Data\gi?s?x.exe <-- this file
C:\WINDOWS\Downloaded Program Files\SbCIe028.dll <-- this file

2. Reboot and post a new log please.

Tell me if the problems are gone.

Edited by cryo, 05 October 2004 - 03:23 PM.

Every day is virus day. Do you know where your recovery CDs are?
Did you create them yet?
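The repair steps in posts #12 and #14 change three things: the (Default) data of HKEY_CLASSES_ROOT\exefile\shell\open\command (step A), the Explorer "Hidden"/"ShowSuperHidden" values (step B.1), and the three Policies values that lock out regedit and program launches (step B.2). The script below is an added example, not code from the thread or from HijackThis: it parses a "Windows Registry Editor Version 5.00" script as text, so it runs on any machine without touching a live registry, and checks that a script really does what those steps need. The sample script is the post's Unhide.reg and fix.reg merged into one; the hijacked-association string in the usage section is constructed for illustration and is not a value from the log.

```python
"""Parse 'Windows Registry Editor Version 5.00' scripts and audit the settings
that steps A and B of the post change.  Added example, not code from the thread;
it only reads text and never touches a live registry."""
import re

REG_HEADER = "Windows Registry Editor Version 5.00"
# Stock data of HKEY_CLASSES_ROOT\exefile\shell\open\command (step A restores it)
STOCK_EXEFILE_COMMAND = '"%1" %*'

EXPLORER_ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICY_VALUES = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System":
        ("DisableRegistryTools",),
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer":
        ("RestrictRun", "DisallowRun"),
}

# Constructed sample: the post's Unhide.reg and fix.reg contents merged into one script.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"RestrictRun"=-
"DisallowRun"=-
'''

# "name"=data  or  @=data  (the @ form is the (Default) value)
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {key: {value_name: (kind, data)}}.

    kind is 'dword' (data is an int), 'sz' (str), 'delete' (the "=-" form that
    removes a value, as in fix.reg) or 'raw' (anything else, kept as text).
    '@' names the (Default) value.  A [-KEY] line maps the key to None.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != REG_HEADER:
        raise ValueError("missing .reg header line; regedit will not import this file")
    result, key = {}, None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):          # [-KEY] deletes the whole key
                result[key[1:]] = None
                key = None
            else:
                result.setdefault(key, {})
            continue
        if key is None:
            raise ValueError(f"value outside any key: {raw!r}")
        m = _VALUE_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        name = "@" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2).strip()
        if data == "-":
            result[key][name] = ("delete", None)
        elif data.lower().startswith("dword:"):
            result[key][name] = ("dword", int(data[6:], 16))
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            result[key][name] = ("sz", _unescape(data[1:-1]))
        else:
            result[key][name] = ("raw", data)
    return result


def unhide_settings_enabled(reg):
    """Step B.1: both Hidden and ShowSuperHidden must be set to 1."""
    vals = reg.get(EXPLORER_ADVANCED) or {}
    return all(vals.get(n) == ("dword", 1) for n in ("Hidden", "ShowSuperHidden"))


def removed_restrictions(reg):
    """Step B.2: which lock-down policy values the script deletes, sorted by name."""
    found = []
    for key, names in POLICY_VALUES.items():
        vals = reg.get(key) or {}
        found.extend(n for n in names if vals.get(n) == ("delete", None))
    return sorted(found)


def exefile_command_is_stock(data):
    """Step A: the (Default) data must be exactly "%1" %*.  Any program name in
    front of it means every .exe launch is first routed through that program,
    which is why the repair copies regedit.exe to regedit.com before fixing it."""
    return data.strip() == STOCK_EXEFILE_COMMAND


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    print("superhidden files shown:", unhide_settings_enabled(reg))
    print("restrictions removed:", removed_restrictions(reg))
    # constructed example of a hijacked association, not a value from the log
    print("hijacked:", not exefile_command_is_stock(r'C:\example\hijack.exe "%1" %*'))
```

Saving a script without the header line is the most common reason a double-clicked .reg file does nothing, so parse_reg refuses such input outright instead of silently returning an empty result; the "=-" form is what lets fix.reg remove the DisableRegistryTools, RestrictRun and DisallowRun values rather than merely set them to zero.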


#15 CrispyDave

CrispyDave
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:09:54 PM

Posted 05 October 2004 - 03:52 PM

Hiya!

Got as far as doing the first restart; now when I go to save the second registry bit in Notepad, Notepad freezes, not letting me save as????

One thing I've just noticed though is that icons that weren't working now are (such as Windows Messenger, Outlook, Calculator, Right Click Properties etc..)

Do I need to carry on with the rest of the registry stuff?



