Searchweb2 - Please help analyse log.


2 replies to this topic

#1 EnlancE

  • Members
  • 6 posts

Posted 22 October 2004 - 11:50 AM

I've run Ad-Aware and Spybot but can't find the problem. Please help me remove this shait!

Here is the HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 18:40:52, on 22.10.2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\Programfiler\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\Linksts.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\Programfiler\Winamp\winampa.exe
C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe
C:\Programfiler\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Programfiler\AceGain\LiveUpdate\LiveUpdate.exe
C:\Programfiler\Messenger\Msn +\MsgPlus.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\MSN Messenger\msnmsgr.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\AceGain\LiveUpdate\aceagent.exe
c:\progra~1\intern~1\iexplore.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe
C:\Programfiler\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mdqudcfdinpblt.us/v0yOAsxCfCG3gDcCW...E3rpChWpO/A.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.rmoqkognxmhan.uk/v0yOAsxCfCEckB...f/XPdzLpyU.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2FD07B43-78DE-3E3F-E62A-9BEAF9CB4BAE} - C:\DOCUME~1\Daniel\PROGRA~1\CAKESI~1\Onlinebone.exe
O2 - BHO: (no name) - {74138EE5-E500-3A67-B013-800C3D1ED362} - C:\DOCUME~1\Daniel\PROGRA~1\CAKESI~1\Onlinebone.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: GameBar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\Programfiler\GameRival\GameBar\gamebar.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ISDN Monitor] Linksts.exe W 1024
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programfiler\Fellesfiler\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Programfiler\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Programfiler\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [msnappau] "C:\Programfiler\MSN Apps\Updater\01.02.0002.1001\no\msnappau.exe"
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Programfiler\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programfiler\Messenger\Msn +\MsgPlus.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Five Dog Poke Intra] C:\Documents and Settings\All Users\Programdata\MailDoesFiveDog\Meta internet.exe
O4 - HKLM\..\Run: [love regs trust cool] C:\Documents and Settings\All Users\Programdata\Tick slow love regs\cakeaim.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Utopia Angel] C:\Documents and Settings\pHilip\Mine dokumenter\Utopia\Angel\Angel.exe
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programfiler\Messenger\Msn +\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [popace] C:\DOCUME~1\pHilip\PROGRA~1\axischin\DvdTeam.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programfiler\Fellesfiler\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/bestfriends/retro64_loader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partner...ler/install.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4964F76C-9B89-4D3E-94AB-4D4CF74E49A9}: NameServer = 213.142.64.170 213.142.64.171


#2 CalamityKen

  • Members
  • 128 posts
  • Location: Whitby, Ont.

Posted 22 October 2004 - 02:53 PM

EnlancE, welcome.

Please print this out and follow ALL these directions carefully.

The system got infected with lop.com when you installed Messenger Plus!

Make sure 'show all files' is enabled:
http://service1.symantec.com/SUPPORT/tsgen...=&osv=&osv_lvl=

Boot into Safe Mode by tapping F8 key repeatedly at bootup.
More detailed instructions here:
http://service1.symantec.com/SUPPORT/tsgen...001052409420406

Go to Add/Remove Programs and uninstall Messenger Plus and Wild Tangent.

Delete if still present:

C:\Document and Settings\Daniel\PROGRA~1\CAKESI~1
C:\Programfiler\WildTangent
C:\Programfiler\Messenger\Msn +
C:\Documents and Settings\All Users\Programdata\MailDoesFiveDog
C:\Documents and Settings\All Users\Programdata\Tick slow love regs
C:\DOCUME~1\pHilip\PROGRA~1\axischin
<== folders

Start HijackThis and tick the boxes next to all these, then close all browser and explorer windows, and tell HijackThis to "Fix checked" if still present.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mdqudcfdinpblt.us/v0yOAsxCfCG3gDcCW...E3rpChWpO/A.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://web.rmoqkognxmhan.uk/v0yOAsxCfCEckB...f/XPdzLpyU.html
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {2FD07B43-78DE-3E3F-E62A-9BEAF9CB4BAE} - C:\DOCUME~1\Daniel\PROGRA~1\CAKESI~1\Onlinebone.exe
O2 - BHO: (no name) - {74138EE5-E500-3A67-B013-800C3D1ED362} - C:\DOCUME~1\Daniel\PROGRA~1\CAKESI~1\Onlinebone.exe
O3 - Toolbar: GameBar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\Programfiler\GameRival\GameBar\gamebar.dll (file missing)
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Programfiler\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programfiler\Messenger\Msn +\MsgPlus.exe"
O4 - HKLM\..\Run: [Five Dog Poke Intra] C:\Documents and Settings\All Users\Programdata\MailDoesFiveDog\Meta internet.exe
O4 - HKLM\..\Run: [love regs trust cool] C:\Documents and Settings\All Users\Programdata\Tick slow love regs\cakeaim.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programfiler\Messenger\Msn +\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [popace] C:\DOCUME~1\pHilip\PROGRA~1\axischin\DvdTeam.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partner...ler/install.cab


Reboot and install the prevention protection below, and help keep your friends from being infected on the Internet.

Empty the Recycle Bin.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there.
Index.dat Suite helps with this.
http://support.it-mate.co.uk/?mode=Products&p=index.datsuite

Ensure that Index.dat Suite is set up to empty the Temp folders, especially
C:\Documents and Settings\{user}\Local Settings\Temp
then run the Find, create the run.bat, and reboot to have it remove what it finds.

{user} is the Daniel User Account ID.
Removal of infections and prevention protection should be installed on ALL User Account IDs.

Download and install WinPatrol.
http://www.winpatrol.com

Browser settings for increased security:
http://bshagnasty.home.att.net/browsersettings.htm

Install IE-SPYAD (then run the install.bat in the ie-spyad folder) and SpywareBlaster, then keep them up to date, as today's Internet is full of nasty infections.
https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
http://www.javacoolsoftware.com/spywareblaster.html
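As an added example, not part of the thread or of HijackThis itself, here is a small Python triage script over lines in the HijackThis v1.98 format shown above. The heuristics (random-looking IE start/search host, BHO with no name or file, toolbar with a missing DLL, autostart entry running from a user profile or ProgramData folder) are my own approximation of the reasoning CalamityKen applies when picking entries to fix, and the sample lines are constructed from the log above.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the HijackThis v1.98 line format used in the thread
# (paths and GUIDs taken from the log above).
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://mdqudcfdinpblt.us/v0yOAsxCfCG3gDcCW...E3rpChWpO/A.php
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\\Programfiler\\Norton AntiVirus\\NavShExt.dll
O3 - Toolbar: GameBar - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\\Programfiler\\GameRival\\GameBar\\gamebar.dll (file missing)
O4 - HKLM\\..\\Run: [ccApp] "C:\\Programfiler\\Fellesfiler\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [Five Dog Poke Intra] C:\\Documents and Settings\\All Users\\Programdata\\MailDoesFiveDog\\Meta internet.exe
O4 - HKCU\\..\\Run: [popace] C:\\DOCUME~1\\pHilip\\PROGRA~1\\axischin\\DvdTeam.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# Autostart paths under user profiles / ProgramData rather than Program Files.
PROFILE_PATH_RE = re.compile(r"(Documents and Settings|DOCUME~1)\\", re.I)

def looks_random(host: str) -> bool:
    """Heuristic (own assumption): a long second-level label with few vowels."""
    labels = host.split(".")
    label = labels[-2] if len(labels) >= 2 else host
    vowels = sum(c in "aeiou" for c in label)
    return len(label) >= 10 and vowels / len(label) < 0.3

def triage_line(line: str):
    """Return (section, reason) if the line deserves a closer look, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R0", "R1"):
        url = body.split("=", 1)[1].strip() if "=" in body else ""
        host = urlparse(url).hostname or ""
        if host and looks_random(host):
            return (sec, f"IE start/search page points at random-looking host {host}")
    elif sec == "O2" and ("(no name)" in body or "(no file)" in body):
        return (sec, "BHO without a name or backing file")
    elif sec == "O3" and "(file missing)" in body:
        return (sec, "toolbar whose DLL is missing")
    elif sec == "O4" and PROFILE_PATH_RE.search(body):
        return (sec, "autostart entry running from a user profile or ProgramData folder")
    return None

def triage_log(text: str):
    """Return [(line, (section, reason))] for every flagged line in the log."""
    hits = [(ln, triage_line(ln)) for ln in text.splitlines()]
    return [(ln, why) for ln, why in hits if why]

if __name__ == "__main__":
    for line, (sec, why) in triage_log(SAMPLE_LOG):
        print(f"[{sec}] {why}\n    {line}")
```

The Program Files entries (NAV Helper, ccApp) pass untouched, which mirrors the thread: the helper left those alone and targeted only the profile-folder autostarts, the nameless BHOs and the hijacked start/search pages.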

#3 EnlancE

  • Topic Starter
  • Members
  • 6 posts

Posted 22 October 2004 - 05:45 PM

Thanx a lot!

Great thing you got going here! Helping everyone that asks! Fantastic.

I'll see to it straight away.

Thank you very much for your help!
