Problem! specific911


25 replies to this topic

#1 pustahw

pustahw

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:05:21 AM

Posted 04 November 2004 - 04:12 AM

I have just recently started having a problem with my PC. Every time I open IE I am taken to specific911.com. Also everything I try to use, such as running other programs, opening folders etc., all launches IE and goes to specific911.com. When I start up no programs start up and show up in my system tray... instead an IE window pops up going to specific911 each time a program tries to start up. The only way for me to access folders is to right-click and "explore". I've tried running ad-aware and spysweeper but those both result in the same thing: an IE page going to specific911.com. I have downloaded HJT in its own folder in the hopes of being able to post the log; however, it's not working either. I restart in Safe Mode, but when I try to open HJT it just does the same thing, opening IE. Please help as this is becoming a big headache. Thanks.
JR


#2 Daisuke (Cleaner on Duty)
Posted 04 November 2004 - 06:43 AM

Hi

Download the attached INF file and save it on your desktop.

Right-click the UnHookExec.inf file and click install.

Download the latest version of HijackThis!: Download here HJT 1.98.2. Save it on your Desktop. You will now need to unzip hijackthis.exe to a permanent folder, such as c:\hjt. This has to be done as HijackThis creates backups. You may need to use these backups.

First create a new folder:
A. Click My Computer icon on your desktop
B. Click C: drive
C. Click the File menu --> New --> Folder, a folder "New folder" will be created.
D. Rename it HJT

Unzip hijackthis.exe to the c:\HJT folder.

Run HijackThis.exe. Press the Scan button, then Save Log.
Save the logfile (press Save) and Notepad will open.

In Notepad click
Edit menu --> Select All
then
Edit menu --> Copy

Right click in the message area and click on the paste option to paste the log into the post.


Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?


#3 pustahw (Topic Starter)

Posted 04 November 2004 - 09:43 PM

I downloaded and installed the INF file that you provided. I then followed the next steps you provided and HJT is in its own folder. But I cannot get HJT to run either. When I double-click on it, IE launches to specific911.com. If I turn off my modem, IE still launches, it just says it cannot find the website.

#4 Daisuke (Cleaner on Duty)

Posted 05 November 2004 - 04:01 AM

Try these:

Go to the next step if it's not working:

rename hijackthis.exe --> hijackthis.com and run it

rename hijackthis.com --> hijackthis.scr and run it

rename hijackthis.scr --> pustahw.scr and run it


What is your Operating System?

If you are running Windows XP or 2000, go into My Computer, right-click on the C: drive and tell me if the filesystem is NTFS or FAT32.
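The rename workaround above and the UnHookExec.inf in post #2 address the same mechanism: when the shell's open command for .exe files (HKCR\exefile\shell\open\command) has been rewritten to run another program first, every program launch is handed to the hijacker, which matches the symptom in post #1, and HijackThis only runs once it carries an extension whose association is still clean. The check below is an added example, not part of the thread or of UnHookExec.inf; the expected default commands, the function names and the sample hijacked value with its placeholder loader path are assumptions.

```python
import re

# Clean shell\open\command defaults for the classes involved
# (HKCR\<class>\shell\open\command on Windows 2000/XP; assumption for this example).
EXPECTED_OPEN_COMMANDS = {
    "exefile": '"%1" %*',
    "comfile": '"%1" %*',
    "batfile": '"%1" %*',
    "scrfile": '"%1" /S',
}

# Constructed sample of what the check would read back: clean defaults plus one
# exefile entry rewritten to run a placeholder loader before the real program.
SAMPLE_COMMANDS = {
    "exefile": '"C:\\WINDOWS\\hypothetical_loader.exe" "%1" %*',
    "comfile": '"%1" %*',
    "scrfile": '"%1" /S',
}

def association_hijacked(file_class, command):
    """True when the open command for file_class is anything but the stock value."""
    normalized = " ".join(command.strip().split())  # collapse whitespace only
    return normalized.lower() != EXPECTED_OPEN_COMMANDS[file_class].lower()

def hijacker_program(command):
    """The program a rewritten command runs instead of "%1" itself, or None."""
    m = re.match(r'^\s*(?:"([^"]+)"|(\S+))', command)
    if not m:
        return None
    program = m.group(1) or m.group(2)
    return None if program == "%1" else program

def audit(commands):
    """Map each hijacked class to the program that was inserted into its command."""
    return {cls: hijacker_program(cmd)
            for cls, cmd in commands.items() if association_hijacked(cls, cmd)}

def read_live_commands():
    """On Windows read the real values with winreg; elsewhere use the sample."""
    try:
        import winreg
    except ImportError:
        return SAMPLE_COMMANDS
    found = {}
    for cls in EXPECTED_OPEN_COMMANDS:
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, cls + r"\shell\open\command") as key:
                found[cls] = winreg.QueryValueEx(key, "")[0]
        except OSError:
            pass  # class not present on this machine
    return found

if __name__ == "__main__":
    for cls, program in audit(read_live_commands()).items():
        print(f"{cls}: open command rewritten to run {program} first")
```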

#5 pustahw (Topic Starter)

Posted 05 November 2004 - 07:54 AM

Hopefully this is a successful attempt finally! I had to download a direct link of HJT and rename it hijackthis.scr for it to finally work. I installed HJT and ran a scan. Here are the results... I'm hoping this is correct because the first time I clicked Save Log it saved as .log and I couldn't open it. However, my Microsoft Office works so I figured I'd try a Word document. I scanned again and saved as .doc and this is what I got, so I copied and pasted.

Also the filesystem is NTFS.

Thank you. Hopefully this will get things going now.

JR



Logfile of HijackThis v1.98.2
Scan saved at 4:45:09 AM, on 11/5/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\HJT\HIJACK~2.SCR

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://specific911.net/aff/108/
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://specific911.net/aff/108/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://specific911.net/aff/108/
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://specific911.com/_start/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://specific911.net/aff/108/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://specific911.net/aff/108/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://specific911.net/aff/108/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://specific911.net/aff/108/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://specific911.net/aff/108/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://specific911.net/aff/108/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://specific911.com/_start/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://specific911.net/aff/108/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://specific911.net/aff/108/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://specific911.com/_start/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://specific911.com/_start/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://specific911.net/aff/108/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://specific911.com/_start/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = mk:@MSITStore:C:\spe\start.chm::/start.html#
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.246.26.137 searchmyrequest.com
O1 - Hosts: 64.246.26.137 sina.com.cn
O1 - Hosts: 64.246.26.137 163.com
O1 - Hosts: 64.246.26.137 sohu.com
O1 - Hosts: 64.246.26.137 line-plus.com
O1 - Hosts: 64.246.26.137 list2004.com
O1 - Hosts: 64.246.26.137 worldmpeg.com
O1 - Hosts: 64.246.26.137 install.xxxtoolbar.com
O1 - Hosts: 64.246.26.137 ewebsearch.net
O1 - Hosts: 64.246.26.137 casino.com
O1 - Hosts: 64.246.26.137 hotbot.com
O1 - Hosts: 64.246.26.137 lycos.com
O1 - Hosts: 64.246.26.137 excite.com
O1 - Hosts: 64.246.26.137 dmoz.org
O1 - Hosts: 64.246.26.137 wisenut.com
O1 - Hosts: 64.246.26.137 alltheweb.com
O1 - Hosts: 64.246.26.137 teoma.com
O1 - Hosts: 64.246.26.137 search.com
O1 - Hosts: 64.246.26.137 msn.com
O1 - Hosts: 64.246.26.137 search.msn.com
O1 - Hosts: 64.246.26.137 altavista.com
O1 - Hosts: 64.246.26.137 google.com
O1 - Hosts: 64.246.26.137 yahoo.com
O1 - Hosts: 64.246.26.137 www.search-all-fast.com
O1 - Hosts: 64.246.26.137 thehun.com
O1 - Hosts: 64.246.26.137 geosites.com
O1 - Hosts: 64.246.26.137 i-lookup.com
O1 - Hosts: 64.246.26.137 sexocean.com
O1 - Hosts: 64.246.26.137 full-search.net
O1 - Hosts: 64.246.26.137 search-all-fast.com
O1 - Hosts: 64.246.26.137 www.full-search.net
O1 - Hosts: 64.246.26.137 auto.search.msn.com
O1 - Hosts: 64.246.26.137 in.webcounter.cc
O1 - Hosts: 64.246.26.137 sitefinder.verisign.com
O1 - Hosts: 64.246.26.137 www.umaxsearch.com
O1 - Hosts: 64.246.26.137 umaxsearch.com
O1 - Hosts: 64.246.26.137 www.google.com
O1 - Hosts: 64.246.26.137 www.coolwebsearch.com
O1 - Hosts: 64.246.26.137 coolwebsearch.com
O1 - Hosts: 64.246.26.137 www.searchmeup.com
O1 - Hosts: 64.246.26.137 searchmeup.com
O1 - Hosts: 64.246.26.137 www.pizdato.biz
O1 - Hosts: 64.246.26.137 search-motor.com
O1 - Hosts: 64.246.26.137 pizdato.biz
O1 - Hosts: 64.246.26.137 www.search-motor.com
O1 - Hosts: 64.246.26.137 38.117.144.162
O1 - Hosts: 64.246.26.137 209.66.114.129
O1 - Hosts: 64.246.26.137 www.yahoo.com
O1 - Hosts: 64.246.26.137 search.yahoo.com
O1 - Hosts: 64.246.26.137 xml.umaxfeed.com.com
O1 - Hosts: 64.246.26.137 searchmiracle.com
O1 - Hosts: 64.246.26.137 x.full-tgp.net
O1 - Hosts: 64.246.26.137 www.searchmiracle.com
O1 - Hosts: 64.246.26.137 www.search-and-more.com
O1 - Hosts: 64.246.26.137 x.full-tgp.net
O1 - Hosts: 64.246.26.137 home.peoplepc.com
O1 - Hosts: 64.246.26.137 peoplepc.com
O1 - Hosts: 64.246.26.137 all-find.net
O1 - Hosts: 64.246.26.137 www.start-page.info
O1 - Hosts: 64.246.26.137 start-page.info
O1 - Hosts: 64.246.26.137 www.young-devils.com
O1 - Hosts: 64.246.26.137 young-devils.com
O1 - Hosts: 64.246.26.137 toolbarpartner.net
O1 - Hosts: 64.246.26.137 www.toolbarpartner.net
O1 - Hosts: 64.246.26.137 www.teocash.com
O1 - Hosts: 64.246.26.137 cgi.gammae.com
O1 - Hosts: 64.246.26.137 teens-dream.com
O1 - Hosts: 64.246.26.137 the.sextracker.com
O1 - Hosts: 64.246.26.137 new-iframe.biz
O1 - Hosts: 64.246.26.137 troyporn.com
O1 - Hosts: 64.246.26.137 213.159.117.133
O1 - Hosts: 64.246.26.137 213.159.117.150
O1 - Hosts: 64.246.26.137 63.219.178.91
O1 - Hosts: 64.246.26.137 66.180.174.16
O1 - Hosts: 64.246.26.137 find-on-the-net.com
O1 - Hosts: 64.246.26.137 first-time.biz
O1 - Hosts: 64.246.26.137 toolbarcash.com
O1 - Hosts: 64.246.26.137 www.slotch.com
O1 - Hosts: 64.246.26.137 www.vesbiz.biz
O2 - BHO: crypynet - {942317CE-D52A-9056-F75E-B3810FCFA61E} - C:\WINDOWS\system32\CRYPYNET.dll
O2 - BHO: SDWin32 Class - {CA0510FB-D97A-42B9-8255-BC2300D775A4} - C:\WINDOWS\system32\sxcie.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WebSavingsFromEbates0] "C:\Program Files\WebSavings_from_Ebates\WebSavingsFromEbates0.exe"
O4 - HKLM\..\Run: [netgv32.exe] C:\WINDOWS\netgv32.exe
O4 - HKLM\..\Run: [Rxagik] C:\WINDOWS\Meruoq.exe
O4 - HKLM\..\Run: [ozzqorw] C:\WINDOWS\Skej.exe
O4 - HKLM\..\Run: [qgznyc] C:\WINDOWS\system32\qgznyc.exe
O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
O4 - HKLM\..\Run: [SystemBoot] mshta file:///C:/WINDOWS/winsys.hta
O4 - HKLM\..\Run: [RunOnce] C:\y.exe
O4 - HKLM\..\Run: [host] C:\WINDOWS\..vbs
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [Uwp] C:\WINDOWS\system32\w?wexec.exe
O4 - HKCU\..\Run: [Jwx4RRKFi] krfssvc.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Rnte] C:\Documents and Settings\Gateway User\Application Data\eooe.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Corel Network monitor worker - {01223C16-3392-4540-87A0-93627272D80F} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {01223C16-3392-4540-87A0-93627272D80F} - (no file)
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Corel Network monitor worker - {01223C16-3392-4540-87A0-93627272D80F} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {01223C16-3392-4540-87A0-93627272D80F} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O13 - DefaultPrefix: http://specific911.com/se.cgi?query=
O13 - WWW Prefix: http://specific911.net/se.cgi?query=
O15 - Trusted Zone: http://ad.searchsquire.com
O15 - Trusted Zone: http://search.searchsquire.com
O15 - Trusted Zone: http://update.searchsquire.com
O15 - Trusted Zone: http://www.searchsquire.com
O16 - DPF: DigiChat Applet - http://host8.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.celebritaspoglie.net/sex.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...29afb63ed1a70c5
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {3CC943C7-3C99-11D4-8135-0050041A5144} (RunExeActiveX.UserControl1) - file://C:\Program Files\Gateway\HelpSpot\RunExeActiveX.CAB
O16 - DPF: {5D7334F5-CF58-4F22-8502-6CC0ACB2FEFF} - http://www.dialer-shop.com/protected/code/axrbpt.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {86EEF11E-FF16-48CE-B1A2-474B663041A9} - http://acces-direct.net/20222/adh1_sexarea.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1044446.exe
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

#6 Daisuke (Cleaner on Duty)

Posted 05 November 2004 - 03:53 PM

Hi pustahw

Please read carefully the instructions below. If you don't understand something please tell me. Proceed only when everything is clear.


It is a good idea to print or copy these instructions because you are not able to access the Internet in SafeMode.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

Run HijackThis!, press Scan, and put a check mark next to all these:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://specific911.net/aff/108/
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://specific911.net/aff/108/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://specific911.net/aff/108/
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://specific911.com/_start/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://specific911.net/aff/108/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://specific911.net/aff/108/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://specific911.net/aff/108/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://specific911.net/aff/108/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://specific911.net/aff/108/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://specific911.net/aff/108/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://specific911.com/_start/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://specific911.net/aff/108/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://specific911.net/aff/108/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://specific911.com/_start/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://specific911.com/_start/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://specific911.net/aff/108/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://specific911.com/_start/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = mk:@MSITStore:C:\spe\start.chm::/start.html#
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R3 - Default URLSearchHook is missing

O1 - Hosts: 64.246.26.137 searchmyrequest.com
O1 - Hosts: 64.246.26.137 sina.com.cn
O1 - Hosts: 64.246.26.137 163.com
O1 - Hosts: 64.246.26.137 sohu.com
O1 - Hosts: 64.246.26.137 line-plus.com
O1 - Hosts: 64.246.26.137 list2004.com
O1 - Hosts: 64.246.26.137 worldmpeg.com
O1 - Hosts: 64.246.26.137 install.xxxtoolbar.com
O1 - Hosts: 64.246.26.137 ewebsearch.net
O1 - Hosts: 64.246.26.137 casino.com
O1 - Hosts: 64.246.26.137 hotbot.com
O1 - Hosts: 64.246.26.137 lycos.com
O1 - Hosts: 64.246.26.137 excite.com
O1 - Hosts: 64.246.26.137 dmoz.org
O1 - Hosts: 64.246.26.137 wisenut.com
O1 - Hosts: 64.246.26.137 alltheweb.com
O1 - Hosts: 64.246.26.137 teoma.com
O1 - Hosts: 64.246.26.137 search.com
O1 - Hosts: 64.246.26.137 msn.com
O1 - Hosts: 64.246.26.137 search.msn.com
O1 - Hosts: 64.246.26.137 altavista.com
O1 - Hosts: 64.246.26.137 google.com
O1 - Hosts: 64.246.26.137 yahoo.com
O1 - Hosts: 64.246.26.137 www.search-all-fast.com
O1 - Hosts: 64.246.26.137 thehun.com
O1 - Hosts: 64.246.26.137 geosites.com
O1 - Hosts: 64.246.26.137 i-lookup.com
O1 - Hosts: 64.246.26.137 sexocean.com
O1 - Hosts: 64.246.26.137 full-search.net
O1 - Hosts: 64.246.26.137 search-all-fast.com
O1 - Hosts: 64.246.26.137 www.full-search.net
O1 - Hosts: 64.246.26.137 auto.search.msn.com
O1 - Hosts: 64.246.26.137 in.webcounter.cc
O1 - Hosts: 64.246.26.137 sitefinder.verisign.com
O1 - Hosts: 64.246.26.137 www.umaxsearch.com
O1 - Hosts: 64.246.26.137 umaxsearch.com
O1 - Hosts: 64.246.26.137 www.google.com
O1 - Hosts: 64.246.26.137 www.coolwebsearch.com
O1 - Hosts: 64.246.26.137 coolwebsearch.com
O1 - Hosts: 64.246.26.137 www.searchmeup.com
O1 - Hosts: 64.246.26.137 searchmeup.com
O1 - Hosts: 64.246.26.137 www.pizdato.biz
O1 - Hosts: 64.246.26.137 search-motor.com
O1 - Hosts: 64.246.26.137 pizdato.biz
O1 - Hosts: 64.246.26.137 www.search-motor.com
O1 - Hosts: 64.246.26.137 38.117.144.162
O1 - Hosts: 64.246.26.137 209.66.114.129
O1 - Hosts: 64.246.26.137 www.yahoo.com
O1 - Hosts: 64.246.26.137 search.yahoo.com
O1 - Hosts: 64.246.26.137 xml.umaxfeed.com.com
O1 - Hosts: 64.246.26.137 searchmiracle.com
O1 - Hosts: 64.246.26.137 x.full-tgp.net
O1 - Hosts: 64.246.26.137 www.searchmiracle.com
O1 - Hosts: 64.246.26.137 www.search-and-more.com
O1 - Hosts: 64.246.26.137 x.full-tgp.net
O1 - Hosts: 64.246.26.137 home.peoplepc.com
O1 - Hosts: 64.246.26.137 peoplepc.com
O1 - Hosts: 64.246.26.137 all-find.net
O1 - Hosts: 64.246.26.137 www.start-page.info
O1 - Hosts: 64.246.26.137 start-page.info
O1 - Hosts: 64.246.26.137 www.young-devils.com
O1 - Hosts: 64.246.26.137 young-devils.com
O1 - Hosts: 64.246.26.137 toolbarpartner.net
O1 - Hosts: 64.246.26.137 www.toolbarpartner.net
O1 - Hosts: 64.246.26.137 www.teocash.com
O1 - Hosts: 64.246.26.137 cgi.gammae.com
O1 - Hosts: 64.246.26.137 teens-dream.com
O1 - Hosts: 64.246.26.137 the.sextracker.com
O1 - Hosts: 64.246.26.137 new-iframe.biz
O1 - Hosts: 64.246.26.137 troyporn.com
O1 - Hosts: 64.246.26.137 213.159.117.133
O1 - Hosts: 64.246.26.137 213.159.117.150
O1 - Hosts: 64.246.26.137 63.219.178.91
O1 - Hosts: 64.246.26.137 66.180.174.16
O1 - Hosts: 64.246.26.137 find-on-the-net.com
O1 - Hosts: 64.246.26.137 first-time.biz
O1 - Hosts: 64.246.26.137 toolbarcash.com
O1 - Hosts: 64.246.26.137 www.slotch.com
O1 - Hosts: 64.246.26.137 www.vesbiz.biz
O2 - BHO: crypynet - {942317CE-D52A-9056-F75E-B3810FCFA61E} - C:\WINDOWS\system32\CRYPYNET.dll
O2 - BHO: SDWin32 Class - {CA0510FB-D97A-42B9-8255-BC2300D775A4} - C:\WINDOWS\system32\sxcie.dll

O4 - HKLM\..\Run: [WebSavingsFromEbates0] "C:\Program Files\WebSavings_from_Ebates\WebSavingsFromEbates0.exe"
O4 - HKLM\..\Run: [netgv32.exe] C:\WINDOWS\netgv32.exe
O4 - HKLM\..\Run: [Rxagik] C:\WINDOWS\Meruoq.exe
O4 - HKLM\..\Run: [ozzqorw] C:\WINDOWS\Skej.exe
O4 - HKLM\..\Run: [qgznyc] C:\WINDOWS\system32\qgznyc.exe
O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
O4 - HKLM\..\Run: [SystemBoot] mshta file:///C:/WINDOWS/winsys.hta
O4 - HKLM\..\Run: [RunOnce] C:\y.exe
O4 - HKLM\..\Run: [host] C:\WINDOWS\..vbs
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [Uwp] C:\WINDOWS\system32\w?wexec.exe
O4 - HKCU\..\Run: [Jwx4RRKFi] krfssvc.exe
O4 - HKCU\..\Run: [Rnte] C:\Documents and Settings\Gateway User\Application Data\eooe.exe


These are restrictions. Leave them unchecked if these were set by you using software like Spybot Search & Destroy, SpywareBlaster or another similar protection program, or if these were set by your system administrator.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present


O9 - Extra button: Corel Network monitor worker - {01223C16-3392-4540-87A0-93627272D80F} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {01223C16-3392-4540-87A0-93627272D80F} - (no file)

O13 - DefaultPrefix: http://specific911.com/se.cgi?query=
O13 - WWW Prefix: http://specific911.net/se.cgi?query=

O15 - Trusted Zone: http://ad.searchsquire.com
O15 - Trusted Zone: http://search.searchsquire.com
O15 - Trusted Zone: http://update.searchsquire.com
O15 - Trusted Zone: http://www.searchsquire.com

O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.celebritaspoglie.net/sex.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...29afb63ed1a70c5
O16 - DPF: {86EEF11E-FF16-48CE-B1A2-474B663041A9} - http://acces-direct.net/20222/adh1_sexarea.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1044446.exe


Close all other windows and browsers, and press the Fix Checked button.

REBOOT into SafeMode: Starting your computer in Safe mode, use the F8 method

Search for these files and delete them if found:
C:\WINDOWS\system32\CRYPYNET.dll <-- this file
C:\WINDOWS\system32\sxcie.dll <-- this file
C:\WINDOWS\netgv32.exe <-- this file
C:\WINDOWS\Meruoq.exe <-- this file
C:\WINDOWS\Skej.exe <-- this file
C:\WINDOWS\system32\qgznyc.exe <-- this file
C:\WINDOWS\winsys.hta <-- this file
C:\y.exe <-- this file
C:\WINDOWS\about.htm <-- this file

Please read carefully these instructions. Deleting a legitimate Microsoft Windows file could damage your system or make it unstable.

C:\WINDOWS\System32\w?wexec.exe (wowexec.exe) <-- Delete this file. Please read first the explanations below.

Important information about the above file !
This file is tricky. You will find two files with the same filename in the C:\WINDOWS\System32\ folder: wowexec.exe.

One is a valid, legitimate Windows file, and the other one is bad. If you can see only one file with this name the bad file is invisible. Leave it for the moment and delete the next file below this note.

If two files with this name, wowexec.exe, are visible in the C:\WINDOWS\System32\ folder you must check first which one is the good file and which one is the bad file. Right click on each of the two files and click Properties. A window will open. Read the file description in the "General" tab. The description of the legitimate Windows file is: Windows Win16 Application Launcher.
The bad file has no "Description" or the description is different.

When you have established which one is good and which one is bad, delete only the bad file.

krfssvc.exe <-- this file
C:\Documents and Settings\Gateway User\Application Data\eooe.exe <-- this file

Delete these folders:
C:\Program Files\WebSavings_from_Ebates\ <-- this folder
C:\Program Files\Win Comm\ <-- this folder
C:\spe\ <-- this folder

REBOOT normally.

Run HijackThis! again and post a new log.
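The triage Daisuke does by hand on the log in post #5 (every start/search URL pointing at the hijack domain, a hosts file mapping dozens of search engines to one IP, randomly named Run entries, an .hta autorun, the look-alike w?wexec.exe, a URL prefix override, Trusted Zone additions and DPF entries that fetch bare .exe files) can be written down as a small parser over the HJT line format. This is an added example, not code from the thread or from HijackThis; the sample log is a constructed excerpt of the posted one, and the hijack-domain list, the homepage allowlist, the threshold and the heuristics are assumptions for this run.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed excerpt of the HijackThis 1.98.2 log posted in this thread
# (a subset of its lines, copied verbatim; HJT logs are plain text).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://specific911.net/aff/108/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://specific911.com/_start/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.246.26.137 google.com
O1 - Hosts: 64.246.26.137 search.msn.com
O1 - Hosts: 64.246.26.137 yahoo.com
O2 - BHO: crypynet - {942317CE-D52A-9056-F75E-B3810FCFA61E} - C:\WINDOWS\system32\CRYPYNET.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Rxagik] C:\WINDOWS\Meruoq.exe
O4 - HKLM\..\Run: [SystemBoot] mshta file:///C:/WINDOWS/winsys.hta
O4 - HKLM\..\Run: [host] C:\WINDOWS\..vbs
O4 - HKCU\..\Run: [Uwp] C:\WINDOWS\system32\w?wexec.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O13 - DefaultPrefix: http://specific911.com/se.cgi?query=
O15 - Trusted Zone: http://ad.searchsquire.com
O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.celebritaspoglie.net/sex.exe
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
"""

# Domains the helper's fix list treats as hijack infrastructure, taken from the
# log itself; a real triage tool would consult a maintained blocklist instead.
HIJACK_DOMAINS = {"specific911.com", "specific911.net", "searchsquire.com"}
# Start/search page hosts this user regards as legitimate (assumption for this run).
ALLOWED_HOMEPAGE_HOSTS = {"www.yahoo.com"}
# This many distinct hostnames mapped to one IP in the hosts file is a redirect net.
MIN_HOSTS_PER_IP = 3

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def in_hijack_domain(host):
    return any(host == d or host.endswith("." + d) for d in HIJACK_DOMAINS)

def run_target(cmd):
    """The program part of a Run value: the quoted path if quoted, else the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""

def suspicious_command(cmd):
    """Heuristics matching the autorun entries the helper removed in this thread."""
    target = run_target(cmd)
    if "?" in target or any(ord(c) > 127 for c in target):
        # HJT prints a character it cannot render as '?': w?wexec.exe mimics wowexec.exe
        return "unprintable character in filename (look-alike of a system binary)"
    if target.lower() == "mshta" or re.search(r"\.(hta|vbs)\b", cmd, re.I):
        return "script-host autorun (.hta/.vbs)"
    if re.match(r"^[a-z]:\\windows\\[^\\]+\.(exe|com|scr|dll)$", target.lower()):
        return "executable placed directly in the Windows directory"
    return None

def triage(log_text):
    """Return (section, reason, offending line) tuples for entries worth fixing."""
    findings = []
    hosts_by_ip = defaultdict(set)
    for raw in log_text.splitlines():
        m = re.match(r"^(R\d|O\d+) - (.*)$", raw.strip())
        if not m:
            continue
        sec, body = m.group(1), m.group(2)
        if sec in ("R0", "R1") and " = " in body:
            value = body.split(" = ", 1)[1].strip()
            if value.lower().startswith("http"):
                h = host_of(value)
                if in_hijack_domain(h) or h not in ALLOWED_HOMEPAGE_HOSTS:
                    findings.append((sec, f"IE start/search setting points to {h}", raw))
        elif sec == "R3" and "missing" in body:
            findings.append((sec, "default URLSearchHook removed by the hijacker", raw))
        elif sec == "O1" and (h := re.match(r"Hosts: (\S+) (\S+)", body)):
            hosts_by_ip[h.group(1)].add(h.group(2).lower())
        elif sec == "O2":
            findings.append((sec, "BHO loads into every IE process; confirm the DLL's vendor", raw))
        elif sec == "O4" and "] " in body and (why := suspicious_command(body.split("] ", 1)[1])):
            findings.append((sec, why, raw))
        elif sec == "O13" and host_of(body.split(": ", 1)[1]):
            findings.append((sec, "URL prefix rewrites every address typed in IE", raw))
        elif sec == "O15":
            findings.append((sec, "site added to the Trusted Zone (weaker ActiveX rules)", raw))
        elif sec == "O16":
            url = body.rsplit(" - ", 1)[1].strip()
            if url.lower().endswith(".exe") or in_hijack_domain(host_of(url)):
                findings.append((sec, "DPF entry fetches a bare .exe or hijack-domain code", raw))
    for ip, names in hosts_by_ip.items():
        if len(names) >= MIN_HOSTS_PER_IP:
            findings.append(("O1", f"{len(names)} hostnames redirected to {ip}", ", ".join(sorted(names))))
    return findings
```

Entries the heuristics do not reach (the BHO DLLs, the bare krfssvc.exe) still need a manual vendor or hash lookup, which is what the helper did by eye.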

#7 pustahw (Topic Starter)

Posted 05 November 2004 - 11:56 PM

Hey cryo

I tried to follow your directions perfectly so here's a new log. One side note -- I found only one file called wowexec.exe and it was the good one so I left it. Other than that everything else was fine.

JR

Logfile of HijackThis v1.98.2
Scan saved at 8:57:25 PM, on 11/5/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\HJT\HIJACK~2.SCR

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
O2 - BHO: crypynet - {942317CE-D52A-9056-F75E-B3810FCFA61E} - C:\WINDOWS\system32\CRYPYNET.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWE~1.SCR" /0
O4 - Global Startup: BTTray.lnk = C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O16 - DPF: DigiChat Applet - http://host8.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {3CC943C7-3C99-11D4-8135-0050041A5144} (RunExeActiveX.UserControl1) - file://C:\Program Files\Gateway\HelpSpot\RunExeActiveX.CAB
O16 - DPF: {5D7334F5-CF58-4F22-8502-6CC0ACB2FEFF} - http://www.dialer-shop.com/protected/code/axrbpt.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {86EEF11E-FF16-48CE-B1A2-474B663041A9} - http://acces-direct.net/20222/adh1_sexarea.exe
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1044446.exe
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

#8 Daisuke

    Cleaner on Duty

  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 06 November 2004 - 07:55 AM

Hi

Launch Notepad, and copy and paste the contents of the quote box below into a new text file.
If you cannot run notepad.exe:
Copy notepad.exe from the c:\windows folder to your desktop.
Rename notepad.exe --> notepad.scr

Save it as file name: unhide.reg. Save as file type: All files (*.*) and save it on your Desktop.

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"SearchSystemDirs"=dword:00000001
"SearchHidden"=dword:00000001
"IncludeSubFolders"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000001


REBOOT into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Run HijackThis!, press Scan, and put a check mark next to all these:

O2 - BHO: crypynet - {942317CE-D52A-9056-F75E-B3810FCFA61E} - C:\WINDOWS\system32\CRYPYNET.dll

These are restrictions. Leave them unchecked if these were set by you using a software like Spybot Search & Destroy, SpywareBlaster or another similar protection software, or if these were set by your system administrator.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present


O16 - DPF: {86EEF11E-FF16-48CE-B1A2-474B663041A9} - http://acces-direct.net/20222/adh1_sexarea.exe
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1044446.exe


Close all other windows and browsers, and press the Fix Checked button.

Search for these files and delete them if found:
C:\WINDOWS\system32\CRYPYNET.dll <-- this file

Locate the UnHookExec.inf file, right click and select install.

Then, locate unhide.reg on your Desktop and (double) click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry ?".
Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".

C:\WINDOWS\System32\w?wexec.exe (wowexec.exe) <-- Delete this file. Please read the explanations below first.

Important information about the above file!
This file is tricky. You will find two files with the same filename in the C:\WINDOWS\System32\ folder: wowexec.exe.

One is a valid, legitimate Windows file, and the other one is bad.

If two files with this name: wowexec.exe are visible in the C:\WINDOWS\System32\ folder you must check first which one is the good file and which one is the bad file. Right click on each of the two files and click Properties. A window will open. Read the file description in the "General" tab. The description of the legitimate Windows file is: Windows Win16 Application Launcher.
The bad file has no "Description" or the description is different.

When you have established which one is good and which one is bad, delete only the bad file.

REBOOT normally.

Perform a full scan here: Trendmicro, tick AutoClean and let it remove anything it finds.

REBOOT your machine and post a new HJT log please.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?


#9 pustahw

  • Topic Starter
  • Members
  • 13 posts

Posted 07 November 2004 - 08:19 AM

Here's my new log but once again some notes attached:

I saved notepad on the desktop as notepad.scr and then saved the quote as unhide.reg as you said. However I could not do the merge. When I double-clicked it as well as right-clicked "Merge", IE launched again. So that wasn't successful. Any ideas how to get that to work?

Also I could not delete the file: C:\WINDOWS\system32\CRYPYNET.dll --- it kept telling me that the file was in use and could not be deleted. (I was in Safe Mode). I've tried to get rid of this file multiple times to no avail.

I did the Trendmicro scan and that got rid of quite a few problems but I didn't know about the following. It said that it could not remove the infected part and a prompt asked if I wanted to remove the entire thing for these:

C:\WINDOWS\DocumentsandSettings\GatewayUser\LocalSettings\Temp\TH144F1.tmp\twaintec.cab'iA

C:\WINDOWS\DocumentsandSettings\GatewayUser\LocalSettings\Temp\TH144FB.tmp\polall1r.cab'iA

C:\WINDOWS\DocumentsandSettings\GatewayUser\LocalSettings\Temp\alchem.cab'iA

C:\WINDOWS\DocumentsandSettings\GatewayUser\LocalSettings\Temp\polmx.cab'iA

I didn't select yes because I wasn't sure, so just let me know if these are unimportant and could be completely deleted. Thanks.

JR


Logfile of HijackThis v1.98.2
Scan saved at 5:03:45 AM, on 11/7/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\HJT\HIJACK~2.SCR

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: crypynet - {942317CE-D52A-9056-F75E-B3810FCFA61E} - C:\WINDOWS\system32\CRYPYNET.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWE~1.SCR" /0
O4 - Global Startup: BTTray.lnk = C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {3CC943C7-3C99-11D4-8135-0050041A5144} (RunExeActiveX.UserControl1) - file://C:\Program Files\Gateway\HelpSpot\RunExeActiveX.CAB
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
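
An added example, not part of the thread and not HijackThis code: a small Python triage over lines in the HJT log format posted above, flagging the three kinds of entries the helper asked to have fixed (a BHO not on an allowlist, O6 IE policy restrictions, and O16 DPF objects that are unnamed or point at an .exe). The sample lines are copied from the log in this thread; the allowlist is an assumption and is empty here.

```python
import re

# Constructed sample in HijackThis log format: a handful of lines copied from
# the log posted in this thread, covering the entry types the helper acted on.
SAMPLE_LOG = r"""
O2 - BHO: crypynet - {942317CE-D52A-9056-F75E-B3810FCFA61E} - C:\WINDOWS\system32\CRYPYNET.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinst.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1044446.exe
"""

# CLSIDs of BHOs already vetted on this machine. This is an assumed,
# hypothetical allowlist (empty here), not anything HijackThis ships with.
KNOWN_GOOD_BHO = set()

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
DPF_RE = re.compile(r"DPF: \{[0-9A-Fa-f-]+\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")


def parse_hjt(text):
    """Split an HJT log into (section, body) pairs; non-entry lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(text):
    """Return (section, reason, body) for each entry a reviewer should look at."""
    findings = []
    for section, body in parse_hjt(text):
        if section == "O2":
            # Browser Helper Object: loaded into every IE process, so anything
            # not already vetted gets a second look.
            m = BHO_RE.match(body)
            if m and m.group("clsid").upper() not in KNOWN_GOOD_BHO:
                findings.append((section, "BHO not on the allowlist", body))
        elif section == "O6":
            # IE policy restrictions: only legitimate if the user, an admin or a
            # tool like SpywareBlaster set them deliberately.
            findings.append((section, "IE policy restriction present", body))
        elif section == "O16":
            # Downloaded Program Files (ActiveX). HJT shows a class name when the
            # control registered properly; a bare CLSID whose URL is a raw .exe
            # (the dialer in this log) has neither a class name nor a .cab.
            m = DPF_RE.match(body)
            if m and (not m.group("name") or m.group("url").lower().endswith(".exe")):
                findings.append((section, "unnamed or executable DPF object", body))
    return findings
```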

#10 Daisuke

    Cleaner on Duty

  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 07 November 2004 - 02:05 PM

Please go to the C:\WINDOWS\ folder.

Copy regedit.exe to your desktop.

Rename regedit.exe --> regedit.scr.

Run regedit.scr and navigate to and select the following key:
HKEY_CLASSES_ROOT\exefile\shell\open\command

Double-click the (Default) value in the right pane and copy the content. Post it here please.

#11 pustahw

  • Topic Starter
  • Members
  • 13 posts

Posted 08 November 2004 - 04:18 AM

I double-clicked and got a pop-up box called Edit String and this was the content of the Value Data line:

"%1" %*

Hope this is correct.

JR

#12 Daisuke

    Cleaner on Duty

  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 08 November 2004 - 05:44 AM

The value is OK.

Run regedit.scr, navigate to and select the following key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Right click the Explorer key (left pane) and select Export. Export the content to your desktop. Save the file as Explorer.txt.

Open Explorer.txt , copy and paste here the content please.

#13 pustahw

  • Topic Starter
  • Members
  • 13 posts

Posted 08 November 2004 - 09:21 PM

Here's the contents:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000



JR
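
An added example, not code from the thread: a Python check of the two things the helper asked to see in the last few posts, the exefile open command (clean only when it is exactly "%1" %*) and an exported Policies\Explorer key, parsed from the REGEDIT4 / Version 5.00 export format. The inputs are copied from the posts above; the list of shell lockdown policy names is my own and an assumption.

```python
import re

# Constructed inputs: the exefile open command and the Policies\Explorer
# export exactly as pasted in this thread.
EXEFILE_COMMAND = '"%1" %*'
EXPLORER_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000
"""

EXPLORER_POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Explorer policy values that lock the user out of parts of the shell. This is
# an assumed short list of my own, not something the thread enumerates.
LOCKDOWN_VALUES = {"NoRun", "NoFolderOptions", "NoViewContextMenu", "NoDesktop"}


def parse_reg_export(text):
    """Parse a REGEDIT4 / 'Version 5.00' export into {key: {name: value}}.
    dword values become ints, quoted strings are unescaped, others kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"(?P<name>[^"]+)"=(?P<val>.*)$', line)
            if not m:
                continue
            val = m.group("val")
            if val.startswith("dword:"):
                val = int(val[len("dword:"):], 16)
            elif val.startswith('"') and val.endswith('"'):
                val = val[1:-1].replace("\\\\", "\\")
            keys[current][m.group("name")] = val
    return keys


def exefile_command_is_clean(command):
    """True only for the stock handler '"%1" %*'. Anything else inserts another
    program in front of every .exe launch, which is why the helper asked for it."""
    return command.strip() == '"%1" %*'


def explorer_lockdown_values(keys):
    """Names of lockdown policies under Policies\\Explorer that are set non-zero."""
    policies = keys.get(EXPLORER_POLICY_KEY, {})
    return sorted(n for n, v in policies.items() if n in LOCKDOWN_VALUES and v)
```

On the export posted above this returns no lockdown values: only the two AutoRun settings are present, which is consistent with the helper moving on without asking for changes there.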

#14 Daisuke

    Cleaner on Duty

  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania

Posted 09 November 2004 - 04:00 AM

pustahw, you are getting help also @ techguy.org :thumbsup:

#15 pustahw

  • Topic Starter
  • Members
  • 13 posts

Posted 09 November 2004 - 04:33 AM

When I first got this problem I was told to post in a couple different forums to see who could help. I've posted updates in that forum but I've been following only the steps in this one to fix my computer cause this one has provided the best help.