Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Dr.webservicehosts


  • Please log in to reply
1 reply to this topic

#1 drtjmich

drtjmich

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:53 AM

Posted 20 March 2006 - 09:04 AM

Logfile of HijackThis v1.99.1
Scan saved at 8:13:04 PM, on 3/18/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\system32\mgabg.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\ScsiAccess.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINNT\system32\PDesk\PDesk.exe
C:\WINNT\SYSTEM32\3cmlink.exe
C:\WINNT\SYSTEM32\3cshtdwn.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\SYSTEM32\3cmlink.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\U.S. Robotics\U.S. Robotics Internet Call Notification\CallWaiting.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\wuauclt.exe
G:\downloaded files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = about:blank
R3 - URLSearchHook: (no name) - _{87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINNT\enhtb.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ICQ Net] C:\WINNT\winlogon.exe -stealth
O4 - HKLM\..\Run: [JavaVM] C:\WINNT\java.exe
O4 - HKLM\..\Run: [Services] C:\WINNT\services.exe
O4 - HKLM\..\Run: [Enh Win Updt] C:\WINNT\enhupdt.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [3c1807pd] C:\WINNT\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [\Pribi.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: Instant Update Reminder.lnk = C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: U.S. Robotics Internet Call Notification.lnk = C:\Program Files\U.S. Robotics\U.S. Robotics Internet Call Notification\CallWaiting.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm006
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {56C9629A-C33F-11D3-BBFB-00105A1FAD68} - http://www.eyetide.com/download//223/Eyetide%20Installer.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} - http://curley.ciena.com:8100/jinitiator/oajinit.exe
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.15.44/ttinst.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {F0FCC76D-767E-4759-A447-62289CA775AA} (Coreport SSO Client) - http://client.dbm.com/v51/ie/controls/CoreportSsoClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6494D19-9A74-4D20-BFD4-1790F6B4FE0E}: Domain = ciena.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ciena.com,bcpl.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ciena.com,bcpl.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ciena.com,bcpl.net
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\system32\mgabg.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\System32\ScsiAccess.EXE

BC AdBot (Login to Remove)

 


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:02:53 AM

Posted 26 March 2006 - 03:31 PM

Hello drtjmich and welcome to the BC HijackThis forum. After reviewing your log I see a few items that require our attention.

Please print out or copy this page to Notepad . Make sure to work through the steps in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fix.
  • Download DSRFIX©Atribune and save it to your Desktop.
    • Unzip and EXTRACT the files to your Desktop.
    • The program creates and names the new folder to house the files.
    • DO NOT RUN IT YET
  • Download Cleanup and save it to your Desktop.
    • On your Desktop, click on Cleanup40.exe icon.
    • Then, click RUN and place a checkmark beside "I Agree".
    • Then click NEXT followed by START and OK.
    • A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
    • Click OK.
    • DO NOT RUN IT YET[/b].
  • CLOSE INTERNET EXPLORER, if it is open.
  • Open the folder dsrfix.
    • Double click on the dsrfix.bat file( the one with the little gear in it ).
    • Once dsrfix has completed it will close on its own.
  • Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = about:blank
    R3 - URLSearchHook: (no name) - _{87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
    O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINNT\enhtb.dll
    O2 - BHO: (no name) - {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - (no file)
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [ICQ Net] C:\WINNT\winlogon.exe -stealth
    O4 - HKLM\..\Run: [JavaVM] C:\WINNT\java.exe
    O4 - HKLM\..\Run: [Services] C:\WINNT\services.exe
    O4 - HKLM\..\Run: [Enh Win Updt] C:\WINNT\enhupdt.exe
    O4 - HKCU\..\Run: [\Pribi.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.exe
    O4 - Startup: PowerReg Scheduler.exe
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm006

    Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.
  • Delete these files/folders:C:\WINNT\enhtb.dll
    C:\WINNT\winlogon.exe
    C:\WINNT\java.exe
    C:\WINNT\services.exe
    C:\WINNT\enhupdt.exe
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\Pribi\ <--folder
  • Start Cleanup.
    • Click on the "Cleanup" button and let it run.
    • Once its done, close the program.
  • OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.
OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users