Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijack this log: please help


  • Please log in to reply
3 replies to this topic

#1 dongottiex

dongottiex

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:02:27 AM

Posted 18 November 2004 - 09:50 PM

Logfile of HijackThis v1.98.2
Scan saved at 9:27:22 PM, on 11/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\systime.exe
C:\WINDOWS\System32\bgcpsp79.exe
C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\systime.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\MSN\MSNCoreFiles\MSN6.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Gottie\Application Data\Mozilla\Profiles\default\2sd798vr.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Gottie\Application Data\Mozilla\Profiles\default\2sd798vr.slt\prefs.js)
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\B1F6GW~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKLM\..\Run: [3SCePo] C:\documents and settings\gottie\local settings\temp\3SCePo.exe
O4 - HKLM\..\Run: [qyxcwAf] C:\documents and settings\gottie\local settings\temp\qyxcwAf.exe
O4 - HKLM\..\Run: [957f1d17571a] C:\WINDOWS\System32\bgcpsp79.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe /autorun
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Gottie\Application Data\ttuh.exe
O4 - HKCU\..\Run: [Cnvwycj] C:\WINDOWS\System32\??oolsv.exe
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Global Startup: winlogin.exe
O9 - Extra button: Corel Network monitor worker - {8BD39FDB-70EB-4AF7-BBCD-F727C976EAAC} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {8BD39FDB-70EB-4AF7-BBCD-F727C976EAAC} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O9 - Extra button: Corel Network monitor worker - {8BD39FDB-70EB-4AF7-BBCD-F727C976EAAC} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {8BD39FDB-70EB-4AF7-BBCD-F727C976EAAC} - (no file) (HKCU)
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: v3cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {0C20F2D1-E472-10C3-65CC-298D7977202F} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://69.31.85.151/G7/chm9.chm::/file1.exe
O16 - DPF: {10DEB9F3-6069-0341-4956-71D8252100B3} - http://69.50.188.54/1/gdnUS208.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...edceabcca450006
O16 - DPF: {164564CE-3B28-7C90-E89C-66786C8845BD} - http://69.50.188.54/1/gdnUS208.exe
O16 - DPF: {30F49EF3-9175-1B20-68C0-72652413AE17} - http://69.50.188.54/1/gdnUS208.exe
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://mail-lc-8.fordham.edu/iNotes6.cab
O16 - DPF: {422CD8F7-8AB0-3773-0FE6-440762FAD063} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...72/mcinsctl.cab
O16 - DPF: {6E1396D2-5FEF-7D8B-D9D6-2DDC2AD274EC} - http://69.50.188.54/1/gdnUS208.exe
O16 - DPF: {743D5743-6031-4B26-6B29-391377D0A9D5} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {7537465D-3BD5-3542-F40D-47456D37A684} - http://69.50.188.54/1/gdnUS208.exe
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,15/mcgdmgr.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O19 - User stylesheet: (file missing)
O20 - AppInit_DLLs: 8yg99tcy4yb.dll


I know that i have coolwebseach and also cws swapx harming my computer but before i try and remove things myself i was wondering if anyone in this forum could advise me on where to begin.
thank you

-dongottiex-

BC AdBot (Login to Remove)

 


m

#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,395 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:27 AM

Posted 18 November 2004 - 11:08 PM

Download killbox here:

KillBox


Unzip the folder to your desktop.

Start Killbox.exe

When it is open, enter c:\windows\system32\8yg99tcy4yb.dll into the field labeled "Full path of file to delete".

Select the Delete on reboot option.

Then press the button that looks like a red circle with a white X in it.

Your computer will reboot and check to see if the file is gone.

I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\B1F6GW~1.DLL
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - HKLM\..\Run: [3SCePo] C:\documents and settings\gottie\local settings\temp\3SCePo.exe
O4 - HKLM\..\Run: [qyxcwAf] C:\documents and settings\gottie\local settings\temp\qyxcwAf.exe
O4 - HKLM\..\Run: [957f1d17571a] C:\WINDOWS\System32\bgcpsp79.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Gottie\Application Data\ttuh.exe
O4 - HKCU\..\Run: [Cnvwycj] C:\WINDOWS\System32\??oolsv.exe
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\System32\systime.exe
O4 - Global Startup: winlogin.exe
O9 - Extra button: Corel Network monitor worker - {8BD39FDB-70EB-4AF7-BBCD-F727C976EAAC} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {8BD39FDB-70EB-4AF7-BBCD-F727C976EAAC} - (no file)
O9 - Extra button: Corel Network monitor worker - {8BD39FDB-70EB-4AF7-BBCD-F727C976EAAC} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {8BD39FDB-70EB-4AF7-BBCD-F727C976EAAC} - (no file) (HKCU)
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: v3cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {0C20F2D1-E472-10C3-65CC-298D7977202F} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://69.31.85.151/G7/chm9.chm::/file1.exe
O16 - DPF: {10DEB9F3-6069-0341-4956-71D8252100B3} - http://69.50.188.54/1/gdnUS208.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...edceabcca450006
O16 - DPF: {164564CE-3B28-7C90-E89C-66786C8845BD} - http://69.50.188.54/1/gdnUS208.exe
O16 - DPF: {30F49EF3-9175-1B20-68C0-72652413AE17} - http://69.50.188.54/1/gdnUS208.exe
O16 - DPF: {422CD8F7-8AB0-3773-0FE6-440762FAD063} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {6E1396D2-5FEF-7D8B-D9D6-2DDC2AD274EC} - http://69.50.188.54/1/gdnUS208.exe
O16 - DPF: {743D5743-6031-4B26-6B29-391377D0A9D5} - http://213.159.117.150/1/rdgUS10.exe
O16 - DPF: {7537465D-3BD5-3542-F40D-47456D37A684} - http://69.50.188.54/1/gdnUS208.exe
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O19 - User stylesheet: (file missing)
O20 - AppInit_DLLs: 8yg99tcy4yb.dll
Reboot your computer into Safe Mode

Then delete these files or directories (Do not be concerned if they do not exist)


C:\WINDOWS\System32\systime.exe
C:\documents and settings\gottie\local settings\temp\3SCePo.exe
C:\documents and settings\gottie\local settings\temp\qyxcwAf.exe
C:\WINDOWS\System32\bgcpsp79.exe
C:\Documents and Settings\Gottie\Application Data\ttuh.exe
c:\windows\system32\8yg99tcy4yb.dll

Reboot your computer to go back to normal mode and post a new log.

#3 dongottiex

dongottiex
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:02:27 AM

Posted 22 November 2004 - 06:14 PM

I did everything you told me to do and then scanned again. I don't know if the CWS is gone but it seems that some harmful files are still on my computer. They even installed some shortcut on my desktop titled "SEXXX". Do you know how to get rid of that also. Thanks for all your help.
Here is my new log:

Logfile of HijackThis v1.98.2
Scan saved at 6:08:42 PM, on 11/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\pctspk.exe
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
C:\WINDOWS\System32\ukbl62k32p2mthd.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Gottie\Application Data\Mozilla\Profiles\default\2sd798vr.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Gottie\Application Data\Mozilla\Profiles\default\2sd798vr.slt\prefs.js)
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe /autorun
O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\ukbl62k32p2mthd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: D-Link AirPlus G Configuration Utility.lnk = ?
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Global Startup: winlogin.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://mail-lc-8.fordham.edu/iNotes6.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...72/mcinsctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,15/mcgdmgr.cab
O20 - AppInit_DLLs: 9u9x8bb7rgr5hvdll.dll.dll

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,395 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:27 AM

Posted 23 November 2004 - 01:27 AM

Print out these instructions as I do not want you starting IE until they are done


Note, please read this carefully, as the steps do repeat a few times, but the last step does change a bit

Download killbox here:

KillBox


Unzip the folder to your desktop.


Reboot into safe mode .

Start Killbox.exe

Select the Delete on reboot option.


In the field labeled "Full path of file to delete" enter C:\WINDOWS\System32\W8C6S4~1.DLL
Then press the button that looks like a red circle with a white X in it.

When it asks if you would like to Reboot now, press the NO button.


Next In the field labeled "Full path of file to delete" enter C:\WINDOWS\System32\ukbl62k32p2mthd.exe
Then press the button that looks like a red circle with a white X in it.

When it asks if you would like to Reboot now, press the NO button.


Next In the field labeled "Full path of file to delete" enter c:\windows\system32\9u9x8bb7rgr5hvdll.dll.dll

Then press the button that looks like a red circle with a white X in it.

When it asks if you would like to Reboot now, press the YES button.


Your computer will now reboot and check to see if the file is gone.


When it reboots, fix these entries in hijackthis:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\ukbl62k32p2mthd.exe
O4 - Global Startup: winlogin.exe
O20 - AppInit_DLLs: 9u9x8bb7rgr5hvdll.dll.dll

Reboot and post a new log




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users