Pc Infected Big Time !help!


15 replies to this topic

#1 nisthana


Posted 17 May 2006 - 02:36 AM

My PC has been infected terribly. I have no way to clean it other than to re-install the OS. I have tried Windows Spyware, Ad-Aware, Spybot, CW, but the trojans and spyware never give up. I recently deleted SideKick using instructions on this site, but it came right back. I keep getting threats from Window Anti Spyware that the Monnet trojan and DotNet are trying to install, etc.
My HijackThis log is attached. I am desperate, so any help would be appreciated.


Logfile of HijackThis v1.99.1
Scan saved at 12:29:07 AM, on 5/17/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\xyrqb.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,jtxulcf.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\nishant1\Application Data\Mozilla\Profiles\default\cg6pmgua.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\nishant1\Application Data\Mozilla\Profiles\default\cg6pmgua.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [NPS Event Checker] D:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [WinampAgent] d:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Rdwl] C:\windows\Rdwl.exe
O4 - HKLM\..\Run: [C] C:\windows\C.exe
O4 - HKLM\..\Run: [9482db9e8e24] C:\WINNT\system32\commdlg3.exe
O4 - HKLM\..\Run: [vidmon] C:\WINNT\system32\vidmon\vidmon.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [defender] c:\\defender20.exe
O4 - HKLM\..\Run: [keyboard] c:\\keyboard20.exe
O4 - HKLM\..\Run: [newname] c:\\newname20.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINNT\CheckS02.exe
O4 - HKLM\..\Run: [w0281013.dll] RUNDLL32.EXE w0281013.dll,I2 000d811700281013
O4 - HKLM\..\Run: [pop06apelt] C:\WINNT\thiselt.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINNT\system32\owinmqaf.exe FI002
O4 - HKLM\..\Run: [ms067740115542] C:\WINNT\ms067740115542.exe
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\hoambv.exe reg_run
O4 - HKLM\..\Run: [{E6-6D-D9-9C-ZN}] C:\winnt\system32\pldsregj.exe FI002
O4 - HKLM\..\Run: [ms044277401155] C:\WINNT\ms044277401155.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Wky] C:\WINNT\system32\??oolsv.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [mmqf] C:\PROGRA~1\COMMON~1\mmqf\mmqfm.exe
O4 - HKCU\..\Run: [websct] C:\WINNT\system32\websct.exe
O4 - HKCU\..\Run: [Noso] "C:\DOCUME~1\nishant1\MYDOCU~1\DOBE~1\winlogon.exe" -vt rbnd
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: HotSync Manager.lnk = D:\Palm\HOTSYNC.EXE
O4 - Startup: Zeno.lnk = C:\WINNT\system32\owinmqaf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = D:\Program Files\Navnt\navapw32.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Subscribe to this feed - file://C:\Documents and Settings\nishant1\Application Data\AOL Fanfare\subscribe.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\samnsp.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://webwork-rhv.corp.ebay.com/dana-cach...oterisSetup.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/214f0eb8a55eb7a9d704/...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) -
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - https://webwork-rhv.corp.ebay.com/msrdp.cab....corp.ebay.com+
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_1us.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E80ACD87-E7EE-46C4-AFAE-6DEFF2E1703F} - http://sbs-rel.nscp.aoltw.net/share/builds...ll-internal.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://download.winfixer.com/files/install...nnerInstall.cab
O20 - AppInit_DLLs: repairs303169587.dll
O20 - Winlogon Notify: Applets - C:\WINNT\system32\s088lalu1dq8.dll
O20 - Winlogon Notify: Uninstall - C:\WINNT\system32\ktrol7931.dll (file missing)
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\bmlzaGFudA\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: NAV Alert - Symantec Corporation - D:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - D:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - D:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - D:\PROGRA~1\NTS\ENTERN~1\app\pppoeservice.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe
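
As an added illustration (not code from this thread, from HijackThis or from the helper), the checks below read HijackThis v1.99.1 log lines like the ones posted above and flag the entry types that drive the clean-up later in the thread: the extra programs appended to the F2 Shell/UserInit values, Run entries living in a drive root or the Windows directory or named after a system DLL, Trusted Zone sites, AppInit_DLLs and dangling Winlogon Notify hooks, Winsock LSP changes, and services with no vendor. The sample lines are copied from the log above (plus two benign entries for contrast); the heuristics, function names and wording of the findings are my own assumptions, not HijackThis rules.

```python
import ntpath
import re
from typing import List, Optional, Tuple

# Constructed sample: entries copied from the HijackThis v1.99.1 log in the
# post above, plus two benign entries (SunJavaUpdateSched, NAV Alert).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\xyrqb.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,jtxulcf.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [defender] c:\\defender20.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\hoambv.exe reg_run
O15 - Trusted Zone: *.elitemediagroup.net
O20 - AppInit_DLLs: repairs303169587.dll
O20 - Winlogon Notify: Uninstall - C:\WINNT\system32\ktrol7931.dll (file missing)
O23 - Service: NAV Alert - Symantec Corporation - D:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\bmlzaGFudA\command.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<key>.*?): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|com|scr|bat|pif|cmd))(?:\s|$)', re.I)

# The single program each system.ini-style key should launch (assumption).
F2_EXPECTED = {"shell": "explorer.exe", "userinit": "userinit.exe"}

Finding = Tuple[str, str, str]  # (section, reason, original line)


def first_program(cmd: str) -> str:
    """Pull the executable out of a Run-key command line (quoted or not)."""
    m = EXE_RE.match(cmd)
    if m:
        return m.group(1) or m.group(2)
    tokens = cmd.split()
    return tokens[0] if tokens else cmd


def lives_in_root(exe: str) -> bool:
    """True when the file sits directly in a drive root or the Windows directory."""
    drive, rest = ntpath.splitdrive(ntpath.dirname(exe))
    return bool(drive) and rest.strip("\\").lower() in ("", "winnt", "windows")


def check_f2(body: str) -> Optional[str]:
    # body looks like: REG:system.ini: Shell=Explorer.exe, C:\...\xyrqb.exe
    parts = body.split(": ", 1)
    if len(parts) < 2:
        return None
    key, _, value = parts[1].partition("=")
    want = F2_EXPECTED.get(key.strip().lower())
    programs = [p.strip() for p in value.split(",") if p.strip()]
    if want and (len(programs) != 1 or ntpath.basename(programs[0]).lower() != want):
        return f"{key} launches {', '.join(programs)} instead of only {want}"
    return None


def check_o4(body: str) -> Optional[str]:
    m = O4_RE.match(body)
    if not m:
        return None
    label, exe = m.group("label"), first_program(m.group("cmd"))
    if lives_in_root(exe):
        return f"autostart '{label}' runs {exe} from a drive root or the Windows directory"
    if label.lower().endswith(".dll") and not exe.lower().endswith(".dll"):
        return f"autostart '{label}' is named like a system DLL but runs {exe}"
    return None


def check_o20(body: str) -> Optional[str]:
    if body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        return "AppInit_DLLs is populated; that DLL is loaded into every user32-linked process"
    if body.startswith("Winlogon Notify:") and "(file missing)" in body:
        return "Winlogon Notify package points at a missing DLL (leftover hook)"
    return None


def triage_line(line: str) -> Optional[Finding]:
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    reason = None
    if sec == "F2":
        reason = check_f2(body)
    elif sec == "O4":
        reason = check_o4(body)
    elif sec == "O10" and ("Hijacked" in body or "Unknown file" in body):
        reason = "Winsock LSP chain altered; deleting the DLL without repairing the chain breaks networking"
    elif sec == "O15":
        reason = "site added to the IE Trusted Zone, which relaxes ActiveX and scripting restrictions"
    elif sec == "O20":
        reason = check_o20(body)
    elif sec == "O23" and "Unknown owner" in body:
        reason = "service with no vendor information"
    return (sec, reason, line.strip()) if reason else None


def triage_log(text: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for sec, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n      {line}")
```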



#2 miekiemoes


Posted 17 May 2006 - 07:18 AM

Hello,

I see you posted your log from safe mode. Please reboot back to normal mode to perform the instructions, because some of them need an internet connection.

It is really important that you perform the next instructions in the right order without missing any step!


Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK.
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button. Your desktop icons will disappear; this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

After reboot, go to start > control panel > software > add/remove programs and uninstall the following if present:

Network Monitor
Surfsidekick
Command
Zenosearch
OINS
Purityscan
NewDotNet /NewNet


Most of these uninstalls require a reboot to get removed properly, so it is important that you reboot every time.

After reboot,

* Download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by double-clicking BFU.exe

Next to the 'scriptfile to execute' window you'll see a little icon (shown in a picture in the original post, not included here).
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste the following URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.

Extra note:
If nothing really happens after pressing the Execute button, this means that the script didn't download. In that case, download the script (alcanshorty.bfu) manually from the above URL (right-click on it, choose 'save as' and save it in your BFU folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute' window.
Browse to the script you downloaded, click Ok and then Execute in Brute Force Uninstaller.


Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.
  • Download qoofix.bat (right-click on this link and choose save as)
  • Place qoofix.bat in your C:\BFU folder. (Important!)
  • Double-click qooFix.bat and close all browsers and Explorer folders.
  • Choose option 1 (Qoolfix autofix) and follow the prompts.
  • Please be patient, it will take about five minutes.
* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
* Perform an online scan with Panda (please use this scanner instead of any other scanner!):
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report together with the contents of Look2Me-Destroyer.txt present on your desktop and a new HijackThis log.


AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 nisthana


Posted 17 May 2006 - 04:25 PM

Look2Me-Destroyer.exe does not come up after 1 min; it never comes up after the initial screen. I rebooted and tried again, same thing. I have millions of processes running as soon as the PC boots up, due to this spyware. Could that be a reason why it doesn't come up?

#4 miekiemoes


Posted 17 May 2006 - 04:35 PM

Well, perform the rest of my steps then and try Look2Me-Destroyer again afterwards, before running the Panda online scan.
If it still doesn't work, perform the Panda online scan and post the logs I asked for. Then we'll see where we stand.

#5 nisthana


Posted 17 May 2006 - 10:16 PM

I tried Look2Me and it worked this time. So I followed all instructions in order.
The Panda scan found 300 spyware items, but I was unable to get the log file. When I clicked on "Get Report" it said it's checking the internet connection and it can take a minute; it hasn't returned yet (as I type).
Pasting logs. Thanks for helping out.

------------------------------------------------------------------------------
Look2Me log
------------------------------------------------------------------------------
Look2Me-Destroyer V1.0.12


Scanning for infected files.....
Scan started at 5/17/2006 4:31:04 PM

Infected! C:\WINNT\system32\lvj6091se.dll
Infected! C:\WINNT\system32\ktrol7931.dll
Infected! C:\WINNT\system32\winmp32.dll
Infected! C:\WINNT\system32\nytdtect.dll
Infected! C:\WINNT\system32\itssuba.dll
Infected! C:\WINNT\system32\irxrtmgr.dll
Infected! C:\WINNT\system32\dmcprop.dll
Infected! C:\WINNT\system32\ltghours.dll
Infected! C:\WINNT\system32\utbui.dll
Infected! C:\WINNT\system32\n2n6lc5s1f.dll
Infected! C:\WINNT\system32\fplm0331e.dll
Infected! C:\WINNT\system32\lvj6091se.dll
Infected! C:\WINNT\system32\s6pulg7916.dll
Infected! C:\WINNT\system32\wGvemsp.dll
Infected! C:\WINNT\system32\guard.tmp

Attempting to delete infected files...

Attempting to delete: C:\WINNT\system32\lvj6091se.dll
C:\WINNT\system32\lvj6091se.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\winmp32.dll
C:\WINNT\system32\winmp32.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\nytdtect.dll
C:\WINNT\system32\nytdtect.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\itssuba.dll
C:\WINNT\system32\itssuba.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\irxrtmgr.dll
C:\WINNT\system32\irxrtmgr.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\dmcprop.dll
C:\WINNT\system32\dmcprop.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\ltghours.dll
C:\WINNT\system32\ltghours.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\utbui.dll
C:\WINNT\system32\utbui.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\n2n6lc5s1f.dll
C:\WINNT\system32\n2n6lc5s1f.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\fplm0331e.dll
C:\WINNT\system32\fplm0331e.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\lvj6091se.dll
C:\WINNT\system32\lvj6091se.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\s6pulg7916.dll
C:\WINNT\system32\s6pulg7916.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\wGvemsp.dll
C:\WINNT\system32\wGvemsp.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\guard.tmp
C:\WINNT\system32\guard.tmp Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Uninstall

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{86FF5796-6D7E-438D-85A2-5F2DBDFAEC1E}"
HKCR\Clsid\{86FF5796-6D7E-438D-85A2-5F2DBDFAEC1E}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

------------------------------------------------------------------------------
Hijack This Log
------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 8:06:29 PM, on 5/17/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
D:\PROGRA~1\Navnt\navapsvc.exe
D:\PROGRA~1\Navnt\npssvc.exe
D:\PROGRA~1\NTS\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
D:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\??oolsv.exe
C:\Program Files\Symantec\SYMEVENT.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\DOCUME~1\nishant1\MYDOCU~1\DOBE~1\winlogon.exe
D:\Program Files\Navnt\navapw32.exe
C:\bfu\BFU.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\xyrqb.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,jtxulcf.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\nishant1\Application Data\Mozilla\Profiles\default\cg6pmgua.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\nishant1\Application Data\Mozilla\Profiles\default\cg6pmgua.slt\prefs.js)
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINNT\system32\owinmqaf.exe FI002
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Wky] C:\WINNT\system32\??oolsv.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [mmqf] C:\PROGRA~1\COMMON~1\mmqf\mmqfm.exe
O4 - HKCU\..\Run: [Noso] "C:\DOCUME~1\nishant1\MYDOCU~1\DOBE~1\winlogon.exe" -vt rbnd
O4 - Startup: HotSync Manager.lnk = D:\Palm\HOTSYNC.EXE
O4 - Startup: Zeno.lnk = C:\WINNT\system32\owinmqaf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = D:\Program Files\Navnt\navapw32.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Subscribe to this feed - file://C:\Documents and Settings\nishant1\Application Data\AOL Fanfare\subscribe.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://webwork-rhv.corp.ebay.com/dana-cach...oterisSetup.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/214f0eb8a55eb7a9d704/...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...icro.com/housecall/xscan53.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) -
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - https://webwork-rhv.corp.ebay.com/msrdp.cab....corp.ebay.com+
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E80ACD87-E7EE-46C4-AFAE-6DEFF2E1703F} - http://sbs-rel.nscp.aoltw.net/share/builds...ions/fanfare/r07_beta2/Windows/fanfare/en/af-install-internal.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://download.winfixer.com/files/install...5ScannerInstall.cab
O20 - AppInit_DLLs: iniwin32.dll
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NAV Alert - Symantec Corporation - D:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - D:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - D:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - D:\PROGRA~1\NTS\ENTERN~1\app\pppoeservice.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe

#6 miekiemoes


Posted 18 May 2006 - 12:31 AM

Hello,

Your log is almost impossible to read, so in Notepad:
at the top, click Format > uncheck Word Wrap.

Go to start > control panel and uninstall the following programs if present:

OINS
Purityscan
NewDotNet


Reboot afterwards.

In case OINS and Purityscan are not listed there, download and use the following uninstaller:
http://www.outerinfo.com/OiUninstaller.exe

In case NewDotNet or New.Net is not listed there, download and use the following uninstaller:
http://www.new.net/support/uninstall6_90.exe

Reboot afterwards... really important!!

Then open Notepad and copy and paste the following (shown in bold in the original post) into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="iniwin32.dllxxx"

[-HKEY_CLASSES_ROOT\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6}]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]


Save this as fix.reg, choosing to save as *all files, and place it on your desktop.
It should look like this: (screenshot from the original post, not included here)
Double-click on it and when it asks you if you want to merge the contents into the registry, click yes/ok.

Then perform this step again... because I think you missed that part, or didn't perform it properly:
  • Download qoofix.bat (right-click on this link and choose save as)
  • Place qoofix.bat in your C:\BFU folder. (Important!)
  • Double-click qooFix.bat and close all browsers and Explorer folders.
  • Choose option 1 (Qoolfix autofix) and follow the prompts.
  • Please be patient, it will take about five minutes.
  • After the PC has restarted please post another hijackthis log.


#7 nisthana


Posted 18 May 2006 - 02:19 AM

I did all the instructions this time. I installed "SpywareBlaster" and "Avast", which are recommended on this site. After I ran the uninstaller for OINS and New.net, my PC is unable to connect to the internet. I have 3 computers and all but the infected one are now offline. I can ping my router and the PC has a valid IP address too. I can ping the PC from my laptop. Looks like the browsers are screwed up somehow. Do you have any idea?

Logs attached (I turned off Word Wrap. Somehow I thought word wrapping was preferred by many :-))

----------------------------------------------------------------------------------------------------------
Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 5/17/2006 4:31:04 PM

Infected! C:\WINNT\system32\lvj6091se.dll
Infected! C:\WINNT\system32\ktrol7931.dll
Infected! C:\WINNT\system32\winmp32.dll
Infected! C:\WINNT\system32\nytdtect.dll
Infected! C:\WINNT\system32\itssuba.dll
Infected! C:\WINNT\system32\irxrtmgr.dll
Infected! C:\WINNT\system32\dmcprop.dll
Infected! C:\WINNT\system32\ltghours.dll
Infected! C:\WINNT\system32\utbui.dll
Infected! C:\WINNT\system32\n2n6lc5s1f.dll
Infected! C:\WINNT\system32\fplm0331e.dll
Infected! C:\WINNT\system32\lvj6091se.dll
Infected! C:\WINNT\system32\s6pulg7916.dll
Infected! C:\WINNT\system32\wGvemsp.dll
Infected! C:\WINNT\system32\guard.tmp

Attempting to delete infected files...

Attempting to delete: C:\WINNT\system32\lvj6091se.dll
C:\WINNT\system32\lvj6091se.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\winmp32.dll
C:\WINNT\system32\winmp32.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\nytdtect.dll
C:\WINNT\system32\nytdtect.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\itssuba.dll
C:\WINNT\system32\itssuba.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\irxrtmgr.dll
C:\WINNT\system32\irxrtmgr.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\dmcprop.dll
C:\WINNT\system32\dmcprop.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\ltghours.dll
C:\WINNT\system32\ltghours.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\utbui.dll
C:\WINNT\system32\utbui.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\n2n6lc5s1f.dll
C:\WINNT\system32\n2n6lc5s1f.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\fplm0331e.dll
C:\WINNT\system32\fplm0331e.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\lvj6091se.dll
C:\WINNT\system32\lvj6091se.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\s6pulg7916.dll
C:\WINNT\system32\s6pulg7916.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\wGvemsp.dll
C:\WINNT\system32\wGvemsp.dll Deleted successfully!

Attempting to delete: C:\WINNT\system32\guard.tmp
C:\WINNT\system32\guard.tmp Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Uninstall

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{86FF5796-6D7E-438D-85A2-5F2DBDFAEC1E}"
HKCR\Clsid\{86FF5796-6D7E-438D-85A2-5F2DBDFAEC1E}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded
----------------------------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 12:13:37 AM, on 5/18/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
D:\PROGRA~1\Navnt\navapsvc.exe
D:\PROGRA~1\Navnt\npssvc.exe
D:\PROGRA~1\NTS\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\PROGRA~1\Navnt\alertsvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spyware Doctor\swdoctor.exe
D:\Program Files\Navnt\navapw32.exe
D:\Palm\HOTSYNC.EXE
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\nishant1\Application Data\Mozilla\Profiles\default\cg6pmgua.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\nishant1\Application Data\Mozilla\Profiles\default\cg6pmgua.slt\prefs.js)
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINNT\system32\owinmqaf.exe FI002
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [mmqf] C:\PROGRA~1\COMMON~1\mmqf\mmqfm.exe
O4 - Startup: HotSync Manager.lnk = D:\Palm\HOTSYNC.EXE
O4 - Startup: Zeno.lnk = C:\WINNT\system32\owinmqaf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = D:\Program Files\Navnt\navapw32.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Subscribe to this feed - file://C:\Documents and Settings\nishant1\Application Data\AOL Fanfare\subscribe.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://webwork-rhv.corp.ebay.com/dana-cach...oterisSetup.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/214f0eb8a55eb7a9d704/...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) -
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - https://webwork-rhv.corp.ebay.com/msrdp.cab....corp.ebay.com+
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E80ACD87-E7EE-46C4-AFAE-6DEFF2E1703F} - http://sbs-rel.nscp.aoltw.net/share/builds...ll-internal.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://download.winfixer.com/files/install...nnerInstall.cab
O20 - AppInit_DLLs: iniwin32.dllxxx
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NAV Alert - Symantec Corporation - D:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - D:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - D:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - D:\PROGRA~1\NTS\ENTERN~1\app\pppoeservice.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 18 May 2006 - 06:21 AM

The reason why your PC is unable to connect to the internet is most probably the NewDotNet uninstaller and an antivirus and/or antispyware scanner interfering with it, so it corrupted your LSP, as I see here in your log:
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing

To fix it, use the uninstaller from NewDotNet again:
http://www.new.net/support/uninstall6_90.exe
(make sure your antivirus or another scanner is not deleting it or interfering here)
If that doesn't work, *Download WinsockFix to your healthy computer. Transfer it to your bad computer using a USB stick or CD-ROM.
Place it on your desktop.
Start Winsockfix.exe and click "Reg backup"
Your current registry will be saved in the folder "ERDNT"
Then click FIX
Your system will reboot.

But.. I also have to tell you here, I see you have installed another antivirus while Norton was already present...
Never install more than one antivirus scanner or firewall on your system! Several together can give problems, cause a serious system slowdown, are not compatible and seriously decrease the reliability of it!

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINNT\system32\owinmqaf.exe FI002
O4 - HKCU\..\Run: [mmqf] C:\PROGRA~1\COMMON~1\mmqf\mmqfm.exe
O4 - Startup: Zeno.lnk = C:\WINNT\system32\owinmqaf.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://webwork-rhv.corp.ebay.com/dana-cach...oterisSetup.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/214f0eb8a55eb7a9d704/...ip/RdxIE601.cab
O16 - DPF: {E80ACD87-E7EE-46C4-AFAE-6DEFF2E1703F} - http://sbs-rel.nscp.aoltw.net/share/builds...ll-internal.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://download.winfixer.com/files/install...nnerInstall.cab
O20 - AppInit_DLLs: iniwin32.dllxxx


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!


* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\Program Files\E2G <== folder
C:\WINNT\system32\owinmqaf.exe
C:\PROGRAM Files\COMMON Files\mmqf <== folder
C:\WINNT\system32\owinmqaf.exe
C:\Windows\system32\iniwin32.dll

Update your Sun Java, because you have a vulnerable version installed:
Updating Java:
  • Go to Start > Control Panel double-click on the Software icon > add/remove programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
    It should have the following icon next to it: [Java icon image]
    Select it and click Remove.
  • Then download and install the newest version from here: http://www.java.com/en/download/manual.jsp
Perform the next step again as well..
* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Strange concerning the Panda scan and log, seen it before today (I'll have to check that myself), so try this online scanner instead:
Please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE, then click "OK"
7. Select a target to scan: Click on "My Computer"
8. When the scan is complete choose to save the results as "Save as Text"
9. Post the Kaspersky scan results in your next reply together with a new HijackThis log.

Edited by miekiemoes, 18 May 2006 - 06:22 AM.

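An added example (not code from this thread, from BleepingComputer or from HijackThis itself): a small Python triage script that applies the checks miekiemoes walks through above to a HijackThis v1.99 log. It flags registrations that point at files which no longer exist ("(no file)" / "(file missing)"), the O10 broken-LSP line, any O15 Trusted Zone entry, a non-empty O20 AppInit_DLLs value, O16 ActiveX packages served from a host that was also added to the Trusted zone, and O4 images registered in more than one autostart location. The sample log is a constructed subset of the log posted earlier in the thread; the regexes, the `triage` function and its flagging rules are the example's own heuristics, not HijackThis behaviour.

```python
"""Triage a HijackThis v1.99 log for the entry types a malware-response
helper looks at first.  Added example; the flagging rules are heuristics
of this example, not anything HijackThis itself does."""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis v1.99.1 log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINNT\system32\owinmqaf.exe FI002
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Zeno.lnk = C:\WINNT\system32\owinmqaf.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet7_22.dll' missing
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O20 - AppInit_DLLs: iniwin32.dllxxx
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


@dataclass
class Finding:
    section: str  # HijackThis section id, e.g. "O10"
    reason: str   # why the entry deserves a look
    line: str     # the original log line


# "O4 - HKLM\..\Run: [name] path" -> section id and the rest of the line
SECTION_RE = re.compile(r"^(?P<sec>[RNOF]\d+)\s+-\s+(?P<body>.*)$")
# HijackThis marks dangling registrations with one of these suffixes
MISSING_RE = re.compile(r"\((no file|file missing)\)\s*$")
# O4 entries carry the image path after "[name] " or "= ", optionally quoted
O4_IMAGE_RE = re.compile(r"(?:\]\s+|=\s+)\"?([A-Za-z]:\\[^\"]+?\.(?:exe|dll|scr|com))\"?", re.I)


def parse(log: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (section, body, raw_line) for every HijackThis entry line."""
    for raw in log.splitlines():
        m = SECTION_RE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body"), raw.strip()


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def triage(log: str) -> List[Finding]:
    entries = list(parse(log))
    findings: List[Finding] = []

    # Pass 1: collect Trusted-zone hosts so O16 download sources can be correlated.
    trusted = set()
    for sec, body, _ in entries:
        if sec == "O15":
            zone = body.split(":", 1)[1].strip().split(" ")[0]
            host = _host(zone) if "://" in zone else zone.lstrip("*.")
            trusted.add(host.lower())

    # Pass 2: per-entry checks.
    images: Dict[str, List[str]] = {}
    for sec, body, raw in entries:
        if MISSING_RE.search(body):
            findings.append(Finding(sec, "registration points at a file that no longer exists", raw))
        if sec == "O10":
            findings.append(Finding(sec, "Winsock LSP chain references a missing DLL; socket apps fail until the chain is repaired", raw))
        elif sec == "O15":
            findings.append(Finding(sec, "host in the IE Trusted zone, which relaxes ActiveX and script restrictions for it", raw))
        elif sec == "O20" and body.split(":", 1)[1].strip():
            findings.append(Finding(sec, "AppInit_DLLs is set; the DLL is loaded into every process that loads user32.dll", raw))
        elif sec == "O16":
            host = _host(body.rsplit(" - ", 1)[-1].strip())
            if host and any(host == t or host.endswith("." + t) for t in trusted):
                findings.append(Finding(sec, f"ActiveX package served from a host that is also in the Trusted zone ({host})", raw))
        elif sec == "O4":
            m = O4_IMAGE_RE.search(body)
            if m:
                images.setdefault(m.group(1).lower(), []).append(raw)

    # Pass 3: the same image registered under several autostart keys is a persistence pattern.
    for image, raws in images.items():
        if len(raws) > 1:
            for raw in raws:
                findings.append(Finding("O4", f"same image in {len(raws)} autostart locations: {image}", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it against a saved hijackthis.log by reading the file into `triage()`; the output is a shortlist for a human to review, not a fix list, because entries such as a legitimately quoted service path or a vendor-added Trusted-zone host will also be flagged.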

#9 nisthana

nisthana
  • Topic Starter

  • Members
  • 82 posts

Posted 20 May 2006 - 04:39 PM

I could not run the Panda scan because my virus scanner didn't allow it to download the ActiveX, but I did use the Kaspersky scan. Both HijackThis and Kaspersky logs attached. The Kaspersky scan was saved as an HTML file, and this site doesn't allow HTML I guess. Can you save the result as HTML and view it? If not then let me know if there is any other way.

Logfile of HijackThis v1.99.1
Scan saved at 2:29:12 PM, on 5/20/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
D:\PROGRA~1\NTS\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Palm\HOTSYNC.EXE
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\hijackthis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\nishant1\Application Data\Mozilla\Profiles\default\cg6pmgua.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\nishant1\Application Data\Mozilla\Profiles\default\cg6pmgua.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: HotSync Manager.lnk = D:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Subscribe to this feed - file://C:\Documents and Settings\nishant1\Application Data\AOL Fanfare\subscribe.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - https://webwork-rhv.corp.ebay.com/msrdp.cab....corp.ebay.com+
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O20 - AppInit_DLLs: iniwin32.dllxxx
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - D:\PROGRA~1\NTS\ENTERN~1\app\pppoeservice.exe

-----------------------------------------------------------------------------------------------------------
<html>
<head>
<title>KASPERSKY ON-LINE SCANNER REPORT</title>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8'>
</head>

<style>
.pagetitle { font-size:20px; color:#FFFFFF; font-family: Arial, Geneva, sans-serif; }
.text { font-size:11px; font-family: Arial, Geneva, sans-serif; }
TD { font-size:11px; font-family: Arial, Geneva, sans-serif; }
</style>

<body>
<table width='100%' height='110' border='0'>
<tr height='30' align='center' bgcolor='#005447'>
<td colspan='2' height='30' class='pagetitle'>
<b>KASPERSKY ON-LINE SCANNER REPORT</b>
</td>
</tr>
<tr height='70'>
<td colspan='2' height='70'>
Saturday, May 20, 2006 2:27:56 PM<br>
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)<br>
Kaspersky On-line Scanner version: 5.0.78.0<br>
Kaspersky Anti-Virus database last update: 20/05/2006<br>
Kaspersky Anti-Virus database records: 195227<br>
</td>
</tr>
<tr height='10'>
<td colspan='2' height='10'>
</td>
</tr>
</table>
<table width='100%' height='145' border='0'>
<tr height='20' bgcolor='#EFEBDE'>
<td colspan='2' height='20'><b>Scan Settings</b></td>
</tr>
<tr height='15'>
<td height='15' width='250'>Scan using the following antivirus database</td>
<td>extended</td>
</tr>
<tr height='15'>
<td height='15'>Scan Archives</td>
<td>true</td>
</tr>
<tr height='15'>
<td height='15'>Scan Mail Bases</td>
<td>true</td>
</tr>
<tr height='10'>
<td colspan='2' height='10'>
</td>
</tr>
<tr height='20' bgcolor='#EFEBDE'>
<td height='20'><b>Scan Target</b></td>
<td>My Computer</td>
</tr>
<tr height='20'>
<td colspan='2' height='20'>
A:\<br>
C:\<br>
D:\<br>
E:\
</td>
</tr>
<tr height='10'>
<td colspan='2' height='10'>
</td>
</tr>
<tr height='20' bgcolor='#EFEBDE'>
<td colspan='2' height='20'><b>Scan Statistics</b></td>
</tr>
<tr height='15'>
<td height='15'>Total number of scanned objects</td>
<td>67913</td>
</tr>
<tr height='15'>
<td height='15'>Number of viruses found</td>
<td>44</td>
</tr>
<tr height='15'>
<td height='15'>Number of infected objects</td>
<td>84</td>
</tr>
<tr height='15'>
<td height='15'>Number of suspicious objects</td>
<td>0</td>
</tr>
<tr height='15'>
<td height='15'>Duration of the scan process</td>
<td>03:25:36</td>
</tr>
</table>
<br>
<table width='100%' border='0'>
<tr height='20' bgcolor='#EFEBDE'>
<td height='20'><b>Infected Object Name</b></td>
<td width='200'><b>Virus Name</b></td>
<td width='100'><b>Last Action</b></td>
</tr>
<tr height='20'>
<td height='20'>C:\WINNT\system32\nsg68.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.HotSearchBar.i </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINNT\system32\commdlg3.exe </td>
<td>Infected: not-a-virus:AdWare.Win32.UrlSpy.b </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINNT\system32\ddrawex4.exe </td>
<td>Infected: not-a-virus:AdWare.Win32.UrlSpy.b </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINNT\system32\cnbjmon4.exe </td>
<td>Infected: not-a-virus:AdWare.Win32.UrlSpy.b </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINNT\system32\oins.exe </td>
<td>Infected: Trojan-Downloader.Win32.PurityScan.be </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINNT\system32\nsz74.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.SideFind.a </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINNT\system32\explorer.exe </td>
<td>Infected: Trojan-Downloader.Win32.Small.cvy </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINNT\system32\dwdsregt.exe </td>
<td>Infected: not-a-virus:AdWare.Win32.ZenoSearch.o </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINNT\system32\VSL03.exe/data0004 </td>
<td>Infected: Trojan-Downloader.Win32.Small.ctp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINNT\system32\VSL03.exe/data0005 </td>
<td>Infected: Trojan-Downloader.Win32.Small.ajc </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINNT\system32\VSL03.exe </td>
<td>NSIS: infected - 2 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINNT\system32\pldsregj.exe </td>
<td>Infected: not-a-virus:AdWare.Win32.ZenoSearch.o </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINNT\system32\ad.html </td>
<td>Infected: Trojan-Clicker.JS.Agent.e </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINNT\unist2.exe </td>
<td>Infected: not-a-virus:AdWare.Win32.ShopNav.l </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINNT\mtuninst.exe </td>
<td>Infected: not-a-virus:AdWare.Win32.MediaTickets.u </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINNT\mirar.exe </td>
<td>Infected: not-a-virus:AdWare.Win32.NetNucleus </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINNT\pop06ap2.exe </td>
<td>Infected: not-a-virus:AdWare.Win32.MediaMotor.l </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINNT\chadch.exe/stream/data0002 </td>
<td>Infected: not-a-virus:AdWare.Win32.SideFind.a </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINNT\chadch.exe/stream </td>
<td>Infected: not-a-virus:AdWare.Win32.SideFind.a </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINNT\chadch.exe </td>
<td>NSIS: infected - 2 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINNT\optimize.exe </td>
<td>Infected: Trojan-Downloader.Win32.Dyfuca.ey </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINNT\CCZoop05.exe </td>
<td>Infected: Trojan.Win32.VB.tg </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINNT\YOINSI.exe/data0002 </td>
<td>Infected: Trojan.Win32.Scapur.k </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINNT\YOINSI.exe </td>
<td>NSIS: infected - 1 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINNT\NDNuninstall6_38.exe </td>
<td>Infected: not-a-virus:AdWare.Win32.NewDotNet </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINNT\NDNuninstall7_22.exe </td>
<td>Infected: not-a-virus:AdWare.Win32.NewDotNet.e </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\wsxs\patchme.exe </td>
<td>Infected: not-a-virus:AdWare.Win32.DelphinMediaViewer.f </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\nishant1\Desktop\OiUninstaller.exe/data0003 </td>
<td>Infected: not-a-virus:AdWare.Win32.PurityScan.bu </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\nishant1\Desktop\OiUninstaller.exe </td>
<td>NSIS: infected - 1 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\nishant1\Desktop\uninstall6_90.exe </td>
<td>Infected: not-a-virus:AdWare.Win32.NewDotNet.e </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\nishant1\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-4514e5ea-54934bd7.zip/javainstaller/InstallerApplet.class </td>
<td>Infected: Trojan-Downloader.Java.OpenStream.t </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\nishant1\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-4514e5ea-54934bd7.zip </td>
<td>ZIP: infected - 1 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Common Files\Uninstall Information\RemoveWebDP.exe </td>
<td>Infected: not-a-virus:AdWare.Win32.DelphinMediaViewer.f </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Common Files\Download\mc-110-12-0000118.exe/stream/data0003/stream/data0004 </td>
<td>Infected: not-a-virus:RiskTool.Win32.PsKill.n </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Common Files\Download\mc-110-12-0000118.exe/stream/data0003/stream/data0005 </td>
<td>Infected: not-a-virus:AdWare.Win32.Agent.y </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Common Files\Download\mc-110-12-0000118.exe/stream/data0003/stream </td>
<td>Infected: not-a-virus:AdWare.Win32.Agent.y </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Common Files\Download\mc-110-12-0000118.exe/stream/data0003 </td>
<td>Infected: not-a-virus:AdWare.Win32.Agent.y </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Common Files\Download\mc-110-12-0000118.exe/stream </td>
<td>Infected: not-a-virus:AdWare.Win32.Agent.y </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Common Files\Download\mc-110-12-0000118.exe </td>
<td>NSIS: infected - 5 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\NetMeeting\wcb32.exe </td>
<td>Infected: not-a-virus:AdWare.Win32.Agent.y </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Microsoft AntiSpyware\Quarantine\041A854E-46D2-45AA-8C63-8FB143\BCF7E19E-B387-4124-AA5A-184A71 </td>
<td>Infected: not-a-virus:AdWare.Win32.Mirar.b </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Microsoft AntiSpyware\Quarantine\C42168DA-1B7F-4070-A225-305F90\5EA58A76-75C0-4C9E-8BBD-5C9EAD </td>
<td>Infected: not-a-virus:AdWare.Win32.NewDotNet </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Microsoft AntiSpyware\Quarantine\C42168DA-1B7F-4070-A225-305F90\E830DB67-7D61-4957-9758-555CE6 </td>
<td>Infected: not-a-virus:AdWare.Win32.NewDotNet </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Microsoft AntiSpyware\Quarantine\C42168DA-1B7F-4070-A225-305F90\3B543288-FAAA-4C86-8C6F-F6EF5F </td>
<td>Infected: not-a-virus:AdWare.Win32.NewDotNet.e </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Microsoft AntiSpyware\Quarantine\F23CCD00-708E-44BC-A9AB-59F88B\F4EEC4DE-ED33-4345-ACEA-35252B </td>
<td>Infected: not-a-virus:AdWare.Win32.Softomate.j </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Microsoft AntiSpyware\Quarantine\700A891B-2EBE-4B2A-BE6C-7D607A\FC44FAF8-B06C-4A4D-A002-374524 </td>
<td>Infected: not-a-virus:AdWare.Win32.Agent.y </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Microsoft AntiSpyware\Quarantine\81878865-2D42-4A34-B0C1-80917C\9F49DA7B-4BC6-4290-95FE-48B214 </td>
<td>Infected: Trojan-Downloader.Win32.Agent.agw </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Microsoft AntiSpyware\Quarantine\BB56B500-0F31-47D5-A462-5BCA91\579C6426-A31B-4540-8D3B-FA6D7E </td>
<td>Infected: not-a-virus:AdWare.Win32.NewDotNet </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Microsoft AntiSpyware\Quarantine\BB56B500-0F31-47D5-A462-5BCA91\950C7C1F-92EB-450A-AE42-3CEA8A </td>
<td>Infected: not-a-virus:AdWare.Win32.NewDotNet </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Microsoft AntiSpyware\Quarantine\A7572582-C5D5-40ED-8C19-03828C\560C315B-D95E-4721-B163-82E819 </td>
<td>Infected: not-a-virus:AdWare.Win32.NewDotNet.e </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Microsoft AntiSpyware\Quarantine\A7572582-C5D5-40ED-8C19-03828C\43E001A9-456A-401E-80F8-6CC928 </td>
<td>Infected: not-a-virus:AdWare.Win32.NewDotNet </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Microsoft AntiSpyware\Quarantine\D8D92981-D746-415D-B18C-17FF59\F825C44B-64EF-4778-8CF1-5333EE </td>
<td>Infected: Trojan-Downloader.Win32.Agent.agw </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Microsoft AntiSpyware\Quarantine\12059890-6CB3-493C-84D4-549CEF\9175933A-84EB-4B1C-9BC4-F332F1 </td>
<td>Infected: not-a-virus:AdWare.Win32.NewDotNet </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Microsoft AntiSpyware\Quarantine\12059890-6CB3-493C-84D4-549CEF\129D7445-95DB-4920-B9DA-CE1145 </td>
<td>Infected: not-a-virus:AdWare.Win32.NewDotNet </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Microsoft AntiSpyware\Quarantine\12059890-6CB3-493C-84D4-549CEF\ABDD2C92-E3FA-4771-978B-309191 </td>
<td>Infected: not-a-virus:AdWare.Win32.NewDotNet.e </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Microsoft AntiSpyware\Quarantine\CE019B38-46DC-40D2-A538-18A525\0DF02C64-D525-4360-B71F-ABC747 </td>
<td>Infected: not-a-virus:AdWare.Win32.MyWebSearch.o </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Windows\WinUpdate.exe/stream/data0004 </td>
<td>Infected: not-a-virus:RiskTool.Win32.PsKill.n </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Windows\WinUpdate.exe/stream/data0005 </td>
<td>Infected: not-a-virus:AdWare.Win32.Agent.y </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Windows\WinUpdate.exe/stream </td>
<td>Infected: not-a-virus:AdWare.Win32.Agent.y </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Windows\WinUpdate.exe </td>
<td>NSIS: infected - 3 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\Rdwl.exe </td>
<td>Infected: not-a-virus:AdWare.Win32.Midadle.b </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\C.exe </td>
<td>Infected: not-a-virus:AdWare.Win32.Midadle.e </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\installerwnus.exe </td>
<td>Infected: Trojan-Downloader.Win32.Qoologic.at </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\drsmartload1.exe </td>
<td>Infected: Trojan-Downloader.Win32.Adload.ap </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\keyboard19.exe </td>
<td>Infected: Trojan-Downloader.Win32.VB.ys </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\newname19.exe </td>
<td>Infected: Trojan-Downloader.Win32.VB.aci </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Trelew.exe/data0006 </td>
<td>Infected: Trojan-Dropper.Win32.VB.mz </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Trelew.exe </td>
<td>NSIS: infected - 1 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\503_617.exe </td>
<td>Infected: Trojan-Dropper.Win32.Agent.amf </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\hijackthis\backups\backup-20060520-103417-326.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.MediaMotor.n </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\newname20.exe </td>
<td>Infected: Trojan-Downloader.Win32.VB.adb </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WHCC2.exe/data.rar/whAgent.exe </td>
<td>Infected: not-a-virus:AdWare.Win32.WebHancer.351 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WHCC2.exe/data.rar/whSurvey.exe </td>
<td>Infected: not-a-virus:AdWare.Win32.WebHancer.381 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WHCC2.exe/data.rar/webhdll.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.WebHancer.381 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WHCC2.exe/data.rar/whiehlpr.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.WebHancer.381 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WHCC2.exe/data.rar </td>
<td>Infected: not-a-virus:AdWare.Win32.WebHancer.381 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WHCC2.exe </td>
<td>RarSFX: infected - 5 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\VSL.dl_ </td>
<td>Infected: Trojan-Downloader.Win32.Small.ctp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\drsmartload45a.exe </td>
<td>Infected: Trojan-Downloader.Win32.Adload.bj </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\drsmartload46a.exe </td>
<td>Infected: Trojan-Downloader.Win32.Adload.bi </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\defender20.exe </td>
<td>Infected: Trojan-Clicker.Win32.VB.ly </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\keyboard20.exe </td>
<td>Infected: Trojan-Downloader.Win32.VB.ada </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\NNSCAA638.EXE </td>
<td>Infected: not-a-virus:AdWare.Win32.NewDotNet </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>D:\Program Files\Altnet\Download Manager\asm.exe </td>
<td>Infected: not-a-virus:AdWare.Win32.Altnet.m </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td colspan='3' height='20'><b>Scan process completed.</b></td>
</tr>
</table>
</body>
</html>

#10 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 20 May 2006 - 06:24 PM

This is still quite a collection you have there...

Check and fix the next entry in HijackThis again:

O20 - AppInit_DLLs: iniwin32.dllxxx

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Delete the next files:

D:\Program Files\Altnet <== folder
C:\keyboard20.exe
C:\defender20.exe
C:\drsmartload46a.exe
C:\drsmartload45a.exe
C:\VSL.dl_
C:\WHCC2.exe
C:\newname20.exe
C:\503_617.exe
C:\Trelew.exe
C:\newname19.exe
C:\keyboard19.exe
C:\drsmartload1.exe
C:\WINDOWS\installerwnus.exe
C:\WINDOWS\C.exe
C:\WINDOWS\Rdwl.exe
C:\Program Files\Windows\WinUpdate.exe
C:\Program Files\NetMeeting\wcb32.exe
C:\Program Files\Common Files\Download\mc-110-12-0000118.exe
C:\Program Files\Common Files\Uninstall Information\RemoveWebDP.exe
C:\Documents and Settings\nishant1\Desktop\uninstall6_90.exe
C:\Documents and Settings\nishant1\Desktop\OiUninstaller.exe
C:\Documents and Settings\All Users\Application Data\wsxs\patchme.exe
C:\WINNT\NDNuninstall7_22.exe
C:\WINNT\NDNuninstall6_38.exe
C:\WINNT\YOINSI.exe
C:\WINNT\CCZoop05.exe
C:\WINNT\optimize.exe
C:\WINNT\chadch.exe
C:\WINNT\pop06ap2.exe
C:\WINNT\mirar.exe
C:\WINNT\mtuninst.exe
C:\WINNT\unist2.exe
C:\WINNT\system32\ad.html
C:\WINNT\system32\pldsregj.exe
C:\WINNT\system32\VSL03.exe
C:\WINNT\system32\dwdsregt.exe
C:\WINNT\system32\explorer.exe <== don't try to delete the explorer.exe present in your WINNT folder!!
C:\WINNT\system32\nsz74.dll
C:\WINNT\system32\oins.exe
C:\WINNT\system32\cnbjmon4.exe
C:\WINNT\system32\ddrawex4.exe
C:\WINNT\system32\commdlg3.exe
C:\WINNT\system32\nsg68.dll

Please hide your hidden files and folders again afterwards, because the above instructions to set your system to show all files unhide legitimate files and folders as well, and I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in reverse.

If you are having problems with deleting some, try it in safe mode.
Read here if you're not sure how to boot in safe mode:
http://www.computerhope.com/issues/chsafe.htm#02

Empty your recycle bin afterwards.

Post a new HijackThis log in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
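
The explorer.exe caveat in the deletion list above is a location check: a file whose name matches a Windows system binary but which sits in the wrong directory (system32 instead of the WINNT folder) is an impostor, while the copy in the right directory is the real thing and must not be deleted. Here is that check as a dry-run script. It is an added example for this write-up, not code from the thread or from HijackThis; the expected-location table (SYSTEM_ROOT, EXPECTED_DIR, covering only binaries seen in this thread's "Running processes" lists) and the function names are my assumptions, and DELETE_LIST is a subset of the responder's list above.

```python
r"""Dry-run triage of a manual deletion list like the one in the post above.

Added example; not code from the thread or from any tool named in it.
A file whose *name* matches a Windows system binary but whose *directory*
is wrong is an impostor (C:\WINNT\system32\explorer.exe), while the real
copy (C:\WINNT\Explorer.EXE) must be left alone.  Paths are compared
case-insensitively with ntpath, so this runs on any platform.
"""
import ntpath
from dataclasses import dataclass

SYSTEM_ROOT = r"C:\WINNT"  # Windows 2000 default, as in the thread's logs
SYSTEM32 = ntpath.join(SYSTEM_ROOT, "system32")

# Assumed legitimate home directory of each binary name (Windows 2000 layout);
# only names that appear in the thread's "Running processes" lists.
EXPECTED_DIR = {
    "explorer.exe": SYSTEM_ROOT,
    "smss.exe": SYSTEM32,
    "winlogon.exe": SYSTEM32,
    "services.exe": SYSTEM32,
    "lsass.exe": SYSTEM32,
    "svchost.exe": SYSTEM32,
}

# Subset of the responder's deletion list, verbatim from the post above.
DELETE_LIST = [
    r"C:\drsmartload1.exe",
    r"C:\Trelew.exe",
    r"C:\WINDOWS\installerwnus.exe",
    r"C:\Program Files\Windows\WinUpdate.exe",
    r"C:\WINNT\system32\explorer.exe",
    r"C:\WINNT\system32\nsz74.dll",
]


@dataclass
class Verdict:
    path: str
    action: str  # "delete" or "protect"
    reason: str


def _norm(path: str) -> str:
    """Collapse separators and fold case the way Windows compares paths."""
    return ntpath.normpath(path).lower()


def classify(path: str) -> Verdict:
    """Decide whether one path from a deletion list may be removed."""
    directory, name = ntpath.split(_norm(path))
    expected = EXPECTED_DIR.get(name)
    if expected is not None:
        if directory == _norm(expected):
            return Verdict(path, "protect", f"{name} in its legitimate location {expected}")
        return Verdict(path, "delete", f"location masquerade: {name} belongs in {expected}")
    if directory.rstrip("\\").endswith(":"):
        return Verdict(path, "delete", "file dropped at drive root")
    return Verdict(path, "delete", "listed by responder")


def plan(paths):
    """Group a deletion list by verdict; nothing is touched on disk."""
    out = {"delete": [], "protect": []}
    for p in paths:
        out[classify(p).action].append(p)
    return out


if __name__ == "__main__":
    for p in DELETE_LIST + [r"C:\WINNT\Explorer.EXE"]:
        v = classify(p)
        print(f"{v.action:8} {p:45} {v.reason}")
```

Running the script prints a verdict per path; the fake system32\explorer.exe is marked for deletion with the masquerade reason, and the genuine WINNT\Explorer.EXE (appended only to show the contrast) is protected even though its name differs only in case.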

#11 nisthana (Topic Starter, Members, 82 posts)

Posted 21 May 2006 - 12:16 PM

I got the following error while deleting O20 - AppInit_DLLs: iniwin32.dllxxx
I am going ahead with the rest of the steps in the meantime.


An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: iniwin32.dllxxx)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.00.2195
MSIE version: 6.0.2800.1106
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

#12 nisthana (Topic Starter, Members, 82 posts)

Posted 21 May 2006 - 12:39 PM

Logfile of HijackThis v1.99.1
Scan saved at 10:33:54 AM, on 5/21/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
D:\PROGRA~1\NTS\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Palm\HOTSYNC.EXE
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\hijackthis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\nishant1\Application Data\Mozilla\Profiles\default\cg6pmgua.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\nishant1\Application Data\Mozilla\Profiles\default\cg6pmgua.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: HotSync Manager.lnk = D:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Subscribe to this feed - file://C:\Documents and Settings\nishant1\Application Data\AOL Fanfare\subscribe.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - https://webwork-rhv.corp.ebay.com/msrdp.cab....corp.ebay.com+
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - D:\PROGRA~1\NTS\ENTERN~1\app\pppoeservice.exe
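
Two things in this thread are worth pulling out of a HijackThis log automatically: the O20 AppInit_DLLs entry fixed in post #10 (any DLL listed there is loaded into every process that loads user32.dll, so it is a persistence point), and the O23 services marked "(file missing)" in this log even though the same binaries (ashMaiSv.exe, ashWebSv.exe) appear under Running processes, which suggests HijackThis tripped over the stray quote it printed in those paths rather than that the files are gone. The parser below is an added example for this write-up, not part of the thread and not HijackThis' own code; SAMPLE_LOG is constructed from lines in posts #10 and #12, and the function and key names are my choices.

```python
"""Pull the first-look items out of a HijackThis 1.99.1 log.

Added example; not code from the thread or from HijackThis.
SAMPLE_LOG is constructed from lines in posts #10 and #12 above.

Checks:
  * O20 AppInit_DLLs: every DLL listed there is loaded into each process
    that loads user32.dll, so it is a persistence point.
  * O23 "(file missing)": cross-checked against the "Running processes"
    list.  A service marked missing whose binary is running is a log
    artefact (note the stray quote in the path), not a missing file.
  * O4 autoruns and O16 DPF (ActiveX download) targets are collected
    for review.
"""
import ntpath
import re

SAMPLE_LOG = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\Explorer.EXE

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - AppInit_DLLs: iniwin32.dllxxx
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# First drive-letter path ending in a binary extension; stops before the
# stray quote or the "(file missing)" suffix that HijackThis appends.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx)", re.I)
AUTORUN_RE = re.compile(r"\[(?P<name>.+?)\] (?P<cmd>.*)$")


def _norm(path):
    """Case-fold and collapse separators the way Windows compares paths."""
    return ntpath.normpath(path).lower()


def parse_log(text):
    """Return (set of running process paths, list of (code, body) entries)."""
    processes, entries, in_procs = set(), [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if in_procs and line and not m:
            processes.add(_norm(line))
            continue
        in_procs = False  # blank line or first O-entry ends the process list
        if m:
            entries.append((m["code"], m["body"]))
    return processes, entries


def triage(text):
    """Group the entries a responder checks first."""
    processes, entries = parse_log(text)
    out = {"appinit_dlls": [], "services_missing": [],
           "services_missing_but_running": [], "autoruns": [], "dpf": []}
    for code, body in entries:
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            out["appinit_dlls"].append(body.split(":", 1)[1].strip())
        elif code == "O23" and body.endswith("(file missing)"):
            name = body[len("Service: "):].split(" - ")[0]
            m = PATH_RE.search(body)
            path = m.group(0) if m else ""
            key = ("services_missing_but_running"
                   if path and _norm(path) in processes else "services_missing")
            out[key].append((name, path))
        elif code == "O4":
            m = AUTORUN_RE.search(body)
            if m:
                out["autoruns"].append((m["name"], m["cmd"]))
        elif code == "O16":
            out["dpf"].append(body.rsplit(" - ", 1)[-1].strip())
    return out


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key)
        for item in items:
            print("   ", item)
```

On the sample, the AOL service lands in services_missing (its binary is not running anywhere), while the avast! Mail Scanner lands in services_missing_but_running, which is the signal to check the service's ImagePath by hand rather than treat it as a dead entry. Real logs use 8.3 short names in some entries and long names in others, so a production version would resolve short names before comparing.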

#13 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 21 May 2006 - 01:04 PM

Hello,

Yes, I know that fixing an O20 gives that error in HijackThis; that's because it failed to create a backup of that key, but it gets deleted after all.

Your HijackThis log looks clean again; how are things running now?

#14 nisthana (Topic Starter, Members, 82 posts)

Posted 21 May 2006 - 03:43 PM

Hello,
Yes my computer is faster than before and there are no popups. I can actually use IE now.
Do you recommend any software that will keep my computer safe ?
I have Avant Antivirus and SpywareBlaster installed. I have uninstalled everything else as suggested.
Thank you very much for saving my computer. You guys ROCCCKKK !!!
- nisthana

#15 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 21 May 2006 - 03:49 PM

Hello,

Well, I also recommend Spybot S&D and Ad-Aware SE if you don't have these programs yet.
They are free, and you can find the download locations in my signature under AntiSpywareScanners.

So once installed, perform a full scan with them to get rid of the leftovers, if still present.

But the most important part of keeping a system clean is your behavior. Stay away from crack sites and other 'illegal' sites, because that's where malware is lurking. Also, when using a p2p program, beware of what you download: it's not always what it looks like.
An antivirus or spyware scanner won't always protect you, though; it only protects against known malware. They won't flag new malware, so prevention is better than the cure.
Also read in my signature under Prevention and watch the movies there.

To keep this clean in the future, I would suggest the following things:

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

Let your antispyware scanner(s) scan frequently, and don't forget to update them first.

I also suggest you perform an online virus scan (Housecall and/or Bitdefender) once in a while, because what one virus scanner can't find, another one maybe can.
Also make sure that the virus scanner installed on your system is always up to date!

Make sure your Windows has the latest updates: http://windowsupdate.microsoft.com/

Also visit this Free Online Scanner for PC Health and Safety and Microsoft Security At Home for tips to protect your PC, protect yourself and protect your family.

More info on how to prevent malware can also be found here (by Tony Klein)
and here: http://wiki.castlecops.com/Malware_Prevent...nt_Re-infection

If you want to fight back the Malware Writers that have made your life a misery, please take a look here.

Happy surfing again!

Edited by miekiemoes, 21 May 2006 - 03:50 PM.

