
http://mypoisk.com/index.htm

This topic is locked
18 replies to this topic

#1 tiru

  • Members
  • 9 posts

Posted 02 June 2004 - 11:39 AM

Anybody please help, I'm going nuts here. As far as I can understand I got CWS and it keeps changing my home page and adding pages to my favorites. I used Spybot Search and Destroy, PestPatrol, Norton, Stinger, and the removal tool CWShredder, and nothing; it just keeps on showing.

I'm running on XP and disabled System Restore, but it just seems to stay.

Also, using all of those programs I got rid of things I don't even know if they were meant to be there.

Please help, I've got no clue what to do.

tiru


#2 Grinler

Lawrence Abrams
  • Admin
  • 43,388 posts
  • Location:USA

Posted 02 June 2004 - 12:28 PM

Please do the following:

Create a directory on your hard drive to save HijackThis.exe in, for example c:\hijackthis. If you do not do this, you will not be able to use the backup/restore features.

Download HijackThis from:

HijackThis

Save this file into the directory you made previously and then run the program. Click on the Scan button and, when it is finished, click on the Save Log button. A Notepad window will open with the contents of this log. Click on Edit, then Select All. Then click on Edit again and then Copy.

Create a reply to this post, right-click in the message area and select Paste to paste the log into the post.

Someone will reply to you after reading this post. DO NOT fix any entries unless you understand what you are doing.

To see a tutorial on using HijackThis you can click on the link below:

HijackThis - Using HijackThis to Remove Spyware, Browser Hijackers, and Dialers

#3 tiru

  • Topic Starter
  • Members
  • 9 posts

Posted 02 June 2004 - 12:50 PM

Hey, I can do the Ctrl+C / Ctrl+V thing, I'm not that much of a newbie. Anyway, here is the result of the scan:

Logfile of HijackThis v1.97.7
Scan saved at 01:48:58 p.m., on 02/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\Smtray.exe
D:\Archivos de programa\Copystar\Fantom CD\fcdm.exe
D:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
D:\Archivos de programa\Creative\WebCam Control\CAMTRAY.EXE
D:\Archivos de programa\Messenger Plus! 2\MsgPlus.exe
D:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
D:\WINDOWS\System32\drivers\CDAC11BA.EXE
D:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
D:\Archivos de programa\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
D:\Archivos de programa\iTunes\iTunesHelper.exe
D:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
D:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\ARCHIV~1\NORTON~1\SPEEDD~1\nopdb.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINDOWS\System32\ctfmon.exe
D:\windows\dllhelp.exe
D:\Archivos de programa\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
D:\WINDOWS\DvzCommon\DvzMsgr.exe
D:\Palm\HOTSYNC.EXE
D:\Archivos de programa\MSN Messenger\msnmsgr.exe
D:\Archivos de programa\Sony Corporation\Image Transfer\SonyTray.exe
D:\WINDOWS\system32\ntvdm.exe
C:\OPLIMIT\ocrawr32.exe
D:\Archivos de programa\Yahoo!\Messenger\ymsgr_tray.exe
D:\Archivos de programa\iPod\bin\iPodService.exe
D:\Archivos de programa\PestPatrol\PPControl.exe
D:\Archivos de programa\Messenger\msmsgs.exe
D:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoisk.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoisk.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoisk.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoisk.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoisk.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.webshots.com/r/internal/start/client/RAND
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Archivos de programa\Yahoo!\Common\ycomp5_1_5_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Archivos de programa\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Archivos de programa\Yahoo!\Common\ycomp5_1_5_0.dll
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [Fantom CD Autorun] D:\Archivos de programa\Copystar\Fantom CD\fcdm.exe /startup
O4 - HKLM\..\Run: [ccApp] "D:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "D:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Creative WebCam Tray] D:\Archivos de programa\Creative\WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [MessengerPlus2] "D:\Archivos de programa\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [TkBellExe] "D:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ICQ Lite] D:\Archivos de programa\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [mmtask] D:\Archivos de programa\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] D:\Archivos de programa\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PestPatrol Control Center] D:\ARCHIV~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PPMemCheck] D:\ARCHIV~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] D:\ARCHIV~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus2] "D:\Archivos de programa\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [dllhelp] d:\windows\dllhelp.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\Archivos de programa\ICQLite\ICQLite.exe -trayboot
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Global Startup: Acrobat Assistant.lnk = D:\Archivos de programa\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DataViz Messenger.lnk = D:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = D:\Palm\HOTSYNC.EXE
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Archivos de programa\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://D:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Archivos de programa\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Archivos de programa\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: D:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: D:\Archivos de programa\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A85541E-EDBB-43E2-9DEB-49048A1DA632}: NameServer = 200.87.100.10,200.87.100.40

tiru

#4 Grinler

Lawrence Abrams
  • Admin
  • 43,388 posts
  • Location:USA

Posted 02 June 2004 - 01:03 PM

My directions are the same for everyone. It's a canned speech.

As is the next stuff.

This step is optional. Messenger Plus is known to install hijackers. If that does not bother you, then continue using it; otherwise go into Control Panel, then Add/Remove Programs, and remove Messenger Plus.

I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then click the Fix button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoisk.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoisk.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoisk.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoisk.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoisk.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.webshots.com/r/internal/start/client/RAND
O4 - HKCU\..\Run: [dllhelp] d:\windows\dllhelp.exe

Reboot your computer into Safe Mode and delete the following file:

d:\windows\dllhelp.exe

Disable System Restore. You can find instructions on how to disable and re-enable System Restore here:

Managing Windows Millennium System Restore
or

Windows XP System Restore Guide

Re-enable System Restore with the instructions from the tutorial above.

Reboot your computer to go back to normal mode and post a new log.
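
Grinler's fix list is the application of a few rules of thumb a HijackThis helper uses: R0/R1 lines are Internet Explorer Start/Search page values and get fixed when they point at a domain the user never chose; O4 lines are auto-start entries and get fixed when the binary sits somewhere a real program would not live, such as the Windows directory itself (dllhelp.exe above); O17 lines are the machine's DNS servers and deserve a look even when they turn out to be the ISP's. The Python below is an added example, not part of this thread or of HijackThis, that applies those rules to HijackThis log lines. The sample log is abbreviated from the first log posted above (the "..." in the Yahoo URL is HijackThis's own truncation), and TRUSTED_HOSTS and SUSPICIOUS_DIR are assumptions to tune; helpers in 2004 often reset every R0/R1 line regardless, as Grinler did here.

```python
"""Triage HijackThis log lines the way a forum helper does.

Added example, not part of this thread or of HijackThis.  TRUSTED_HOSTS and
SUSPICIOUS_DIR are assumptions; SAMPLE_LOG is abbreviated from the log posted
in this thread.
"""
import re
from urllib.parse import urlparse

# Hosts allowed to appear in IE Start/Search page values (assumption).
TRUSTED_HOSTS = {"yahoo.com", "msn.com", "microsoft.com", "google.com"}

# Auto-start binaries directly in the Windows root (real system binaries live
# in System32) or in a temp directory are classic hijacker drop spots.
SUSPICIOUS_DIR = re.compile(r"(?i)^[a-z]:\\windows$|\\temp\\|\\temp$")

ENTRY = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoisk.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoisk.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoisk.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.webshots.com/r/internal/start/client/RAND
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "D:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [dllhelp] d:\windows\dllhelp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A85541E-EDBB-43E2-9DEB-49048A1DA632}: NameServer = 200.87.100.10,200.87.100.40
"""


def host_of(url: str) -> str:
    """Last two labels of the URL's host ('red.clientapps.yahoo.com' -> 'yahoo.com')."""
    netloc = urlparse(url.strip()).netloc.lower()
    parts = netloc.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else netloc


def exe_path(command: str) -> str:
    """Executable path from a Run-key command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    # Unquoted: the path ends at the first '.exe' followed by a space or the end.
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command


def triage(log_text: str) -> list:
    """(line, reason) for every entry a helper would fix or ask about."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, process list, blank line
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1") and " = " in body:
            url = body.split(" = ", 1)[1]
            if url.lower().startswith("http") and host_of(url) not in TRUSTED_HOSTS:
                findings.append((line, f"IE setting points at untrusted host {host_of(url)}"))
        elif kind == "O4" and "Run" in body and "]" in body:
            path = exe_path(body.split("]", 1)[1])
            directory = path.rsplit("\\", 1)[0] if "\\" in path else ""
            if SUSPICIOUS_DIR.search(directory):
                findings.append((line, f"auto-start binary in unusual location {directory}"))
        elif kind == "O17" and "NameServer" in body:
            servers = body.split("=", 1)[1].strip()
            findings.append((line, f"DNS servers {servers}: confirm they belong to your ISP"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

Run as-is it prints the mypoisk.com and webshots.com R0/R1 lines and the dllhelp.exe O4 line as entries to queue for the Fix button, leaves the Yahoo, Symantec and ctfmon.exe lines alone, and lists the O17 name servers for a manual check rather than for fixing: ISP-assigned DNS servers are normal, and only addresses the owner does not recognise point to a DNS hijack.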

#5 tiru

  • Topic Starter
  • Members
  • 9 posts

Posted 02 June 2004 - 01:38 PM

Sweet, everything seems to be normal again. It sucks about the MSN Plus, it was fun, but hijackers like CWS gave me so much trouble that I'd rather take it out. Anyway, here is the new log.

Logfile of HijackThis v1.97.7
Scan saved at 02:34:54 p.m., on 02/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\Smtray.exe
D:\Archivos de programa\Copystar\Fantom CD\fcdm.exe
D:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
D:\Archivos de programa\Creative\WebCam Control\CAMTRAY.EXE
D:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
D:\WINDOWS\System32\drivers\CDAC11BA.EXE
D:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
D:\Archivos de programa\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
D:\Archivos de programa\iTunes\iTunesHelper.exe
D:\ARCHIV~1\PESTPA~1\PPControl.exe
D:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
D:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\ARCHIV~1\NORTON~1\SPEEDD~1\nopdb.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
D:\ARCHIV~1\PESTPA~1\PPMemCheck.exe
D:\ARCHIV~1\PESTPA~1\CookiePatrol.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Archivos de programa\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
D:\WINDOWS\DvzCommon\DvzMsgr.exe
D:\Palm\HOTSYNC.EXE
D:\Archivos de programa\Sony Corporation\Image Transfer\SonyTray.exe
D:\WINDOWS\system32\ntvdm.exe
C:\OPLIMIT\ocrawr32.exe
D:\Archivos de programa\iPod\bin\iPodService.exe
D:\Archivos de programa\MSN Messenger\msnmsgr.exe
D:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
D:\Archivos de programa\Yahoo!\Messenger\ypager.exe
D:\Archivos de programa\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cgchannel.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Archivos de programa\Yahoo!\Common\ycomp5_1_5_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Archivos de programa\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Archivos de programa\Yahoo!\Common\ycomp5_1_5_0.dll
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [Fantom CD Autorun] D:\Archivos de programa\Copystar\Fantom CD\fcdm.exe /startup
O4 - HKLM\..\Run: [ccApp] "D:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "D:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Creative WebCam Tray] D:\Archivos de programa\Creative\WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [MessengerPlus2] "D:\Archivos de programa\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [TkBellExe] "D:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ICQ Lite] D:\Archivos de programa\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [mmtask] D:\Archivos de programa\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] D:\Archivos de programa\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PestPatrol Control Center] D:\ARCHIV~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PPMemCheck] D:\ARCHIV~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] D:\ARCHIV~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\Archivos de programa\ICQLite\ICQLite.exe -trayboot
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Global Startup: Acrobat Assistant.lnk = D:\Archivos de programa\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DataViz Messenger.lnk = D:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = D:\Palm\HOTSYNC.EXE
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Archivos de programa\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://D:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Archivos de programa\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Archivos de programa\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: D:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: D:\Archivos de programa\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A85541E-EDBB-43E2-9DEB-49048A1DA632}: NameServer = 200.87.100.10,200.87.100.40

Do I hide the hidden files again?

tiru

#6 Grinler

Lawrence Abrams
  • Admin
  • 43,388 posts
  • Location:USA

Posted 02 June 2004 - 02:24 PM

Just fix this line in HijackThis and you're clean:

O4 - HKLM\..\Run: [MessengerPlus2] "D:\Archivos de programa\Messenger Plus! 2\MsgPlus.exe"


Nah, I would keep the hidden files visible. It doesn't hurt to be able to see all the files.

#7 Papakid

Guru at being a Newbie
  • Malware Response Team
  • 6,522 posts

Posted 02 June 2004 - 02:27 PM

Hi tiru

Do I hide the hidden files again?

Doesn't matter, unless you delete files that you don't know what they do. Then for sure hide them again.

I'm running on XP and disabled System Restore, but it just seems to stay.

Disabling System Restore in that situation will never deactivate a hijacker or any other malicious file. I want you to know that because it's becoming a myth that System Restore is hiding files that are causing problems. Hijackers/malware, when installed, make themselves part of the system. When a Restore Point is created (usually automatically) a backup is made of most of the registry and system. That backup is locked down and inactive; it will only be activated if you use that Restore Point to go back to an earlier time, i.e., you use System Restore. Disabling and then re-enabling System Restore will delete all Restore Points. This is recommended after you have been infected as a precaution, so that you don't accidentally reinfect yourself by using System Restore and reactivating the backed-up malware. Most of the time System Restore can be quite handy.

Edited by Papakid, 02 June 2004 - 02:29 PM.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#8 tiru

  • Topic Starter
  • Members
  • 9 posts

Posted 02 June 2004 - 02:49 PM

Hey, thanks a lot guys. If only I had found this page before. Anyway, I'd rather hide the files; it's a family PC and you never know who is on and what they are erasing, so better keep it safe.

One question: what kind of harm can I expect from the hijacker? Should I change passwords and stuff like that, or is it just an annoying program?

Once again, thanks.

tiru

#9 Grinler

Lawrence Abrams
  • Admin
  • 43,388 posts
  • Location:USA

Posted 02 June 2004 - 03:20 PM

Generally hijackers do not steal passwords or other information, but that is not to say that they never do. If you would feel more comfortable, then changing the passwords can never hurt.

#10 tiru

  • Topic Starter
  • Members
  • 9 posts

Posted 02 June 2004 - 04:59 PM

Since I got rid of the hijacker my PC seems to crash pretty often. Any suggestions?

tiru

#11 Papakid

Guru at being a Newbie
  • Malware Response Team
  • 6,522 posts

Posted 02 June 2004 - 06:24 PM

You may not be out of the woods yet Tiru. Are you getting any popups? There are indications of a supersneaky pest. Let's see if we can find that puppy. Try this:

Step 1. Download DLLFix from one of the following links. Save it to a folder on your root drive, which is C:\ for most people:

http://downloads.subratam.org/dllfix.exe

or

http://tools.zerosrealm.com/dllfix.exe

Step 2. After it has completed downloading, navigate to the folder you saved it in and double-click on dllfix.exe.

Step 3. It will prompt you to extract the files somewhere. Type in c:\dllfix and press install.

Step 4. Navigate to c:\dllfix, open the folder and double-click on start.bat

Step 5. Run Option 1 by pressing 1 on the keyboard, then Enter. The program will now start searching.

Step 6. Once the search is complete a text file should open with the name Output.txt. Copy and paste the contents of this text file into your next reply to this post, along with a new HijackThis log.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson
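
Option 1 of DLLFix dumps the AppInit_DLLs value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows and the access control list of that key (tiru's next reply shows both). That is where the "supersneaky" CWS variant Papakid is hunting hides: a DLL named there is loaded by user32.dll into every process that maps it, so the browser is rehijacked no matter which Run entries were removed, and the ACL dump shows which accounts could have written the value. The Python below is an added example, not part of this thread or of DLLFix: it parses a REGEDIT4 export and a RegDACL listing and reports any AppInit DLLs plus any account other than administrators, SYSTEM or the creator-owner that holds more than Read on the key. The two registry snippets and the ACL listing are constructed to mirror the posted output, EXPECTED_WRITERS is an assumption (English and the Spanish group names from the thread), and hypothetical_hijack.dll is a placeholder, not a real file name.

```python
"""Check what DLLFix's Option 1 dumps: the AppInit_DLLs value and who may write
the key that holds it.

Added example, not part of this thread or of DLLFix.  The REGEDIT4 export and
RegDACL listing below are constructed to mirror the output posted in this
thread; hypothetical_hijack.dll is a placeholder, not a real file.
"""
import re

WINDOWS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# Accounts expected to hold write access on this key.  Assumption: English and
# the Spanish names from the thread; add your locale's names as needed.
EXPECTED_WRITERS = {
    "BUILTIN\\Administrators", "BUILTIN\\Administradores",
    "NT AUTHORITY\\SYSTEM", "CREATOR OWNER",
}

# One RegDACL access-control entry: (NI|IO) ALLOW|DENY <permission> <account>.
ACE = re.compile(r"^\((?:NI|IO)\) (ALLOW|DENY) (Full access|Read|Write) (.+)$")

CLEAN_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"Spooler"="yes"
'''
# Constructed: the same key with a DLL that user32.dll would load into every
# GUI process.  REGEDIT4 doubles backslashes inside string values.
HIJACKED_EXPORT = CLEAN_EXPORT.replace(
    '"AppInit_DLLs"=""',
    r'"AppInit_DLLs"="D:\\WINDOWS\\system32\\hypothetical_hijack.dll"')

CLEAN_ACL = """\
Access Control List for Registry key hklm\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows:
(NI) ALLOW Read BUILTIN\\Usuarios
(IO) ALLOW Read BUILTIN\\Usuarios
(NI) ALLOW Full access BUILTIN\\Administradores
(NI) ALLOW Full access NT AUTHORITY\\SYSTEM
(IO) ALLOW Full access CREATOR OWNER
"""
# Constructed: a weakened ACL under which any user could plant an AppInit DLL.
WEAK_ACL = CLEAN_ACL.replace("(NI) ALLOW Read BUILTIN\\Usuarios",
                             "(NI) ALLOW Full access BUILTIN\\Usuarios")


def reg_values(export: str, key: str) -> dict:
    """String values under one key of a REGEDIT4 export, backslashes unescaped."""
    values, in_key = {}, False
    for line in export.splitlines():
        if line.startswith("["):
            in_key = line.strip("[]").lower() == key.lower()
        elif in_key:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def appinit_dlls(export: str) -> list:
    """DLL paths listed in AppInit_DLLs (space/comma separated); [] when clean."""
    raw = reg_values(export, WINDOWS_KEY).get("AppInit_DLLs", "")
    return [p for p in re.split(r"[ ,;]+", raw) if p]


def unexpected_writers(acl_listing: str) -> set:
    """Accounts granted more than Read that are not admins, SYSTEM or owner."""
    found = set()
    for line in acl_listing.splitlines():
        m = ACE.match(line.strip())
        if m and m.group(1) == "ALLOW" and m.group(2) != "Read":
            account = m.group(3).strip()
            if account not in EXPECTED_WRITERS:
                found.add(account)
    return found


def report(export: str, acl_listing: str) -> dict:
    """Both checks together; 'clean' only when nothing loads and the ACL is tight."""
    dlls = appinit_dlls(export)
    writers = sorted(unexpected_writers(acl_listing))
    return {"appinit_dlls": dlls, "unexpected_writers": writers,
            "clean": not dlls and not writers}


if __name__ == "__main__":
    print(report(CLEAN_EXPORT, CLEAN_ACL))
    print(report(HIJACKED_EXPORT, WEAK_ACL))
```

Against the snippets modelled on tiru's output the report comes back clean: AppInit_DLLs is empty and only Administradores, SYSTEM and CREATOR OWNER have Full access, which is the stock Windows XP ACL. The constructed hijacked export and weakened ACL show what a positive looks like. The check reads exports and listings, so it works on the Output.txt a poster pastes into a thread; on a live machine you would feed it `reg export` and RegDACL output instead.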


#12 tiru

  • Topic Starter
  • Members
  • 9 posts

Posted 02 June 2004 - 08:10 PM

*** **** (language edited out by Papakid) This thing is proving to be more annoying than I expected, I guess from inexperience. Well, anyway, I don't get popups, luckily; it just crashes sometimes for no apparent reason.

Here are the results of the scan you just asked for, and the HijackThis log.

--==***@@@ FIND-ALL' VERSION MODIFIED -5/27 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

02/06/2004
09:09 p.m.

System Info:

Microsoft Windows XP [Versión 5.1.2600]
D: "WindowsXP" (AC90:2BDC) - FS:NTFS clusters:4k
Total: 20 003 848 192 [19G] - Free: 7 752 855 552 [7.2G]


*IE version and Service packs:
6.0.2800.1106 D:\Archivos de programa\Internet Explorer\Iexplore.exe
*Notepad version :
5.1.2600.0 D:\WINDOWS\system32\notepad.exe
5.1.2600.0 D:\WINDOWS\notepad.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;



Locked or 'Suspect' file(s) found...


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"


! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_Dlls REG_SZ

*Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Usuarios
(IO) ALLOW Read BUILTIN\Usuarios
(NI) ALLOW Read BUILTIN\Usuarios avanzados
(IO) ALLOW Read BUILTIN\Usuarios avanzados
(NI) ALLOW Full access BUILTIN\Administradores
(IO) ALLOW Full access BUILTIN\Administradores
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administradores
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Usuarios
Read BUILTIN\Usuarios avanzados
Full access BUILTIN\Administradores
Full access NT AUTHORITY\SYSTEM




Logfile of HijackThis v1.97.7
Scan saved at 09:11:34 p.m., on 02/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\System32\Smtray.exe
D:\Archivos de programa\Copystar\Fantom CD\fcdm.exe
D:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
D:\Archivos de programa\Creative\WebCam Control\CAMTRAY.EXE
D:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
D:\WINDOWS\System32\drivers\CDAC11BA.EXE
D:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
D:\Archivos de programa\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
D:\Archivos de programa\iTunes\iTunesHelper.exe
D:\ARCHIV~1\PESTPA~1\PPControl.exe
D:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
D:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\ARCHIV~1\NORTON~1\SPEEDD~1\nopdb.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
D:\ARCHIV~1\PESTPA~1\PPMemCheck.exe
D:\ARCHIV~1\PESTPA~1\CookiePatrol.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Archivos de programa\MSN Messenger\msnmsgr.exe
D:\Archivos de programa\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
D:\WINDOWS\DvzCommon\DvzMsgr.exe
D:\Palm\HOTSYNC.EXE
D:\Archivos de programa\Sony Corporation\Image Transfer\SonyTray.exe
D:\WINDOWS\system32\ntvdm.exe
C:\OPLIMIT\ocrawr32.exe
D:\Archivos de programa\iPod\bin\iPodService.exe
D:\Archivos de programa\Internet Explorer\iexplore.exe
D:\WINDOWS\explorer.exe
D:\Archivos de programa\Yahoo!\Messenger\ymsgr_tray.exe
D:\Archivos de programa\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cgchannel.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Archivos de programa\Yahoo!\Common\ycomp5_1_5_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Archivos de programa\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Archivos de programa\Yahoo!\Common\ycomp5_1_5_0.dll
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [Fantom CD Autorun] D:\Archivos de programa\Copystar\Fantom CD\fcdm.exe /startup
O4 - HKLM\..\Run: [ccApp] "D:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "D:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Creative WebCam Tray] D:\Archivos de programa\Creative\WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [TkBellExe] "D:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ICQ Lite] D:\Archivos de programa\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [mmtask] D:\Archivos de programa\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] D:\Archivos de programa\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PestPatrol Control Center] D:\ARCHIV~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PPMemCheck] D:\ARCHIV~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] D:\ARCHIV~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Global Startup: Acrobat Assistant.lnk = D:\Archivos de programa\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DataViz Messenger.lnk = D:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = D:\Palm\HOTSYNC.EXE
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Archivos de programa\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://D:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Archivos de programa\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Archivos de programa\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: D:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: D:\Archivos de programa\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A85541E-EDBB-43E2-9DEB-49048A1DA632}: NameServer = 200.87.100.10,200.87.100.40

tiru

Edited by Papakid, 02 June 2004 - 08:39 PM.


#13 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,522 posts

Posted 02 June 2004 - 08:33 PM

Well, the bad news is that DllFix is the wrong tool. The good news is that a fix for your issue has recently been developed. Hang on a few minutes and I'll pass it on.

And tiru, please watch the language. We're not all adults here. I'm editing that out.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#14 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,522 posts

Posted 02 June 2004 - 09:50 PM

OK, tiru, I'm not 100% sure this will solve the crash issue, but let's make sure you've removed all files associated with mypoisk.com/index.htm. Unhide your files while you work on this.

First, run CWShredder again in safe mode. Then follow these steps.

1. While still in safe mode, navigate to the C:\WINDOWS\system32 folder and delete the file if found--if it's not there don't worry about it:

winlogin.exe <= This file, NOTICE the spelling. Please watch that you do not delete winlogon.exe (that is a legit file in the same directory)

2. Do a file Search and delete any of these files if found:
winlogon.exe in any location other than c:\windows\system32.
c:\windows\system32\winlogon.exe is a legitimate system file that MUST NOT be deleted. One of the more common places for winlogon.exe to hide is C:\Documents and Settings\All Users\Start Menu\Programs <= Be sure to check this location.

m.exe
dlltemp.exe
dllhelp.exe

3. While still in safe mode please run CoolWeb Shredder one more time and let it FIX all problems.
4. RESTART back in Normal mode. Don't open a browser yet.
5. Instead, access your "Internet options" via "Control Panel" and under the "Programs" tab, "Reset Web Settings".
6. Run Disk Cleanup making sure Temporary Internet Files and Temp files are cleaned up.
7. Post back a fresh Hijackthis log.

Let us know how it goes and if you have any questions. If you're still having problems we may have to do some more tricky searching for some more files.

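The file checks in steps 1 and 2 of the post above, as an added Python example that is not from the original post or from any tool named in the thread. It assumes a directory tree to walk and the real system32 path (passed in explicitly, since the poster's XP lives on D:, not C:); the sample layout is constructed in a temporary folder, and the code only reports suspects rather than deleting anything.

```python
import os
import tempfile
from pathlib import Path

# Names from the thread: the lookalike (winlogin.exe, one letter off
# from the legitimate winlogon.exe) and the helper files named in step 2.
LOOKALIKE = "winlogin.exe"
LEGIT_NAME = "winlogon.exe"
DROPPED = {"m.exe", "dlltemp.exe", "dllhelp.exe"}


def find_suspects(root, system32):
    """Walk `root` and return (path, reason) pairs the post says to remove.

    A winlogon.exe counts as legitimate only when it sits in `system32`;
    every other copy, and every winlogin.exe, is reported.
    """
    system32 = Path(system32).resolve()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()          # NTFS/FAT names are case-insensitive
            path = Path(dirpath, name)
            if lower == LOOKALIKE:
                hits.append((path, "lookalike of winlogon.exe"))
            elif lower == LEGIT_NAME and path.parent.resolve() != system32:
                hits.append((path, "winlogon.exe outside system32"))
            elif lower in DROPPED:
                hits.append((path, "CWS helper file"))
    return hits


def build_demo_tree():
    """Constructed sample layout (not the poster's real disk) for a dry run."""
    base = Path(tempfile.mkdtemp(prefix="cwscheck_"))
    system32 = base / "WINDOWS" / "system32"
    startup = base / "Documents and Settings" / "All Users" / "Start Menu" / "Programs"
    for d in (system32, startup):
        d.mkdir(parents=True)
    for rel in ("WINDOWS/system32/winlogon.exe",   # legitimate, must survive
                "WINDOWS/system32/winlogin.exe",   # lookalike
                "Documents and Settings/All Users/Start Menu/Programs/winlogon.exe",
                "WINDOWS/dlltemp.exe"):
        (base / rel).write_bytes(b"")
    return base, system32


if __name__ == "__main__":
    root, sys32 = build_demo_tree()
    for path, why in find_suspects(root, sys32):
        print(f"{why:30} {path}")
```

Running it against the constructed tree lists the lookalike, the misplaced winlogon.exe in the Start Menu folder and dlltemp.exe, while the real system32\winlogon.exe is never reported.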


#15 tiru

tiru
  • Topic Starter

  • Members
  • 9 posts

Posted 02 June 2004 - 10:54 PM

OK, didn't find anything, but one thing: I have OS 98 and XP on this machine, I normally work on XP and 98 is just a backup. XP is installed on the D drive, so whenever you say C:\Windows, I'm assuming you mean the main OS, which in this case is XP on D. Just wanted to make sure.

I did everything you said and found nothing. Anyway, here are the HijackThis logs.

Logfile of HijackThis v1.97.7
Scan saved at 11:50:42 p.m., on 02/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\Smtray.exe
D:\Archivos de programa\Copystar\Fantom CD\fcdm.exe
D:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
D:\Archivos de programa\Creative\WebCam Control\CAMTRAY.EXE
D:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
D:\WINDOWS\System32\drivers\CDAC11BA.EXE
D:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
D:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
D:\Archivos de programa\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
D:\Archivos de programa\iTunes\iTunesHelper.exe
D:\ARCHIV~1\PESTPA~1\PPControl.exe
D:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
D:\ARCHIV~1\NORTON~1\SPEEDD~1\nopdb.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
D:\ARCHIV~1\PESTPA~1\PPMemCheck.exe
D:\ARCHIV~1\PESTPA~1\CookiePatrol.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Archivos de programa\MSN Messenger\msnmsgr.exe
D:\Archivos de programa\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
D:\WINDOWS\DvzCommon\DvzMsgr.exe
D:\Palm\HOTSYNC.EXE
D:\Archivos de programa\Sony Corporation\Image Transfer\SonyTray.exe
D:\WINDOWS\system32\ntvdm.exe
C:\OPLIMIT\ocrawr32.exe
D:\Archivos de programa\Yahoo!\Messenger\ymsgr_tray.exe
D:\Archivos de programa\iPod\bin\iPodService.exe
D:\Archivos de programa\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cgchannel.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Archivos de programa\Yahoo!\Common\ycomp5_1_5_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Archivos de programa\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Archivos de programa\Yahoo!\Common\ycomp5_1_5_0.dll
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [Fantom CD Autorun] D:\Archivos de programa\Copystar\Fantom CD\fcdm.exe /startup
O4 - HKLM\..\Run: [ccApp] "D:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "D:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Creative WebCam Tray] D:\Archivos de programa\Creative\WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [TkBellExe] "D:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ICQ Lite] D:\Archivos de programa\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [mmtask] D:\Archivos de programa\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] D:\Archivos de programa\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PestPatrol Control Center] D:\ARCHIV~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PPMemCheck] D:\ARCHIV~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] D:\ARCHIV~1\PESTPA~1\CookiePatrol.exe
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\Archivos de programa\ICQLite\ICQLite.exe -trayboot
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Global Startup: Acrobat Assistant.lnk = D:\Archivos de programa\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DataViz Messenger.lnk = D:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = D:\Palm\HOTSYNC.EXE
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Archivos de programa\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://D:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Archivos de programa\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Archivos de programa\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: D:\Archivos de programa\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .UVR: D:\Archivos de programa\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A85541E-EDBB-43E2-9DEB-49048A1DA632}: NameServer = 200.87.100.10,200.87.100.40

:thumbsup:

And sorry for the things I said that you had to censor.

tiru



