HijackThis log



#1 brokeroad

Posted 18 December 2004 - 05:51 AM

Hi, I can't get rid of this searchweb toolbar and getting lots of ads. I've removed MsgPlus 3, run Adware SE, AVG Vers 6, Spybot 1.3, but when starting IE the searchweb toolbar is there. I would be grateful if someone could look at my HJT log and offer me some advice:

Logfile of HijackThis v1.98.2
Scan saved at 10:45:23, on 18/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
c:\sdwork\issimsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\OfferApp\OfferApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dmvnnylgbkzmdv.com/M4KNEgROKTYg...dCYVCVbLAMN.jpg
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.advfn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 127.0.0.2 auditmypc.com
O1 - Hosts: 127.0.0.3 boards.cexx.org
O1 - Hosts: 127.0.0.4 bulletproofsoft.net
O1 - Hosts: 127.0.0.5 camtech2000.net
O1 - Hosts: 127.0.0.6 cexx.org
O1 - Hosts: 127.0.0.7 computercops.us
O1 - Hosts: 127.0.0.8 ct7support.com
O1 - Hosts: 127.0.0.9 doxdesk.com
O1 - Hosts: 127.0.0.20 kellys-korner-xp.com
O1 - Hosts: 127.0.0.21 kephyr.com
O1 - Hosts: 127.0.0.24 lurkhere.com
O1 - Hosts: 127.0.0.25 majorgeeks.com
O1 - Hosts: 127.0.0.26 merijn.org
O1 - Hosts: 127.0.0.27 mjc1.com
O1 - Hosts: 127.0.0.28 moosoft.com
O1 - Hosts: 127.0.0.29 mvps.org
O1 - Hosts: 127.0.0.30 net-integration.net
O1 - Hosts: 127.0.0.31 noadware.net
O1 - Hosts: 127.0.0.32 no-spybot.com
O1 - Hosts: 127.0.0.33 onlinepcfix.com
O1 - Hosts: 127.0.0.34 pchell.com
O1 - Hosts: 127.0.0.35 pestpatrol.com
O1 - Hosts: 127.0.0.36 safer-networking.org
O1 - Hosts: 127.0.0.37 secure.spykiller.com
O1 - Hosts: 127.0.0.38 secureie.com
O1 - Hosts: 127.0.0.39 security.kolla.de
O1 - Hosts: 127.0.0.40 spybot.info
O1 - Hosts: 127.0.0.41 spychecker.com
O1 - Hosts: 127.0.0.42 spychecker.com
O1 - Hosts: 127.0.0.43 spycop.com
O1 - Hosts: 127.0.0.44 spyguard.com
O1 - Hosts: 127.0.0.45 spykiller.com
O1 - Hosts: 127.0.0.46 spyware.co.uk
O1 - Hosts: 127.0.0.47 spyware-cop.com
O1 - Hosts: 127.0.0.48 spywareinfo.com
O1 - Hosts: 127.0.0.49 spywarenuker.com
O1 - Hosts: 127.0.0.50 spywareremove.com
O1 - Hosts: 127.0.0.51 spywareremove.com
O1 - Hosts: 127.0.0.52 stopzillapro.com
O1 - Hosts: 127.0.0.53 sunbelt-software.com
O1 - Hosts: 127.0.0.54 thiefware.com
O1 - Hosts: 127.0.0.55 tomcoyote.org
O1 - Hosts: 127.0.0.56 unwantedlinks.com
O1 - Hosts: 127.0.0.57 webattack.com
O1 - Hosts: 127.0.0.58 wilders.org
O1 - Hosts: 127.0.0.59 www.auditmypc.com
O1 - Hosts: 127.0.0.60 www.bulletproofsoft.net
O1 - Hosts: 127.0.0.61 www.cexx.org
O1 - Hosts: 127.0.0.62 www.computercops.us
O1 - Hosts: 127.0.0.63 www.ct7support.com
O1 - Hosts: 127.0.0.64 www.doxdesk.com
O1 - Hosts: 127.0.0.65 www.eblocs.com
O1 - Hosts: 127.0.0.66 www.enigmasoftwaregroup.com
O1 - Hosts: 127.0.0.67 www.free-spyware-scan.com
O1 - Hosts: 127.0.0.68 www.free-web-browsers.com
O1 - Hosts: 127.0.0.69 www.grc.com
O1 - Hosts: 127.0.0.70 www.grisoft.com
O1 - Hosts: 127.0.0.71 www.hackfaq.org
O1 - Hosts: 127.0.0.72 www.hazeleger.net
O1 - Hosts: 127.0.0.73 www.javacoolsoftware.com
O1 - Hosts: 127.0.0.74 www.kellys-korner-xp.com
O1 - Hosts: 127.0.0.75 www.kephyr.com
O1 - Hosts: 127.0.0.78 www.lurkhere.com
O1 - Hosts: 127.0.0.79 www.majorgeeks.com
O1 - Hosts: 127.0.0.80 www.merijn.org
O1 - Hosts: 127.0.0.81 www.mjc1.com
O1 - Hosts: 127.0.0.82 www.moosoft.com
O1 - Hosts: 127.0.0.83 www.mvps.org
O1 - Hosts: 127.0.0.84 www.net-integration.net
O1 - Hosts: 127.0.0.85 www.noadware.net
O1 - Hosts: 127.0.0.86 www.no-spybot.com
O1 - Hosts: 127.0.0.87 www.onlinepcfix.com
O1 - Hosts: 127.0.0.88 www.pchell.com
O1 - Hosts: 127.0.0.89 www.pestpatrol.com
O1 - Hosts: 127.0.0.90 www.safer-networking.org
O1 - Hosts: 127.0.0.91 www.secureie.com
O1 - Hosts: 127.0.0.92 www.security.kolla.de
O1 - Hosts: 127.0.0.93 www.spybot.info
O1 - Hosts: 127.0.0.94 www.spychecker.com
O1 - Hosts: 127.0.0.95 www.spychecker.com
O1 - Hosts: 127.0.0.96 www.spycop.com
O1 - Hosts: 127.0.0.97 www.spyguard.com
O1 - Hosts: 127.0.0.98 www.spykiller.com
O1 - Hosts: 127.0.0.99 www.spyware.co.uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SysShield IE Popup Blocker - {9A23B8A4-C6C9-4A68-8FA6-5F905DC8FF80} - C:\Program Files\SysShield Tools\Internet Eraser\PKExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [OfferApp] C:\Program Files\OfferApp\OfferApp.exe
O4 - HKLM\..\Run: [uvyhorgz] C:\WINDOWS\uvyhorgz.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [chic dumb default 32] C:\Documents and Settings\All Users\Application Data\way wave chic dumb\EggsDvd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [longdriveloadwindow] C:\Documents and Settings\All Users\Application Data\moreboltlongdrive\Web Coal.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Gluecopy] C:\DOCUME~1\Owner\APPLIC~1\AnteBalm\anti once.exe
O4 - Startup: AbsoluteShield Internet Eraser.lnk = C:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: AbsoluteShield Internet Eraser - {4A0EF50C-6A4A-4b30-84D8-53D5BC95C043} - C:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\asnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\aslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\aslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\aslsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: ADVFN - http://www.advfn.com/cmn/stream/ducab.cab
O16 - DPF: ADVFN 4v4 - http://www.advfn.com/p.php?pid=loadercab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E917678-F730-4DA3-8E10-F3A50324F3D6}: NameServer = 195.92.195.94 195.92.195.95
O17 - HKLM\System\CS1\Services\Tcpip\..\{6E917678-F730-4DA3-8E10-F3A50324F3D6}: NameServer = 195.92.195.94 195.92.195.95

#2 daveai

Posted 18 December 2004 - 08:35 PM

Your logfile is being analyzed now, and a response will be posted shortly.

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#3 daveai

Posted 18 December 2004 - 09:04 PM

brokeroad -- Thanks for sending your HijackThis log.

Your system shows a 'LOP' infection.


Since you will not be able to access this page in safe mode during this fix, please print these instructions now, or save them to your desktop, to help keep track of the steps.


To start, follow this link for instructions to enable 'show all files' for your system.


1 -- Please follow the instructions in this link below to download and run Spybot & AdAware SE: Spybot & Adaware Tutorial

Please let me know if anything can not be cleaned by these utilities.


2 -- Next, use Control Panel > Add/Remove Programs to remove any of the following malware that you find:

Window Search,
Window Searching,
Lop.com,
LOP Search,
Browser Enhancer,
Ultimate Browser Enhancer. If you are given a code to insert, do so.



3 -- Run HijackThis, and press Scan, and put a check against the following entries, if they still show up. Make sure all browsers and program windows are closed except for HijackThis.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dmvnnylgbkzmdv.com/M4KNEgROKTYg...dCYVCVbLAMN.jpg


O1 - Hosts: 127.0.0.0 localhost

O1 - Hosts: 127.0.0.2 auditmypc.com

O1 - Hosts: 127.0.0.3 boards.cexx.org

O1 - Hosts: 127.0.0.4 bulletproofsoft.net

O1 - Hosts: 127.0.0.5 camtech2000.net

O1 - Hosts: 127.0.0.6 cexx.org

O1 - Hosts: 127.0.0.7 computercops.us

O1 - Hosts: 127.0.0.8 ct7support.com

O1 - Hosts: 127.0.0.9 doxdesk.com

O1 - Hosts: 127.0.0.20 kellys-korner-xp.com

O1 - Hosts: 127.0.0.21 kephyr.com

O1 - Hosts: 127.0.0.24 lurkhere.com

O1 - Hosts: 127.0.0.25 majorgeeks.com

O1 - Hosts: 127.0.0.26 merijn.org

O1 - Hosts: 127.0.0.27 mjc1.com

O1 - Hosts: 127.0.0.28 moosoft.com

O1 - Hosts: 127.0.0.29 mvps.org

O1 - Hosts: 127.0.0.30 net-integration.net

O1 - Hosts: 127.0.0.31 noadware.net

O1 - Hosts: 127.0.0.32 no-spybot.com

O1 - Hosts: 127.0.0.33 onlinepcfix.com

O1 - Hosts: 127.0.0.34 pchell.com

O1 - Hosts: 127.0.0.35 pestpatrol.com

O1 - Hosts: 127.0.0.36 safer-networking.org

O1 - Hosts: 127.0.0.37 secure.spykiller.com

O1 - Hosts: 127.0.0.38 secureie.com

O1 - Hosts: 127.0.0.39 security.kolla.de

O1 - Hosts: 127.0.0.40 spybot.info

O1 - Hosts: 127.0.0.41 spychecker.com

O1 - Hosts: 127.0.0.42 spychecker.com

O1 - Hosts: 127.0.0.43 spycop.com

O1 - Hosts: 127.0.0.44 spyguard.com

O1 - Hosts: 127.0.0.45 spykiller.com

O1 - Hosts: 127.0.0.46 spyware.co.uk

O1 - Hosts: 127.0.0.47 spyware-cop.com

O1 - Hosts: 127.0.0.48 spywareinfo.com

O1 - Hosts: 127.0.0.49 spywarenuker.com

O1 - Hosts: 127.0.0.50 spywareremove.com

O1 - Hosts: 127.0.0.51 spywareremove.com

O1 - Hosts: 127.0.0.52 stopzillapro.com

O1 - Hosts: 127.0.0.53 sunbelt-software.com

O1 - Hosts: 127.0.0.54 thiefware.com

O1 - Hosts: 127.0.0.55 tomcoyote.org

O1 - Hosts: 127.0.0.56 unwantedlinks.com

O1 - Hosts: 127.0.0.57 webattack.com

O1 - Hosts: 127.0.0.58 wilders.org

O1 - Hosts: 127.0.0.59 www.auditmypc.com

O1 - Hosts: 127.0.0.60 www.bulletproofsoft.net

O1 - Hosts: 127.0.0.61 www.cexx.org

O1 - Hosts: 127.0.0.62 www.computercops.us

O1 - Hosts: 127.0.0.63 www.ct7support.com

O1 - Hosts: 127.0.0.64 www.doxdesk.com

O1 - Hosts: 127.0.0.65 www.eblocs.com

O1 - Hosts: 127.0.0.66 www.enigmasoftwaregroup.com

O1 - Hosts: 127.0.0.67 www.free-spyware-scan.com

O1 - Hosts: 127.0.0.68 www.free-web-browsers.com

O1 - Hosts: 127.0.0.69 www.grc.com

O1 - Hosts: 127.0.0.70 www.grisoft.com

O1 - Hosts: 127.0.0.71 www.hackfaq.org

O1 - Hosts: 127.0.0.72 www.hazeleger.net

O1 - Hosts: 127.0.0.73 www.javacoolsoftware.com

O1 - Hosts: 127.0.0.74 www.kellys-korner-xp.com

O1 - Hosts: 127.0.0.75 www.kephyr.com

O1 - Hosts: 127.0.0.78 www.lurkhere.com

O1 - Hosts: 127.0.0.79 www.majorgeeks.com

O1 - Hosts: 127.0.0.80 www.merijn.org

O1 - Hosts: 127.0.0.81 www.mjc1.com

O1 - Hosts: 127.0.0.82 www.moosoft.com

O1 - Hosts: 127.0.0.83 www.mvps.org

O1 - Hosts: 127.0.0.84 www.net-integration.net

O1 - Hosts: 127.0.0.85 www.noadware.net

O1 - Hosts: 127.0.0.86 www.no-spybot.com

O1 - Hosts: 127.0.0.87 www.onlinepcfix.com

O1 - Hosts: 127.0.0.88 www.pchell.com

O1 - Hosts: 127.0.0.89 www.pestpatrol.com

O1 - Hosts: 127.0.0.90 www.safer-networking.org

O1 - Hosts: 127.0.0.91 www.secureie.com

O1 - Hosts: 127.0.0.92 www.security.kolla.de

O1 - Hosts: 127.0.0.93 www.spybot.info

O1 - Hosts: 127.0.0.94 www.spychecker.com

O1 - Hosts: 127.0.0.95 www.spychecker.com

O1 - Hosts: 127.0.0.96 www.spycop.com

O1 - Hosts: 127.0.0.97 www.spyguard.com

O1 - Hosts: 127.0.0.98 www.spykiller.com

O1 - Hosts: 127.0.0.99 www.spyware.co.uk


O4 - HKLM\..\Run: [uvyhorgz] C:\WINDOWS\uvyhorgz.exe

O4 - HKLM\..\Run: [chic dumb default 32] C:\Documents and Settings\All Users\Application Data\way wave chic dumb\EggsDvd.exe

O4 - HKLM\..\Run: [longdriveloadwindow] C:\Documents and Settings\All Users\Application Data\moreboltlongdrive\Web Coal.exe

O4 - HKCU\..\Run: [Gluecopy] C:\DOCUME~1\Owner\APPLIC~1\AnteBalm\anti once.exe


Did you install these poker apps yourself? If yes, then leave them alone. Otherwise, fix them now.

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll

O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe


These are optional items you may choose to fix:

Application Scheduler is installed along with RealOne Player and is running in startup, and is not needed. Once installed, it runs independently of RealOne Player and consumes resources. You can fix this with HJT, but you will also need to set it not to load in RealPlayer itself to keep it from resetting itself: (1) Start RealOne Player (2) Tools -> Preferences (3) Automatic services in the Categories pane (4) Uncheck all options and then OK.

It's also a good idea to rename realsched.exe itself to prevent this from re-installing.

This is the item to fix in HJT:
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

Office Startup Assistant is an optional item that if checked, will eliminate a known resource hog. You will still be able to start Office components from the Start menu. This is the item to fix in HJT:
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE


Once you have selected all the items for HJT to fix, and remember to make sure all browsers and program windows are closed except for HijackThis, then click fix checked.



4 -- Reboot into Safe Mode (How do I boot into "Safe" mode?), then use Windows Explorer to delete the following lists of program files and folders, if they still exist.

C:\WINDOWS\uvyhorgz.exe <-- this file

C:\Documents and Settings\All Users\Application Data\way wave chic dumb\ <-- this folder

C:\Documents and Settings\All Users\Application Data\moreboltlongdrive\ <-- this folder

C:\Documents and Settings\Owner\Application Data\AnteBalm\ <-- this folder


And, if you chose to delete these poker apps in HJT above, now delete the folders. Otherwise, leave them alone.

c:\program files\partypoker\ <-- this folder

C:\Program Files\ladbrokesMPP\ <-- this folder


Please let me know about any problems with the file/folder deletes.


5 -- Next, use "Start > Run" and type in "%temp%" (without the quotes). Delete the entire contents of that "temp" folder (use "Edit > Select All", press "Delete", click "Yes").

Then, Empty your Temporary Internet Cache completely. Close all instances of Outlook and Internet Explorer, then use "Control Panel > Internet Options > General tab" and click the "Delete File" button. When prompted place a check in: "Delete all offline content", then click OK.

Then, use Windows Explorer to clean out ALL the other temp folders on your system (navigate to the folder, use "Edit > Select All", press "Delete", click "Yes"):

* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\

* Empty your "Recycle Bin".

Please let me know about any problems with the temp file deletes.

Note: If you cannot delete them all at once because you have too many, then click and hold ctrl and highlight a batch of them at a time. Once highlighted, R-click over the highlight and select delete. Rinse, lather, repeat until the folder is empty.



6 -- Now, reboot normally and run either of these two Online virus scans: Panda Active Scan or TrendMicro Housecall and put on Auto Clean.


Now, reboot once again, and run HijackThis to create a new logfile. Repost it here, and if you had any problems with the steps outlined above, please let us know what they were. Your response and the new logfile will determine the next steps for this fix.

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous
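The entries daveai tells brokeroad to fix follow two patterns a defender can check mechanically rather than by eye: hosts-file lines that sinkhole security-vendor domains to 127.0.0.x (and a tampered `localhost` line), and Run-key autoruns launched from user-writable profile folders or straight out of the Windows root. The Python triage script below is an added example, not code from this thread or from HijackThis; the sample log lines are constructed from entries quoted above, and the path heuristics and function names are my own.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: a handful of lines in HijackThis v1.98 log format,
# modelled on entries quoted in this thread (not the full log).
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.0 localhost
O1 - Hosts: 127.0.0.2 auditmypc.com
O1 - Hosts: 127.0.0.36 safer-networking.org
O1 - Hosts: 127.0.0.90 www.safer-networking.org
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [uvyhorgz] C:\WINDOWS\uvyhorgz.exe
O4 - HKLM\..\Run: [chic dumb default 32] C:\Documents and Settings\All Users\Application Data\way wave chic dumb\EggsDvd.exe
O4 - HKCU\..\Run: [Gluecopy] C:\DOCUME~1\Owner\APPLIC~1\AnteBalm\anti once.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"""

LOOPBACK = ip_network("127.0.0.0/8")
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\]\s*(.*)$")

# Path fragments (heuristic, my own choice) that mark user-writable profile
# locations a legitimate vendor autorun would not normally launch from.
USER_WRITABLE = ("application data", "applic~1", "local settings", "locals~1", "\\temp\\")


def parse_hosts_entries(log):
    """Return (address, hostname) pairs from every 'O1 - Hosts:' line."""
    out = []
    for line in log.splitlines():
        m = HOSTS_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def find_hosts_hijacks(log):
    """Flag localhost mapped anywhere but 127.0.0.1, and any other name sent to loopback."""
    findings = []
    for addr, name in parse_hosts_entries(log):
        try:
            ip = ip_address(addr)
        except ValueError:
            findings.append((name, addr, "unparseable address"))
            continue
        if name.lower() == "localhost":
            if addr != "127.0.0.1":
                findings.append((name, addr, "localhost should map to 127.0.0.1"))
        elif ip in LOOPBACK:
            findings.append((name, addr, "external host sinkholed to loopback"))
    return findings


def _exe_path(rest):
    """Pull the executable path out of a Run value: quoted path, or text up to the first .exe."""
    rest = rest.strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", rest, re.I)
    return m.group(1) if m else rest


def find_suspicious_run_entries(log):
    """Flag autoruns from profile data folders or a bare C:\\WINDOWS\\name.exe (review, not verdict)."""
    findings = []
    for line in log.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        hive, name, rest = m.groups()
        path = _exe_path(rest)
        low = path.lower()
        if any(marker in low for marker in USER_WRITABLE):
            findings.append((name, path, "autorun from user-writable profile data directory"))
        elif re.match(r"^[a-z]:\\windows\\[^\\]+\.exe$", low):
            findings.append((name, path, "autorun from Windows directory root"))
    return findings


def triage(log):
    return {"hosts": find_hosts_hijacks(log), "run": find_suspicious_run_entries(log)}


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        for name, target, reason in items:
            print(f"[{section}] {name} -> {target}: {reason}")
```

The Windows-root rule is deliberately a review prompt, not a verdict: OEM helpers such as the SM1BG.EXE entry in this log also live there, so an analyst still confirms each hit.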

#4 brokeroad

Posted 20 December 2004 - 01:25 PM

Hi Daveai, thanks for replying. Firstly before completing the actions you requested I visited the lop.com website and ran their uninstall program, which removed the toolbar and stopped the adverts. The following is the latest Hijackthis logfile:

Logfile of HijackThis v1.99.0
Scan saved at 18:20:14, on 20/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
c:\sdwork\issimsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe
C:\Program Files\OfferApp\OfferApp.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.advfn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SysShield IE Popup Blocker - {9A23B8A4-C6C9-4A68-8FA6-5F905DC8FF80} - C:\Program Files\SysShield Tools\Internet Eraser\PKExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [OfferApp] C:\Program Files\OfferApp\OfferApp.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: AbsoluteShield Internet Eraser.lnk = C:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Program Files\ladbrokesMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: AbsoluteShield Internet Eraser - {4A0EF50C-6A4A-4b30-84D8-53D5BC95C043} - C:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\asnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\aslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\aslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\aslsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: ADVFN - http://www.advfn.com/cmn/stream/ducab.cab
O16 - DPF: ADVFN 4v4 - http://www.advfn.com/p.php?pid=loadercab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\Software\..\Telephony: DomainName =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ISSI EZUpdate - IBM Global Services - c:\sdwork\issimsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#5 daveai

Posted 20 December 2004 - 10:15 PM

Thanks for the update.

Here's what gave you LOP in the first place:

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"

I strongly recommend you get rid of it using 'Control Panel > Add/Remove Programs'.

Other than the items I questioned in the first fix, and the optional items, your logfile looks to be clean.

Other than Messenger Plus 3, which brings LOP with it, there is no malware evident on your system.


Also, HijackThis should be installed in its own folder (such as C:\HJT) to ensure that adequate backups are preserved. Since most malware fixes include clearing out the temp folders, you will lose the HJT backups if you continue to run from 'C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe'


Now, please allow me to suggest some prevention steps to keep your computer clean and secure going forward. You may have already taken a few of the steps, but it never hurts to take a quick look.

1 -- Be sure you update your anti-virus software at least once a week. There are several very good free programs available.

2 -- To reduce re-infection potential for malware in the future, I strongly recommend installing three free programs: SpywareBlaster, SpywareGuard, and IE/Spyad.

3 -- Use AdAware SE and Spybot S&D regularly to scan your system.

4 -- Continue to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.


5 -- I strongly recommend that you consider using a Firewall. Just using a Firewall in its default configuration can lower your risk greatly. Check out what Lawrence Abrams has to say at Understanding and Using Firewalls.

An excellent overview is: So how did I get infected in the first place?. Be sure to visit the browser test link at the end of the article to really see how secure your system is!!

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous
