Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT log- espnking2002


  • Please log in to reply
9 replies to this topic

#1 espnking2002

espnking2002

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:36 PM

Posted 19 December 2004 - 11:21 PM

Hi,

I'm having probems using my AIM because of the HSA, Shopping Wizard, and Search Extender. I've downloaded your program and I want to know what to remove. This is my log:


Logfile of HijackThis v1.98.2
Scan saved at 11:16:10 PM, on 12/19/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\appkp32.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\ntfo.exe
C:\valve\steam\steam.exe
C:\Documents and Settings\Owner\Application Data\ttuh.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\WINDOWS\system32\??rss.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\LimeWire\LimeWire 4.2.4\LimeWire.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\LimeWire\LimeWire 4.2.4\LimeWire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hhoih.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hhoih.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hhoih.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hhoih.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hhoih.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hhoih.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hhoih.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://activate.verizon.net/launch/res1/save_your_settings
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {E2E42714-26F5-36BD-8037-519CCFD1DBEE} - C:\WINDOWS\system32\d3ak32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [tqdcxxxdzbugm] C:\WINDOWS\System32\alnycef.exe
O4 - HKLM\..\Run: [cryp32.exe] C:\WINDOWS\system32\cryp32.exe
O4 - HKLM\..\Run: [Create A Monster] "C:\Program Files\Kudd.com\createAMonster.exe" -run
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [w3rS37T] qapclass.exe
O4 - HKLM\..\Run: [ntte.exe] C:\WINDOWS\system32\ntte.exe
O4 - HKLM\..\Run: [crhy.exe] C:\WINDOWS\system32\crhy.exe
O4 - HKLM\..\Run: [ntfo.exe] C:\WINDOWS\system32\ntfo.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - HKCU\..\Run: [Steam] "c:\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Owner\Application Data\ttuh.exe
O4 - HKCU\..\Run: [h002RXfFV] rdsdmgr.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [Cxhcjfos] C:\WINDOWS\system32\??rss.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - Global Startup: LimeWire 4.2.4.lnk = C:\Program Files\LimeWire\LimeWire 4.2.4\LimeWire.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {DBAE7000-01EC-4162-8FEB-8A27AC937CA0} - http://webpdp.gator.com/4/download/hdplugi...ndle33v2d33.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab



Thank you.

BC AdBot (Login to Remove)

 


#2 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:09:36 PM

Posted 21 December 2004 - 04:37 AM

Hi

Unistall from Add\Remove Programs"
TSA
Virtual Bouncer


To remove ISTBar & Components use please this Symantec Tool: http://sarc.com/avcenter/venc/data/adware.istbar.html
Follow Symatec's instructions for how to run it.



Please Download LSPFix from: LSP-Fix

Disconnect from the Internet and close all Internet Explorer windows. Run then program, check the "I know what I'm doing" button and place all listings of

calsp.dll

into the remove section by clicking on the button that points to the right. Do not remove any others. When all instances of this dll are in the Remove section. Press the Finish button.

Reboot your computer.

To see a tutorial on how to use this program click the link below:
Using LSP-Fix to remove LSP Spyware & Hijackers



Download System Security Suite here:
System Security Suite Download & Tutorial. Unzip it to your desktop.
Install the program. Don't use it yet.

Please print or copy these instructions because you are not able to access the Internet in SafeMode.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

REBOOT into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Run HijackThis!, press Scan, and put a check mark next to all these:

O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [w3rS37T] qapclass.exe
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Owner\Application Data\ttuh.exe
O4 - HKCU\..\Run: [h002RXfFV] rdsdmgr.exe
O4 - HKCU\..\Run: [Cxhcjfos] C:\WINDOWS\system32\??rss.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe

O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {886DDE35-E955-11D0-A707-000000521958} - http://69.56.176.78/webplugin.cab
O16 - DPF: {DBAE7000-01EC-4162-8FEB-8A27AC937CA0} - http://webpdp.gator.com/4/download/hdplugi...ndle33v2d33.cab


Close all other windows and browsers, and press the Fix Checked button.

Search for these files and delete them if found:
qapclass.exe <-- this file
C:\Documents and Settings\Owner\Application Data\ttuh.exe <-- this file

Delete these folders:
C:\Program files\VBouncer\ <-- this folder
C:\Program files\Common files\tsa\ <-- this folder

With all windows and browsers closed.
Clean out temporary and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab thick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program.

REBOOT normally.

Run HijackThis! again and post a new log please.
Download the latest version of HijackThis!: Download here HJT 1.99. Save it on your Desktop. You will need now to unzip hijackthis.exe to a permanent folder, such as c:\hjt . This has to be done as HijackThis creates backups. You may need to use these backups.

First create a new folder:
A. Click My Computer icon on your desktop
B. Click C: drive
C. Click the File menu --> New --> Folder, a folder "New folder" will be created.
D. Rename it HJT

Unzip hijackthis.exe to the c:\HJT folder.

Run HijackThis.exe Press the Scan button, then Save Log.
Notepad will open.

In Notepad click
Edit menu --> Select All
then
Edit menu --> Copy

When responding to a post from one of our HJT Team members, please reply in the same topic - click the Add Reply button. Do not create a new topic for your reply. This will cause confusion and only cause a delay in the help you are receiving.

Right click in the message area and click on the paste option to paste the log into the post.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#3 espnking2002

espnking2002
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:36 PM

Posted 21 December 2004 - 09:49 AM

For some reason I could not download the security suite. Everytime I did a message popped up saying that the folder was compressed and I couldn't od anything about it. Do you know what I should do here?

#4 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:09:36 PM

Posted 21 December 2004 - 01:20 PM

Security Suite is not an essential tool. Please follow the other steps.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#5 espnking2002

espnking2002
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:36 PM

Posted 21 December 2004 - 06:10 PM

I've done everything you've told me to do besides delete antthing with the security suite. Here is my log:



Logfile of HijackThis v1.97.7
Scan saved at 6:08:54 PM, on 12/21/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\appkp32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\ntte.exe
C:\Program Files\Messenger\msmsgs.exe
C:\valve\steam\steam.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\WINDOWS\system32\winupdt.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dqhim.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dqhim.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dqhim.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dqhim.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dqhim.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dqhim.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dqhim.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = https://activate.verizon.net/launch/res1/save_your_settings
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8A8F47B1-61ED-1CBB-2DB3-D81BFA6E22BF} - C:\WINDOWS\iebv32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [tqdcxxxdzbugm] C:\WINDOWS\System32\alnycef.exe
O4 - HKLM\..\Run: [cryp32.exe] C:\WINDOWS\system32\cryp32.exe
O4 - HKLM\..\Run: [Create A Monster] "C:\Program Files\Kudd.com\createAMonster.exe" -run
O4 - HKLM\..\Run: [ntte.exe] C:\WINDOWS\system32\ntte.exe
O4 - HKLM\..\Run: [crhy.exe] C:\WINDOWS\system32\crhy.exe
O4 - HKLM\..\Run: [ntfo.exe] C:\WINDOWS\system32\ntfo.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\system32\winupdtl.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - HKCU\..\Run: [Steam] "c:\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LimeWire 4.2.4.lnk = C:\Program Files\LimeWire\LimeWire 4.2.4\LimeWire.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

#6 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:09:36 PM

Posted 22 December 2004 - 04:57 AM

I've done everything you've told me to do besides delete antthing with the security suite

:thumbsup:

This is very important:
Read my above message and download please the LATEST version of hijackthis.

REBOOT your computer, run hijackthis.exe and post a new log.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#7 espnking2002

espnking2002
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:36 PM

Posted 25 December 2004 - 03:17 PM

I've lloked everywhere and I can't find an uncompressed version of HJT. Do you know a link to get one? Thanks.

#8 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:09:36 PM

Posted 25 December 2004 - 04:48 PM

Do you know how to download a file ? Right click on the link --> Save Target As
Here is the link: http://www.bleepingcomputer.com/files/Merijn/HijackThis.zip

Save the file on your desktop and follow my above instructions to put it in a permanent folder..

I can't find an uncompressed version of HJT

You will not find one. HijackThis is zipped.


Download CWShredder from here - follow this link.
After you download the program, unzip it into a directory.

REBOOT into SafeMode: Starting your computer in Safe mode, use the F8 method

Make sure all browser windows are closed and run cwshredder.exe to start the program and click on the FIX button (not the "Scan only" button) and let it scan your computer.

REBOOT your computer and post a new hijackthis log.

Edited by cryo, 25 December 2004 - 04:49 PM.

Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#9 espnking2002

espnking2002
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:09:36 PM

Posted 27 December 2004 - 09:48 PM

Sorry for the trouble. Here's my log:



ogfile of HijackThis v1.99.0
Scan saved at 9:47:48 PM, on 12/27/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\appkp32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\ntfo.exe
C:\Program Files\Messenger\msmsgs.exe
C:\valve\steam\steam.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\LimeWire\LimeWire 4.2.4\LimeWire.exe
C:\WINDOWS\system32\winupdt.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tsiec.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tsiec.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\tsiec.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tsiec.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tsiec.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tsiec.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tsiec.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://activate.verizon.net/launch/res1/save_your_settings
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {986D20FC-69A6-1699-0255-1F512E089753} - C:\WINDOWS\netxs.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [tqdcxxxdzbugm] C:\WINDOWS\System32\alnycef.exe
O4 - HKLM\..\Run: [cryp32.exe] C:\WINDOWS\system32\cryp32.exe
O4 - HKLM\..\Run: [Create A Monster] "C:\Program Files\Kudd.com\createAMonster.exe" -run
O4 - HKLM\..\Run: [ntte.exe] C:\WINDOWS\system32\ntte.exe
O4 - HKLM\..\Run: [crhy.exe] C:\WINDOWS\system32\crhy.exe
O4 - HKLM\..\Run: [ntfo.exe] C:\WINDOWS\system32\ntfo.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\system32\winupdtl.exe
O4 - HKLM\..\RunOnce: [WildTangent CDA Uninstall0] C:\WINDOWS\system32\cmd.exe /c del /f C:\PROGRA~1\WILDTA~1\Apps\CDA\CDAENG~1.DLL
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - HKCU\..\Run: [Steam] "c:\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: LimeWire 4.2.4.lnk = C:\Program Files\LimeWire\LimeWire 4.2.4\LimeWire.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted IP range: (HKLM)
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\appkp32.exe

#10 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:09:36 PM

Posted 28 December 2004 - 11:10 AM

Hi :thumbsup:

You have Wild Tangent installed. Wild Tangent collects information about you and your usage. The advertisements may also contain pornographic or other material that you might find inappropriate. You can follow these instructions to uninstall it: No. 8 - Uninstallation .

Download System Security Suite here:
System Security Suite Download & Tutorial. Unzip it to your desktop.
Install the program. Don't use it yet.

Download Ad-aware SE 1.05: here
Install it. When you get the last screen, with the "Finish" button and 3 options, uncheck those three items.
Open AdAware and click the "Check for updates now" link. Close AdAware. Don't use it yet.

Make sure all browser windows are closed and run cwshredder.exe to start the program and click on the FIX button (not the "Scan only" button) and let it scan your computer.

Please print or copy these instructions because you are not able to access the Internet in SafeMode.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

REBOOT into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Run HijackThis!, press Scan, and put a check mark next to all these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tsiec.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tsiec.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\tsiec.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tsiec.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tsiec.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tsiec.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tsiec.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {986D20FC-69A6-1699-0255-1F512E089753} - C:\WINDOWS\netxs.dll

O4 - HKLM\..\Run: [tqdcxxxdzbugm] C:\WINDOWS\System32\alnycef.exe
O4 - HKLM\..\Run: [cryp32.exe] C:\WINDOWS\system32\cryp32.exe
O4 - HKLM\..\Run: [Create A Monster] "C:\Program Files\Kudd.com\createAMonster.exe" -run
O4 - HKLM\..\Run: [ntte.exe] C:\WINDOWS\system32\ntte.exe
O4 - HKLM\..\Run: [crhy.exe] C:\WINDOWS\system32\crhy.exe
O4 - HKLM\..\Run: [ntfo.exe] C:\WINDOWS\system32\ntfo.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\system32\winupdtl.exe

O15 - Trusted IP range: (HKLM)

O23 - Service: Network Security Service - Unknown - C:\WINDOWS\appkp32.exe


Close all other windows and browsers, and press the Fix Checked button.

Search for these files and delete them if found:
C:\WINDOWS\tsiec.dll <-- this file
C:\WINDOWS\netxs.dll <-- this file
C:\WINDOWS\appkp32.exe <-- this file
C:\WINDOWS\System32\alnycef.exe <-- this file
C:\WINDOWS\system32\cryp32.exe <-- this file
C:\WINDOWS\system32\ntte.exe <-- this file
C:\WINDOWS\system32\crhy.exe <-- this file
C:\WINDOWS\system32\ntfo.exe <-- this file
C:\WINDOWS\system32\winupdtl.exe <-- this file

Delete these folders:
C:\Program Files\Kudd.com\ <-- this folder

Make sure all browser windows are closed and run cwshredder.exe to start the program and click on the FIX button (not the "Scan only" button) and let it scan your computer.

Run AdAware, press the "Start" button, uncheck "Scan for negligible risk entries", select "Perform full system scan" and press "Next". Let AdAware remove anything it finds.


With all windows and browsers closed.
Clean out temporary and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab thick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program.

REBOOT normally.

Perform a full scan here: Trendmicro, check AutoClean and let him remove anything he finds.

Download VX2Finder from this link:
http://www.downloads.subratam.org/VX2Finder.exe
Run Vx2Finder and click on the Click to find VX2.BetterInternet button.

Click the Make Log button.

Save the log some place convenient like My Documents. Include the contents of the log in your next reply here.


Run HijackThis! again and post a new log please.
Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users