Need Help


  • This topic is locked
13 replies to this topic

#1 jetusus

jetusus

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:04:38 PM

Posted 05 January 2005 - 06:13 PM

If anyone could help I would be grateful. I'm not an expert at this sort of stuff; I've followed along with some stuff that I've read so far and did a scan with HJT, and this is what I got. I know for sure that this trusted site keeps coming back every time I trash it. :thumbsup:



Logfile of HijackThis v1.99.0
Scan saved at 6:00:26 PM, on 1/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\unlodctl.exe
C:\WINDOWS\system32\openconf.exe
C:\WINDOWS\system32\unlodctl.exe
C:\WINDOWS\system32\unlodctl.exe
C:\WINDOWS\system32\unlodctl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINDOWS\system32\unlodctl.exe
C:\WINDOWS\system32\nlsfuncs.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {BFE20FF5-C229-8902-4AEC-77C4956C3DBE} - prcmon.dll (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lpt] sysmon12.exe
O4 - HKLM\..\Run: [321102] cnftips.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [AppMasterCenter] MNTP.exe
O4 - HKCU\..\Run: [killall] br0ken.exe
O4 - HKCU\..\Run: [backorif] forces_elite.exe
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Kevin Stuff\Kevin's Course,Corespondence\PWS\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = D:\Office10\OSA.EXE
O4 - Global Startup: Microsoft.hta
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh309190.dll/201
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2B2748A-05CF-4E52-911A-D4F263FEF992}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{B443DC76-F3B5-4CFF-8C89-7BD08160D5E3}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS2\Services\Tcpip\..\{B2B2748A-05CF-4E52-911A-D4F263FEF992}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS3\Services\Tcpip\..\{B2B2748A-05CF-4E52-911A-D4F263FEF992}: NameServer = 69.50.166.94,69.31.80.244
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe



#2 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:03:38 PM

Posted 06 January 2005 - 07:50 AM

Download remv3.zip from here (last post, you will see the attached file remv3.zip):

http://forums.skads.org/index.php?showtopic=80

and save it on your desktop. Then extract the zip file to c:\ms4hd.

Boot your computer into Safe Mode. Instructions on how to do this can be found here:

How to boot Windows into Safe Mode

Navigate to c:\ms4hd and double-click on the remv3.bat file. When it is done it will open a log file of what it found. This log file is saved in c:\log.txt.

Reboot your computer back to normal mode and post the contents of c:\log.txt. To open it, click on start, then run, and type notepad c:\log.txt and press the OK button.

A notepad will open up. Please create a reply to this message and post the contents of that notepad along with a new hijackthis log.

Edited by cryo, 06 January 2005 - 07:51 AM.

Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?


#3 jetusus

  • Topic Starter

Posted 06 January 2005 - 10:11 PM

I did exactly what you had asked, here it is. First I ran the bat file.

I noticed that I got an error (missing mqappsrvc32.exe) message while XP was loading up. Also getting "The page cannot display" while going from web page to web page. I have noticed not even one nasty pop-up. I think it's fixed; I'm keeping my fingers crossed, not 100% sure if it's fixed. I also noticed that there is no more http://*.63.219.181.7 in the trusted zone.

I do really thank you for helping me with this.



Files Found.................
----------------------------------------
unlodctl.exe
spnping.exe
qappsrvc32.exe
pentxpl.exe
openconf.exe
nlsfuncs.exe
dx9vbc.dll
dnsauth.dll
taskopen.exe
iecust.exe

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------


Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
hdji.dll
msi.dll
mswx.dll
msvw.dll
Finished






Here is HJT log


Logfile of HijackThis v1.99.0
Scan saved at 8:19:24 PM, on 1/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {BFE20FF5-C229-8902-4AEC-77C4956C3DBE} - prcmon.dll (file missing)
O2 - BHO: (no name) - {E1400895-9475-4968-9388-EAFE015F340E} - C:\WINDOWS\system32\mswx.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [taskopen.exe] taskopen.exe
O4 - HKLM\..\Run: [lpt] sysmon12.exe
O4 - HKLM\..\Run: [321102] cnftips.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AppMasterCenter] MNTP.exe
O4 - HKCU\..\Run: [killall] br0ken.exe
O4 - HKCU\..\Run: [backorif] forces_elite.exe
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Kevin Stuff\Kevin's Course,Corespondence\PWS\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Office.lnk = D:\Office10\OSA.EXE
O4 - Global Startup: Microsoft.hta
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh309190.dll/201
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2B2748A-05CF-4E52-911A-D4F263FEF992}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{B443DC76-F3B5-4CFF-8C89-7BD08160D5E3}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS2\Services\Tcpip\..\{B2B2748A-05CF-4E52-911A-D4F263FEF992}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS3\Services\Tcpip\..\{B2B2748A-05CF-4E52-911A-D4F263FEF992}: NameServer = 69.50.166.94,69.31.80.244
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

Edited by jetusus, 06 January 2005 - 10:17 PM.


#4 Daisuke


Posted 07 January 2005 - 05:28 AM

Hi :thumbsup:

Download System Security Suite here:
System Security Suite Download & Tutorial. Unzip it to your desktop.
Install the program. Don't use it yet.

Please print or copy these instructions because you are not able to access the Internet in SafeMode.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

REBOOT into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Run HijackThis!, press Scan, and put a check mark next to all these:

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R3 - URLSearchHook: (no name) - {BFE20FF5-C229-8902-4AEC-77C4956C3DBE} - prcmon.dll (file missing)

O2 - BHO: (no name) - {E1400895-9475-4968-9388-EAFE015F340E} - C:\WINDOWS\system32\mswx.dll

O4 - HKLM\..\Run: [taskopen.exe] taskopen.exe
O4 - HKLM\..\Run: [lpt] sysmon12.exe
O4 - HKLM\..\Run: [321102] cnftips.exe
O4 - HKCU\..\Run: [AppMasterCenter] MNTP.exe
O4 - HKCU\..\Run: [killall] br0ken.exe
O4 - HKCU\..\Run: [backorif] forces_elite.exe
O4 - Global Startup: Microsoft.hta

Close all other windows and browsers, and press the Fix Checked button.

Search for these files and delete them if present:
prcmon.dll <-- this file
C:\WINDOWS\system32\mswx.dll <-- this file
taskopen.exe <-- this file
sysmon12.exe <-- this file
cnftips.exe <-- this file
MNTP.exe <-- this file
br0ken.exe <-- this file
forces_elite.exe <-- this file
Microsoft.hta <-- this file
hdji.dll <-- this file
msvw.dll <-- this file


With all windows and browsers closed, clean out temporary and Temporary Internet Files.
A. Open System Security Suite.
B. In the Items to Clear tab tick:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
Press the Clear Selected Items button.
Close the program.

REBOOT normally.

Perform at least two online scans.

Perform a full scan here: Trendmicro, check AutoClean and let it remove anything it finds.

Perform a full scan here: Panda Online, follow the instructions on the screen, make sure these are checked:
- Disinfect automatically
- Scan compressed files
- Scan e-mail files
- Neutralize Trojans
and let it remove anything it finds.

Perform a full scan here: BitDefender Free Online Virus Scan
Follow the instructions on the screen.
Tick all the boxes on the left and let it remove anything it finds.

Run HijackThis! again and post a new log please.

#5 jetusus


Posted 08 January 2005 - 08:29 PM

Well here it is. I've done exactly what you've said.





Logfile of HijackThis v1.99.0
Scan saved at 8:05:55 PM, on 1/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Kevin Stuff\Kevin's Course,Corespondence\PWS\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Office.lnk = D:\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh309190.dll/201
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2B2748A-05CF-4E52-911A-D4F263FEF992}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{B443DC76-F3B5-4CFF-8C89-7BD08160D5E3}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS2\Services\Tcpip\..\{B2B2748A-05CF-4E52-911A-D4F263FEF992}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS3\Services\Tcpip\..\{B2B2748A-05CF-4E52-911A-D4F263FEF992}: NameServer = 69.50.166.94,69.31.80.244
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

#6 Daisuke


Posted 08 January 2005 - 09:11 PM

Run HijackThis!, press Scan, and put a check mark next to all these:

O17 - HKLM\System\CCS\Services\Tcpip\..\{B2B2748A-05CF-4E52-911A-D4F263FEF992}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{B443DC76-F3B5-4CFF-8C89-7BD08160D5E3}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS2\Services\Tcpip\..\{B2B2748A-05CF-4E52-911A-D4F263FEF992}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS3\Services\Tcpip\..\{B2B2748A-05CF-4E52-911A-D4F263FEF992}: NameServer = 69.50.166.94,69.31.80.244


Close all other windows and browsers, and press the Fix Checked button.

REBOOT your machine, run HijackThis! again and post a new log please.
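The check a helper makes by eye between a fix list and the next posted log, as an added example (not part of the original thread and not HijackThis code). The function names are hypothetical, and the sample logs are short excerpts constructed from entries posted above.

```python
import re

# HijackThis entry lines start with a section code such as R1, O4 or O17,
# followed by " - " and the entry detail.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2})\s+-\s+(?P<detail>.+?)\s*$")


def parse_entries(log_text):
    """Return the set of (code, detail) entries in a HijackThis log.

    Header lines and the "Running processes" paths do not match the
    entry pattern and are skipped.
    """
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group("code"), m.group("detail")))
    return entries


def compare_logs(before_text, after_text):
    """Split entries into removed, persisted and newly added between two logs."""
    before = parse_entries(before_text)
    after = parse_entries(after_text)
    return {
        "removed": sorted(before - after),
        "persisted": sorted(before & after),
        "added": sorted(after - before),
    }


def unfixed(fix_list_text, followup_text):
    """Entries selected for fixing that still appear in the follow-up log."""
    return sorted(parse_entries(fix_list_text) & parse_entries(followup_text))


# Constructed excerpt of the log from post #3 (header lines kept on purpose).
BEFORE = r"""
Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
O2 - BHO: (no name) - {E1400895-9475-4968-9388-EAFE015F340E} - C:\WINDOWS\system32\mswx.dll
O4 - HKLM\..\Run: [taskopen.exe] taskopen.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [killall] br0ken.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2B2748A-05CF-4E52-911A-D4F263FEF992}: NameServer = 69.50.166.94,69.31.80.244
"""

# Constructed excerpt of the entries checked for fixing in post #4.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
O2 - BHO: (no name) - {E1400895-9475-4968-9388-EAFE015F340E} - C:\WINDOWS\system32\mswx.dll
O4 - HKLM\..\Run: [taskopen.exe] taskopen.exe
O4 - HKCU\..\Run: [killall] br0ken.exe
"""

# Constructed excerpt of the follow-up log from post #5.
AFTER = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2B2748A-05CF-4E52-911A-D4F263FEF992}: NameServer = 69.50.166.94,69.31.80.244
"""

if __name__ == "__main__":
    print("Still present after fix:", unfixed(FIX_LIST, AFTER))
    for kind, items in compare_logs(BEFORE, AFTER).items():
        for code, detail in items:
            print(f"{kind:9} {code:4} {detail}")
```

On these excerpts every fix-list entry is gone, while the O17 NameServer entry shows up as persisted, which is the entry the post above selects for fixing next.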

#7 jetusus


Posted 09 January 2005 - 10:01 PM

I've performed the scan with Hj and deleted exactly what you had requested. And here is the latest scan after rebooting. I have to really thank you, as there have been no more nasties.





Logfile of HijackThis v1.99.0
Scan saved at 9:56:25 PM, on 1/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Kevin Stuff\Kevin's Course,Corespondence\PWS\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Office.lnk = D:\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Get It With Kontiki - res://C:\Program Files\Kontiki\bin\bh309190.dll/201
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

#8 Daisuke


Posted 10 January 2005 - 04:52 AM

Log looks clean...great job ! :thumbsup:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

How did I get infected ? With steps so it does not happen again !

Glad I was able to help.

#9 jetusus


Posted 10 January 2005 - 07:24 PM

:thumbsup:



Thanks a lot, truly do thank you. I shall read the how to stay clean link.

#10 Daisuke


Posted 11 January 2005 - 08:02 AM

You're Welcome ! Happy surfing :thumbsup:

#11 jetusus


Posted 15 January 2005 - 02:38 PM

Thank you and likewise. Just one more thing I have noticed after experiencing this problem: while now surfing from web site to web site, a lot of the web sites that I went to before having this problem are now showing a partial display of the web page and the rest would indicate:



"The page cannot be displayed
The page you are looking for is currently unavailable. The Web site might be experiencing technical difficulties, or you may need to adjust your browser settings.

Please try the following:

Click the Refresh button, or try again later.

If you typed the page address in the Address bar, make sure that it is spelled correctly.

To check your connection settings, click the Tools menu, and then click Internet Options. On the Connections tab, click Settings. The settings should match those provided by your local area network (LAN) administrator or Internet service provider (ISP).
See if your Internet connection settings are being detected. You can set Microsoft Windows to examine your network and automatically discover network connection settings (if your network administrator has enabled this setting).
Click the Tools menu, and then click Internet Options.
On the Connections tab, click LAN Settings.
Select Automatically detect settings, and then click OK.
Some sites require 128-bit connection security. Click the Help menu and then click About Internet Explorer to determine what strength security you have installed.
If you are trying to reach a secure site, make sure your Security settings can support it. Click the Tools menu, and then click Internet Options. On the Advanced tab, scroll to the Security section and check settings for SSL 2.0, SSL 3.0, TLS 1.0, PCT 1.0.
Click the Back button to try another link.



Cannot find server or DNS Error
Internet Explorer




Any suggestions?

#12 Daisuke


Posted 15 January 2005 - 03:49 PM

Please give me some examples. What pages ?

#13 jetusus


Posted 17 January 2005 - 06:02 PM

Like www.msn.com, just on the top right hand side of the page is incomplete.

Just under the links My MSN Hotmail Messenger PC Search


It just says click here and directly below that it says "The page cannot be displayed"

#14 Daisuke


Posted 17 January 2005 - 06:19 PM

Use this tutorial to reset your browser settings:
http://www.yahoo-help.com/cannotviewprofiles.html


Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.

Edited by Daisuke, 13 February 2005 - 03:39 AM.
