
Browser Hijacker Problem


7 replies to this topic

#1 rita

rita

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:43 AM

Posted 09 January 2005 - 01:13 AM

Internet, outlook exp and bank login not working

Attached Files




#2 penmore

penmore

    Malware Sniffer


  • Members
  • 757 posts
  • OFFLINE
  •  
  • Location:West Coast of Scotland
  • Local time:08:43 AM

Posted 09 January 2005 - 09:09 AM

Hello rita,

I'll be looking after your log review but before we can do that I need you to do a few things first:
  • You are using an outdated version of hijackthis. Please download the newer version.
    Download HijackThis from: HijackThis Download Site

  • You are running HijackThis from a temporary folder. When run from a temporary folder, the backups HijackThis makes may accidentally get deleted, so please put HijackThis into a permanent folder. Full instructions on how to do this can be found here: Detailed Explanation
    Brief instructions to create a permanent folder are:
    • Click My Computer, then C:\
    • In the menu bar, File->New->Folder.
    • That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
    • Now you have C:\HJT\ folder.
    • Unzip your new HijackThis.exe into the C:\HJT folder.
  • Run your new version of HijackThis and copy/paste a new log here using the Add Reply button. Please do not attach the HJT file to your post.

Edited by penmore, 09 January 2005 - 09:11 AM.


#3 rita

rita
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:43 AM

Posted 10 January 2005 - 06:03 AM

To HJT Professional:

I have previously sent you this same file in a temporary file on 9/1/05 and you told me that I had run the 198 version and to update to the new one, but it keeps crashing on me. So I have run the 198 version again and saved it in a permanent file like you said. But I can't use the reply button that you said to use; it keeps saying "this program is disabled". So I don't know what to do. How do I know who to trust when a message is being sent back to me?

Is it not safe to send my scanned file on my post?

#4 penmore

penmore

    Malware Sniffer


  • Members
  • 757 posts
  • OFFLINE
  •  
  • Location:West Coast of Scotland
  • Local time:08:43 AM

Posted 10 January 2005 - 02:50 PM

Hi rita,

Sorry if I didn't explain myself fully and that the new version of HijackThis is giving problems. I will need you to copy and paste information as we go through the fixes so if you can follow the instructions below and try to post an up-to-date log in this thread, we can start on fixing up your machine:
  • Open your Internet browser and come to this thread.
  • Scroll to the bottom of the thread and then minimize your browser.

  • Run HijackThis, click on the Scan button and then click on the Save log button.
  • Save the log file into the folder where you have the HijackThis.exe file, let it overwrite the existing file if it asks.
  • You should now have Notepad open with the contents of the HijackThis log.
  • If you right click on the Notepad contents you should be able to choose Select All from the popup menu.
  • Right click again and choose Copy from the popup menu.

  • Maximize your browser window so you can see the thread.
  • Near the very bottom of the screen there is a blue Add Reply button, Click on that.
  • Right click on the reply window and choose Paste from the dropdown menu.
  • Your log should then appear in the reply window.
  • You can then click on the white Add Reply button to post the log.

  • If you want to send additional information you can type that before or after you have pasted the log file contents.
Peter

#5 rita

rita
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:43 AM

Posted 10 January 2005 - 05:55 PM

Logfile of HijackThis v1.98.2
Scan saved at 9:51:03 AM, on 11/01/2005
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\Documents and Settings\Tuna\My Documents\Tayla's thingz\suff\MsgPlus.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\SpyBlocsv3.0\SpyBlocs3.0.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ad-Free\AdFree.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\intern~1\iexplore.exe
C:\PROGRA~1\Toolbar\PIB.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\bsplmf01.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tuna\My Documents\hijack198MGextract\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.giblutfpuxclqrgoadgnnmtri.com/Z...jYUG1bkuIgd.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bdyhtoqlrcnzbpvqukuaok.net/Zt5C...RymVdoFGbY.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.seekerbar.com/ie.aspx?tb_id=50154
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekerbar.com/ie.aspx?tb_id=50154
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {662CE865-1E3C-A5CF-7025-9F82D7B46B48} - C:\DOCUME~1\Tuna\APPLIC~1\DEADCOMP\Chic bold.exe
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Documents and Settings\Tuna\My Documents\Tayla's thingz\suff\MsgPlus.exe"
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Tickmemoregscopy] C:\Documents and Settings\All Users\Application Data\SurfPollTickMemo\Program nurb.exe
O4 - HKLM\..\Run: [SpyBlocs3.0] C:\Program Files\SpyBlocsv3.0\SpyBlocs3.0.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NNADFREE] "C:\Program Files\Ad-Free\AdFree.exe"
O4 - HKCU\..\Run: [holewin] C:\DOCUME~1\Tuna\APPLIC~1\PLUSSP~1\holdmixone.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'nnsp.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll

ASAP I've spent 7 complete days trying to get back my life!!!
Thanks, rita

#6 penmore

penmore

    Malware Sniffer


  • Members
  • 757 posts
  • OFFLINE
  •  
  • Location:West Coast of Scotland
  • Local time:08:43 AM

Posted 11 January 2005 - 10:06 AM

Hi rita,

There are a number of steps you need to take in order to clean your machine. Please carry out the steps in the order they are given. You may find it helpful to print these instructions out as you will not have access to the Internet whilst you are running in Safe mode.

Please read through all of the steps first to ensure you understand what I'm asking you to do. If you have any questions, please ask before you start the fixes.
  • You have Messenger Plus installed on your computer. This software is known to install spyware when you install it and is probably where your current infections came from. I would suggest that you remove it. If you would like to remove it, go into the Control Panel and then Add/Remove Programs and remove Messenger Plus.

  • You also have SpyBlocs3.0 installed on your system. This is on the rogue spyware list and is not recommended. I will supply alternative free programs to replace this. Suggest you remove it through your Add/Remove program facility. I will mark the log entry for removal.

  • Download System Security Suite here:
    System Security Suite Download & Tutorial. Unzip it to your desktop.
    Install the program. Don't use it yet.

  • Download Ad-Aware from the following link: Ad-Aware SE Personal 1.05. Install the software and from the opening page click on the Check for update now link. Install any updates that are available, then close Ad-Aware. Don't run it yet, we will do that later.

  • Download the Ad-Aware VX2 Cleaner add-on from here: VX2 Cleaner add on. Follow the instructions on the download link for installing the VX2 Cleaner plugin. Don't run it yet - we will do that later.

  • Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
    How to see hidden files in Windows

  • Restart your machine in Safe Mode:
    • Reboot your computer
    • As the machine starts, continually tap the F8 key
    • You will then be presented with a menu screen
    • Use the up/down arrow keys to select Safe Mode
    • Press the Enter key to boot in that mode.
  • Run HijackThis
    Click on the Scan button and when complete
    Put a check beside all of the items listed below
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.giblutfpuxclqrgoadgnnmtri.com/Z...jYUG1bkuIgd.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bdyhtoqlrcnzbpvqukuaok.net/Zt5C...RymVdoFGbY.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.seekerbar.com/ie.aspx?tb_id=50154
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekerbar.com/ie.aspx?tb_id=50154
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O2 - BHO: (no name) - {662CE865-1E3C-A5CF-7025-9F82D7B46B48} - C:\DOCUME~1\Tuna\APPLIC~1\DEADCOMP\Chic bold.exe
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Documents and Settings\Tuna\My Documents\Tayla's thingz\suff\MsgPlus.exe"
    Assuming that you removed the program through Add/Remove.
    O4 - HKLM\..\Run: [Tickmemoregscopy] C:\Documents and Settings\All Users\Application Data\SurfPollTickMemo\Program nurb.exe
    Remove if you don't recognize this program.
    O4 - HKLM\..\Run: [SpyBlocs3.0] C:\Program Files\SpyBlocsv3.0\SpyBlocs3.0.exe
    O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
    O4 - HKCU\..\Run: [holewin] C:\DOCUME~1\Tuna\APPLIC~1\PLUSSP~1\holdmixone.exe
    Remove if you don't remember installing this.
    O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll

    Close all open Explorer windows and browsers
    Click on the "Fix Checked" button
    When complete and all files removed, close the application

  • Please delete the following files or folders (delete item in bold). Please do not be concerned if any of the items are not found as they may have been automatically removed by actions I had you take earlier in the cleaning process.
    C:\PROGRAM FILES\Toolbar >>> Folder
    C:\DOCUME~1\Tuna\APPLICATION DATA\DEADCOMP\Chic bold.exe >>> file
    C:\Documents and Settings\Tuna\My Documents\Tayla's thingz\suff\MsgPlus.exe >>> file, assuming that it was removed earlier
    C:\Documents and Settings\All Users\Application Data\SurfPollTickMemo >>> Folder if you removed the O4 file
    C:\Program Files\SpyBlocsv3.0 >>> Folder
    C:\DOCUME~1\Tuna\APPLIC~1\PLUSSP~1\holdmixone.exe >>> File
  • Double click on the Ad-Aware icon to get the Ad-Aware start window.
    • Click on the Add-ons button on the left and click the Tools tab
    • You should find the VX2 plugin that you have installed earlier. Click on it to select
    • Click the Run Tool button to run then OK to execute the tool
    • Let me know what it finds when you post your new log.
  • Run Ad-Aware, Click on the Start button, check the Perform full system scan radio button, Click on the Next button to start the scan. When the scan has finished it will list any infections that it finds. Right click on the screen and select all items, click next to remove the infected entries. Full instructions for configuring and running Ad-Aware can be found here

  • Close all windows and browsers that are open.
    Clean out Temporary Folders and Temporary Internet Files as follows:
    • Open System Security Suite that I had you download earlier.
    • In the Items to Clear tab check:
      - Internet Explorer (left pane): Cookies & Temporary files
      - My Computer (right pane): Temporary files & Recycle Bin
    Click the Clear Selected Items button.
    Close the program.

  • Reboot your machine in normal mode, run HijackThis and post a new log here using the Add Reply button. Please include information about the VX2 plugin run and how your machine is performing now.

Edited by penmore, 11 January 2005 - 10:09 AM.
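Added by the editor, not part of penmore's or rita's posts: a small Python triage script that applies the same kind of rules penmore used when picking entries above (random-looking hostnames in R0/R1 entries, unnamed BHOs and URLSearchHooks, Run entries loading from Application Data, the broken O10 LSP chain, third-party O18 protocol handlers) to a constructed sample made from lines of the log rita posted. The length and consonant-run thresholds are the editor's assumptions, not HijackThis logic.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis v1.98.2 entries rita posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.giblutfpuxclqrgoadgnnmtri.com/Z...jYUG1bkuIgd.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bdyhtoqlrcnzbpvqukuaok.net/Zt5C...RymVdoFGbY.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.seekerbar.com/ie.aspx?tb_id=50154
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {662CE865-1E3C-A5CF-7025-9F82D7B46B48} - C:\DOCUME~1\Tuna\APPLIC~1\DEADCOMP\Chic bold.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Tickmemoregscopy] C:\Documents and Settings\All Users\Application Data\SurfPollTickMemo\Program nurb.exe
O4 - HKCU\..\Run: [holewin] C:\DOCUME~1\Tuna\APPLIC~1\PLUSSP~1\holdmixone.exe
O10 - Broken Internet access because of LSP provider 'nnsp.dll' missing
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
"""

LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# Per-user or all-users profile data folders, in both the long and the 8.3 short form.
PROFILE_DATA_RE = re.compile(r"(APPLIC~1|Application Data)\\", re.IGNORECASE)
# Thresholds are the editor's assumptions, tuned on the hostnames in this log.
MIN_LABEL_LEN, MIN_CONSONANT_RUN = 10, 5

def max_consonant_run(label: str) -> int:
    """Longest run of consecutive consonants; gibberish hostnames score high."""
    run = best = 0
    for ch in label.lower():
        if ch.isalpha() and ch not in "aeiou":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best

def looks_random(hostname: str) -> bool:
    """Apply the consonant-run heuristic to the second-level label of the host."""
    labels = hostname.lower().split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    return len(sld) >= MIN_LABEL_LEN and max_consonant_run(sld) >= MIN_CONSONANT_RUN

def reasons_for(code: str, rest: str) -> list:
    """Return the reasons one HijackThis entry (code, remainder) is suspicious."""
    reasons = []
    if code in ("R0", "R1"):
        m = re.search(r"=\s*(\S+)\s*$", rest)
        if m and "://" in m.group(1):
            url = m.group(1)
            host = urlparse(url).hostname or ""
            if looks_random(host):
                reasons.append("IE start/search setting points at random-looking host " + host)
            if url.lower().startswith("res://") and "\\windows\\" not in url.lower():
                reasons.append("IE search setting is served from a third-party DLL via res://")
    if code in ("R3", "O2", "O3", "O18") and "(no name)" in rest:
        reasons.append("unnamed browser extension or hook (no name)")
    if code in ("R3", "O2", "O3", "O4", "O18") and PROFILE_DATA_RE.search(rest):
        reasons.append("component loads from a profile data folder, not Program Files or Windows")
    if code == "O10" and "Broken Internet access" in rest:
        reasons.append("Winsock LSP chain is broken (provider DLL missing)")
    if code == "O18" and "\\windows\\" not in rest.lower():
        reasons.append("custom URL protocol handler registered by a third-party DLL")
    return reasons

def triage(log_text: str) -> list:
    """Return (entry, reasons) for every R/O entry that at least one rule flags."""
    flagged = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:  # header lines, the process list and blank lines are skipped
            continue
        reasons = reasons_for(*m.groups())
        if reasons:
            flagged.append((raw.strip(), reasons))
    return flagged

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(entry)
        for r in reasons:
            print("    -> " + r)
```

Note that the seekerbar SearchAssistant entry, which penmore also removed, is not caught by any of these rules, which is why a helper still reads the whole log rather than trusting a script.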


#7 rita

rita
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:43 AM

Posted 11 January 2005 - 08:08 PM

Penmore:

I ran the programs like you said. Many of the items you requested me to fix or delete were already gone. Since I sent you the last log file I had deleted a lot of obvious files that I heard are suspected of causing problems (e.g. Morpheus, Kazza etc.) so this may have got rid of the file you mentioned.

The same applied to some of the files you told me to check off in hijackthis. It looks like some of them did not get deleted to me. But you can let me know what to do next when you analyze the log.

The VX2 plug came back system clean.

Also I downloaded a new version of Java and after this I can now access my Outlook Express e-mails, which now (it never used to do this the last time this was working 2 weeks ago) come with attachments (an AVG verification that it does not contain a virus, a Microsoft Word attachment and a Notepad attachment) which enable me to read my files no problem.

Thanks, rita




Logfile of HijackThis v1.98.2
Scan saved at 11:53:17 AM, on 12/01/2005
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ad-Free\AdFree.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Tuna\My Documents\hijack198MGextract\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ddxglwnbnzymk.com/Zt5CSqZ_YA3jGLagg...YUG1bkuIgd.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bdyhtoqlrcnzbpvqukuaok.net/Zt5C...RymVdoFGbY.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NNADFREE] "C:\Program Files\Ad-Free\AdFree.exe"
O4 - HKCU\..\Run: [holewin] C:\DOCUME~1\Tuna\APPLIC~1\PLUSSP~1\holdmixone.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'nnsp.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/

#8 penmore

penmore

    Malware Sniffer


  • Members
  • 757 posts
  • OFFLINE
  •  
  • Location:West Coast of Scotland
  • Local time:08:43 AM

Posted 13 January 2005 - 05:43 AM

Hi rita,

I'm sorry about the delay in getting back to you but we have had severe gales where I live and I've been without power since 7am my time yesterday. You have a Lop infection and most times these take a number of passes to get all the files removed.

Your log may suggest that you are running two antivirus programs and when you do this they can cause conflict between the two. If you are running two then can you just disable one of them. As you have seen, AVG checks emails and you don't need more than one program checking emails. Likewise, SP2 has a popup blocker and you appear to have AdFree popup blocker running, which may be causing a conflict. Web based applications quite often use popup windows as part of their functionality and this may be why you were having problems with some of your web based applications.

Let's now try and get rid of those stubborn entries:
  • Restart your machine in Safe Mode:
    • Reboot your computer
    • As the machine starts, continually tap the F8 key
    • You will then be presented with a menu screen
    • Use the up/down arrow keys to select Safe Mode
    • Press the Enter key to boot in that mode.
  • Run HijackThis
    Click on the Scan button and when complete
    Put a check beside all of the items listed below
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ddxglwnbnzymk.com/Zt5CSqZ_YA3jGLagg...YUG1bkuIgd.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bdyhtoqlrcnzbpvqukuaok.net/Zt5C...RymVdoFGbY.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    O4 - HKCU\..\Run: [holewin] C:\DOCUME~1\Tuna\APPLIC~1\PLUSSP~1\holdmixone.exe


    Close all open Explorer windows and browsers
    Click on the "Fix Checked" button
    When complete and all files removed, close the application

  • Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
    How to see hidden files in Windows

    Please delete the following files or folders (delete item in bold). Please do not be concerned if any of the items are not found as they may have been automatically removed by actions I had you take earlier in the cleaning process.
    C:\DOCUME~1\Tuna\APPLIC~1\PLUSSP~1\holdmixone.exe >>> File
  • Close all windows and browsers that are open.
    Clean out Temporary Folders and Temporary Internet Files as follows:
    • Open System Security Suite that I had you download earlier.
    • In the Items to Clear tab check:
      - Internet Explorer (left pane): Cookies & Temporary files
      - My Computer (right pane): Temporary files & Recycle Bin
    Click the Clear Selected Items button.
    Close the program.

  • Reboot your machine in normal mode and then please try downloading and installing the newer version.
    Download HijackThis from: HijackThis Download Site

  • Run HijackThis (new version if possible) and post a new log here using the Add Reply button. Can you also let me know about the anti virus, popups and how your machine is running and whether you can now get logged onto your bank.




