help me please (hijack included)

  1. 12-11-2005  #1
    LiLaZnGUy
    LiLaZnGUy is offline Valued Member

    help me please (hijack included)

    gah! i dont noe wats up wit my computer. its so slow. and i do these spywre checks but its still slow. please help.


    Logfile of HijackThis v1.99.1
    Scan saved at 12:51:30 PM, on 11/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\Ati2evxx.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\lockx.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\SYSTEM32\cidaemon.exe
    C:\Program Files\My Downloads\hijackthis.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.1800searchonline.com/sp2.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.1800searchonline.com/sp2.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.1800searchonline.com/sp2.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.1800searchonline.com/sp2.php
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = local.,
    N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csea rchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Simon Chu\Application Data\Mozilla\Profiles\default\g1xt3u09.slt\prefs.j s)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\MICROS~1.NET\doceula.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [stratas] lockx.exe
    O4 - HKLM\..\Run: [System service78] C:\WINDOWS\etb\pokapoka78.exe
    O4 - HKLM\..\RunServices: [stratas] lockx.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr. exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [stratas] lockx.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Lookup on CD - c:\AHD4withThesaurus\ahd.htm
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Lookup on CD - {CB9CDC2D-0AB4-4031-A1F7-E9B4070CE521} - c:\AHD4withThesaurus\ahd.htm (HKCU)
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?link...38&clcid=0x409
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://miniclips.com/platypus/miniclipGameLoader.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124608418656
    O20 - Winlogon Notify: doceula - C:\WINDOWS\MICROS~1.NET\doceula.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

  3. 14-11-2005  #2
    Neal
    Neal is offline Dedicated Member
    Save 20% on AVG Internet Security 2012 Suite!
    Welcome to DAL,

    Go into add/remove program and remove if found

    180 search assistant/180 solutions

    Reboot if anything was removed.

    Download LQfix.exe and place it on your desktop.
    Doubleclick LQfix.exe and click install.
    Leave the default settings. If you change them, the fix will fail.
    Make sure 'Launch LQfix' is checked. After clicking finish in the install, the fix will start.
    Follow the prompts on the screen.
    Your system will reboot afterwards.
    Please be patient after reboot, because there is a script running in the background.


    Please print these instructions out for use in Safe Mode.

    Please download VundoFix© to your desktop.[list][*]Double-click VundoFix.exe to extract the files.
    [*]This will create a VundoFix© folder on your desktop.
    [*]After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    [*]Once in safe mode open the VundoFix© folder and doubleclick on KillVundo.bat
    [*]You will first be presented with a warning.
    It should look like this
    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....
    [*] At this point press enter one time.
    [*] Next you will see:
    Please Type in the filepath as instructed by the forum staff
    and then press enter:
    [*]At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\MICROS~1.NET\doceula.dll
    [*]Press Enter to continue with the fix.[*] Next you will see:
    Please type in the second filepath as instructed by the forum
    staff then press enter:
    [*]At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\MICROS~1.NET\aluecod.*
    [*]Press Enter to continue with the fix.[*]The fix will run then HijackThis will open, if it does not open automatically please open it manually.[*]In HiJackThis, please place a check next to the following items and click FIX CHECKED:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.1800searchonline.com/sp2.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.1800searchonline.com/sp2.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.1800searchonline.com/sp2.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.1800searchonline.com/sp2.php

    O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\MICROS~1.NET\doceula.dll

    O4 - HKLM\..\Run: [stratas] lockx.exe
    O4 - HKLM\..\Run: [System service78] C:\WINDOWS\etb\pokapoka78.exe
    O4 - HKLM\..\RunServices: [stratas] lockx.exe
    O4 - HKCU\..\Run: [stratas] lockx.exe

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    O20 - Winlogon Notify: doceula - C:\WINDOWS\MICROS~1.NET\doceula.dll

    Make sure all programs are closed out nothing should be open but hijackthis, click Fix checked

    Close out of hijackthis

    Hunt for and delete these if found:

    lockx.exe < file
    msdirectx.sys < file
    xz.bat     < file
    C:\WINDOWS\etb < folder

    Also look for these in this folder: Microsoft.NET/delete if found

    C:\WINDOWS\Microsoft.NET\aluecod.bak1
    C:\WINDOWS\Microsoft.NET\aluecod.bak2
    C:\WINDOWS\Microsoft.NET\aluecod.ini
    C:\WINDOWS\Microsoft.NET\aluecod.ini2
    C:\WINDOWS\Microsoft.NET\aluecod.tmp
    C:\WINDOWS\Microsoft.NET\aluecod.tmp1
    C:\WINDOWS\Microsoft.NET\aluecod.tmp2



    Reboot back to normal mode


    Then, please run this online virus scan: ActiveScan

    Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
    Last edited by Neal; 15-11-2005 at 08:53 PM.
+ Reply to Thread
« Another Hijack this log | Trojan problem! »