Agh!

  1. 01-01-2006  #1
    fatkitty420
    fatkitty420 is offline Full Member

    Agh!

    OK, I've run Ad-aware and Spybot. My homepage has been changed and i know have 2 new pop-up/virus detectors that want me to pay them to remove them. this is driveing me insane. Not to mention i get some horrible pop-ups know. Here's my Hijack This log.

    Logfile of HijackThis v1.99.1
    Scan saved at 3:00:26 PM, on 1/1/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\mssearchnet.exe
    C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Atari icon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\MESSEN~1\Msmsgs.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\appor.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    C:\WINDOWS\system32\netee32.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HijackThis\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lfbtz.dll/sp.html#10001%resultposition.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lfbtz.dll/sp.html#10001%resultposition.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lfbtz.dll/sp.html#10001%resultposition.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lfbtz.dll/sp.html#10001%resultposition.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lfbtz.dll/sp.html#10001%resultposition.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lfbtz.dll/sp.html#10001%resultposition.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lfbtz.dll/sp.html#10001%resultposition.net
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {11385C18-9788-41BB-1120-99D508537CF7} - C:\WINDOWS\system32\crty32.dll
    O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\System32\hpFDD0.tmp
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Atari Launcher 2] C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Atari icon.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [netee32.exe] C:\WINDOWS\system32\netee32.exe
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\Msmsgs.exe" /background
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{242B01D7-88F1-4CD8-A69E-D28FE1E1313D}: NameServer = 85.255.116.123,85.255.112.181
    O17 - HKLM\System\CCS\Services\Tcpip\..\{44959949-A62E-491C-87F2-7164AD212B4A}: NameServer = 85.255.116.123,85.255.112.181
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E178BA7D-D117-4D53-8452-A6F66E9EF526}: NameServer = 85.255.116.123,85.255.112.181
    O17 - HKLM\System\CS1\Services\Tcpip\..\{242B01D7-88F1-4CD8-A69E-D28FE1E1313D}: NameServer = 85.255.116.123,85.255.112.181
    O17 - HKLM\System\CS2\Services\Tcpip\..\{242B01D7-88F1-4CD8-A69E-D28FE1E1313D}: NameServer = 85.255.116.123,85.255.112.181
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\appor.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

  3. 02-01-2006  #2
    VopThis
    VopThis is offline Senior Member (Canada)
    Save 20% on AVG Internet Security 2012 Suite!
    Please read these instructions carefully and print them out (or copy to a file on your DESKTOP)! Be sure to follow ALL instructions!


    Download and run the freeware system optimization and privacy tool:
    CCleaner (Crap Cleaner)
    http://www.ccleaner.com/ccdownload.asp

    It removes unnecessary junk from your computer allowing it to run more efficiently and securely.

    You may get more optimal cleaning if you run it in SAFEMODE – while rebooting and at the beep keep tapping the F8 key.

    Once installed, you will notice an Online Help link at the bottom left. Updates checking link is provided at the bottom right. When first run in its DEFAULT opening setup – Cleaner button (Windows TAB is selected) , click the ‘Analyse’ button. Thereafter, click ‘Run Cleaner’ after you have reviewed what it proposes to clean.



    Download smitRem.exe and save the file to your desktop.

    Alternate SITE: smitRem.exe

    Double click on the file to extract it to it's own folder on the desktop.



    Place a shortcut to Panda ActiveScan on your desktop ((drag the text link to your desktop)).



    Please download the trial version of Ewido Security Suite here:
    http://www.ewido.net/en/download/

    Please read Ewido Setup Instructions
    Install it, and update the definitions to the newest files. Do NOT run a scan yet.


    If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
    Ad-Aware SE Setup. Don't run it yet!



    Next, please reboot your computer in SafeMode by doing the following:
    1. Restart your computer
    2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3. Instead of Windows loading as normal, a menu should appear
    4. Select the first option, to run Windows in Safe Mode.


    SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:
    -----
    O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\System32\hpFDD0.tmp

    O17 - HKLM\System\CCS\Services\Tcpip\..\{242B01D7-88F1-4CD8-A69E-D28FE1E1313D}: NameServer = 85.255.116.123,85.255.112.181
    O17 - HKLM\System\CCS\Services\Tcpip\..\{44959949-A62E-491C-87F2-7164AD212B4A}: NameServer = 85.255.116.123,85.255.112.181
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E178BA7D-D117-4D53-8452-A6F66E9EF526}: NameServer = 85.255.116.123,85.255.112.181
    O17 - HKLM\System\CS1\Services\Tcpip\..\{242B01D7-88F1-4CD8-A69E-D28FE1E1313D}: NameServer = 85.255.116.123,85.255.112.181
    O17 - HKLM\System\CS2\Services\Tcpip\..\{242B01D7-88F1-4CD8-A69E-D28FE1E1313D}: NameServer = 85.255.116.123,85.255.112.181
    -----
    Make sure that all browser windows and internet links are closed, even this one!
    CLICK ’FIX CHECKED’ with HijackThis.



    Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
    Wait for the tool to complete and disk cleanup to finish.

    The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested (below) in your next reply.


    Open Ad-aware and do a full scan. Remove all it finds.


    Run Ewido:
    • Click on scanner
    • Click on Complete System Scan and the scan will begin.
    • NOTE: During some scans with ewido it is finding cases of false positives.
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
    • When the scan is finished, click the Save report button at the bottom of the screen.
    • Save the report to your desktop
    Close Ewido


    Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

    Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan.
    Save the Panda scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log.
+ Reply to Thread
« hijack this log: help me please... | Problems Shutting Down And Restarting! »