Hijack log

 
 
tmobile
 
Reply Sun 6 Feb, 2005 06:03 pm
Hi, if you have time, please help.

A few months ago I at least had mysearchbar on my computer, even though I run Ad-Aware and Spybot all the time. But after I installed a lop remover or something, everything seemed OK, although I had to do it after every restart of my computer.

A week ago I decided to try to fix this and installed a few programs like Spyware Doctor and Webroot Spy Sweeper. I also tried a program, I don't remember which, but it made things worse. The last thing I remember it did was releasing my internet connection or something. It disconnected me from the internet, Messenger and so on and restarted my computer. I got an internet error message when I logged back in.

Now more popups, searchweb2 and mysearchbar were there, and the lop remover only removes it sometimes. I get more popups, and Spyware Doctor tells me that I get directed to dangerous websites when I open Internet Explorer. Also, when I am trying to open a link in Internet Explorer now, the new window does not load. It does not freeze, but nothing happens in there. Also I get an iexplore.exe error all the time, even if I don't use the computer.

Even more important is that a few of the folders on my external Maxtor HD can't be viewed in Explorer. The used MB and free MB are as they should be, and I can play some of the files in those folders since I have some in a media player playlist, but that's just a few.

I found your forum yesterday and tried the spyware removal manual. I did not find the twaincheck, and because of major HD space troubles I could not run Defragment, although I was advised to do so on all my disks after the analysis. To defragment I have to spend a few weeks burning, so hopefully I can get help and fix this before that.

Anyway, after I followed your guide it seemed OK, although lop.com was very resistant to removal even offline. But it lasted just a few hours online before it's the same with searchweb2 and mysearchbar and everything.

I am sending this from my portable computer so I can see what you tell me to do and download the files you want me to onto this one and move them over to the troubled computer with my small 256 MB HD. Hope that is OK and will work.

Here is the log:

Logfile of HijackThis v1.98.2
Scan saved at 00:13:32, on 07.02.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\Programfiler\Norton AntiVirus\navapsvc.exe
C:\Programfiler\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Programfiler\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\Programfiler\QuickTime\qttask.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\MSN Messenger\msnmsgr.exe
C:\Programfiler\Webroot\Spy Sweeper\SpySweeper.exe
C:\Programfiler\Spyware Doctor\swdoctor.exe
C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programfiler\2xExplorerZ1\2xExplorer.exe
C:\Programfiler\Winamp\Winamp.exe
C:\PROGRA~1\mozilla.org\Mozilla\Mozilla.exe
C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe
c:\progra~1\intern~1\iexplore.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\WinRAR\WinRAR.exe
C:\DOCUME~1\Vidar\LOKALE~1\Temp\Rar$EX00.734\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.xkzpeapmquzpetkq.com/jW8DveD4jnUcDNJBsJAXQPmINJ0YYA_ITz9CTLPnqxcN2yn8c7R4dnb/xzAeX5Gk.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qpzllaueeo.com/jW8DveD4jnVvQMy3L5qx4ZrLK2vsfz65gDRX4QCsJMM.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.30.147:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2CA2F8C8-F7D1-1447-A505-508E4A3DA35B} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {77610D6E-6A0F-101F-F33C-4B688EE83B97} - C:\DOCUME~1\Vidar\PROGRA~1\IDLESU~1\skip 01.exe
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Programfiler\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [Store axis wait keep] C:\Documents and Settings\All Users\Programdata\Eq Load Store Axis\POKE SETUP.exe
O4 - HKLM\..\Run: [moregplclose1] C:\Documents and Settings\All Users\Programdata\atom ante more gpl\MAGSFIRST.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MJStarter] C:\Programfiler\MovieJack3\MJStarter.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Programfiler\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [SpySweeper] "C:\Programfiler\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programfiler\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Hole warn] C:\DOCUME~1\Vidar\PROGRA~1\DEADFL~1\Base Cake.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

 
Don77
 
Reply Sun 6 Feb, 2005 06:34 pm
Hi tmobile and welcome to A2K.
Run this please: lop uninstaller
Reboot.

Next,
Please restart HJT, put a check next to the following, close all open windows and click "Fix Checked":
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.xkzpeapmquzpetkq.com/jW8DveD4jnUcDNJBsJAXQPmINJ0YYA_ITz9CTLPnqxcN2yn8c7R4dnb/xzAeX5Gk.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qpzllaueeo.com/jW8DveD4jnVvQMy3L5qx4ZrLK2vsfz65gDRX4QCsJMM.html
O2 - BHO: (no name) - {77610D6E-6A0F-101F-F33C-4B688EE83B97} - C:\DOCUME~1\Vidar\PROGRA~1\IDLESU~1\skip 01.exe
O4 - HKLM\..\Run: [Store axis wait keep] C:\Documents and Settings\All Users\Programdata\Eq Load Store Axis\POKE SETUP.exe
O4 - HKLM\..\Run: [moregplclose1] C:\Documents and Settings\All Users\Programdata\atom ante more gpl\MAGSFIRST.exe
O4 - HKCU\..\Run: [Hole warn] C:\DOCUME~1\Vidar\PROGRA~1\DEADFL~1\Base Cake.exe


Next, reboot to safe mode (by tapping the F8 key on startup). Make sure you can view all hidden files/folders, then search for and delete the files listed below:

C:\DOCUME~1\Vidar\PROGRA~1\IDLESU~1\skip 01.exe
C:\Documents and Settings\All Users\Programdata\Eq Load Store Axis\POKE SETUP.exe
C:\Documents and Settings\All Users\Programdata\atom ante more gpl\MAGSFIRST.exe
C:\DOCUME~1\Vidar\PROGRA~1\DEADFL~1\Base Cake.exe
Delete any associated folders found with the above files.
Restart your computer, and post back a fresh log please.

Also,
Please download
Silent Runners
Please create a folder for it, then double-click on the program. It will save a notebook file in the same folder. Open that, then copy and paste the log back to this thread please.
 
tmobile
 
Reply Sun 6 Feb, 2005 08:15 pm
Thanks for the help. Hope you stay with me.

Did not find everything, and I looked for a long time in HijackThis after I ran the lop uninstaller.

Logfile of HijackThis v1.98.2
Scan saved at 03:12:25, on 07.02.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe
C:\Programfiler\QuickTime\qttask.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Programfiler\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\MSN Messenger\msnmsgr.exe
C:\Programfiler\mozilla.org\Mozilla\Mozilla.exe
C:\Programfiler\Webroot\Spy Sweeper\SpySweeper.exe
C:\Programfiler\Spyware Doctor\swdoctor.exe
C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programfiler\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Programfiler\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\WinRAR\WinRAR.exe
C:\DOCUME~1\Vidar\LOKALE~1\Temp\Rar$EX00.485\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wtajdbkbdncvsdvpowyj.com/jW8DveD4jnUcDNJBsJAXQPmINJ0YYA_ITz9CTLPnqxfT0BoWtZ5c2Gb/xzAeX5Gk.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.30.147:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2CA2F8C8-F7D1-1447-A505-508E4A3DA35B} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Programfiler\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [moregplclose1] C:\Documents and Settings\All Users\Programdata\atom ante more gpl\each fast.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MJStarter] C:\Programfiler\MovieJack3\MJStarter.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Programfiler\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [SpySweeper] "C:\Programfiler\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programfiler\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

"Silent Runners.vbs", revision 30
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"MJStarter" = "C:\Programfiler\MovieJack3\MJStarter.exe" [file not found]
"msnmsgr" = ""C:\Programfiler\MSN Messenger\msnmsgr.exe" /background" [MS]
"Mozilla Quick Launch" = ""C:\Programfiler\mozilla.org\Mozilla\Mozilla.exe" -turbo" ["Mozilla Foundation"]
"SpySweeper" = ""C:\Programfiler\Webroot\Spy Sweeper\SpySweeper.exe" /0" ["Webroot Software, Inc."]
"Spyware Doctor" = ""C:\Programfiler\Spyware Doctor\swdoctor.exe" /Q" ["PCTools"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = "C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"ccApp" = ""C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"StorageGuard" = ""C:\Programfiler\VERITAS Software\Update Manager\sgtray.exe" /r" ["VERITAS Software, Inc."]
"TkBellExe" = ""C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"QuickTime Task" = ""C:\Programfiler\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"MaxtorOneTouch" = "C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe" ["Maxtor"]
"MXO Auto Loader" = "C:\WINDOWS\MXOALDR.EXE" ["Cypress Semiconductor"]
"moregplclose1" = "C:\Documents and Settings\All Users\Programdata\atom ante more gpl\each fast.exe" [file not found]

HKLM\Software\Microsoft\Active Setup\Installed Components\
">{26923b43-4d38-484f-9b9e-de460746276c}\(Default)" = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]
">{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default)" = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" [null data]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}\(Default) = "PCTools Site Guard" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll" [null data]
{B56A7D7D-6927-48C8-A975-17DF180C71AC}\(Default) = "PCTools Browser Monitor" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Programfiler\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Ikonutvidelse for HyperTerminal"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Programfiler\WinRAR\rarext.dll" [null data]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Programfiler\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "AtiExtEvent\DLLName" = "Ati2evxx.dll" ["ATI Technologies Inc."]


Startup items in "Vidar" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart
"InterVideo WinCinema Manager" -> shortcut to: "C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe" ["InterVideo Inc."]
"Microsoft Office" -> shortcut to: "C:\Programfiler\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"2642700D9CF225D1" -> launches: "c:\progra~1\deadfl~1\bait memo gpl.exe" [file not found]
"A89BE08F918496E7" -> launches: "c:\docume~1\vidar\progra~1\deadfl~1\bait memo gpl.exe" [file not found]
"AF5C62DC9180144C" -> launches: "c:\docume~1\vidar\progra~1\deadfl~1\bait memo gpl.exe" [file not found]
"Norton AntiVirus - Scan my computer - Vidar" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.EXE /task:"C:\Documents and Settings\All Users\Programdata\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Programdata\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Norton SystemWorks One Button Checkup" -> launches: "C:\Programfiler\Norton SystemWorks\OBC.exe /CUSTOM /SCHEDULE" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Programfiler\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Programfiler\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton Unerase Protection, NProtectService, "C:\Programfiler\Norton SystemWorks\Norton Utilities\NPROTECT.EXE" ["Symantec Corporation"]
Retrospect Launcher, RetroLauncher, "C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe" ["Dantz Development Corporation"]
SAVScan, SAVScan, "C:\Programfiler\Norton AntiVirus\SAVScan.exe" ["Symantec Corporation"]
Speed Disk service, Speed Disk service, "C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
SymWMI Service, SymWSC, "C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
 
Don77
 
Reply Sun 6 Feb, 2005 08:32 pm
Hi again tmobile,
Please restart HJT, put a check next to the following, close all open windows and click "Fix Checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wtajdbkbdncvsdvpowyj.com/jW8DveD4jnUcDNJBsJAXQPmINJ0YYA_ITz9CTLPnqxfT0BoWtZ5c2Gb/xzAeX5Gk.htm
O2 - BHO: (no name) - {2CA2F8C8-F7D1-1447-A505-508E4A3DA35B} - (no file)
O4 - HKLM\..\Run: [moregplclose1] C:\Documents and Settings\All Users\Programdata\atom ante more gpl\each fast.exe

Next, reboot to safe mode (by tapping the F8 key on startup). Make sure you can view all hidden files/folders, then search for and delete the files listed below:

C:\Documents and Settings\All Users\Programdata\atom ante more gpl\each fast.exe
c:\progra~1\deadfl~1\bait memo gpl.exe
c:\docume~1\vidar\progra~1\deadfl~1\bait memo gpl.exe
Delete any associated folders found with these files. Notice that the file bait memo gpl.exe is sitting in 2 different folders; make sure you kill them both if found.
Restart your computer, and post back a fresh log please.
 
tmobile
 
Reply Sun 6 Feb, 2005 08:52 pm
Hi again Don, and thanks.

Not able to find that "each" file.

Logfile of HijackThis v1.98.2
Scan saved at 03:53:34, on 07.02.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\Programfiler\Norton AntiVirus\navapsvc.exe
C:\Programfiler\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Programfiler\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\Programfiler\Fellesfiler\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe
C:\Programfiler\QuickTime\qttask.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\MSN Messenger\msnmsgr.exe
C:\Programfiler\mozilla.org\Mozilla\Mozilla.exe
C:\Programfiler\Webroot\Spy Sweeper\SpySweeper.exe
C:\Programfiler\Spyware Doctor\swdoctor.exe
C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HU\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.30.147:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Programfiler\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Programfiler\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programfiler\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MJStarter] C:\Programfiler\MovieJack3\MJStarter.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programfiler\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Programfiler\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [SpySweeper] "C:\Programfiler\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programfiler\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programfiler\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
 
Don77
 
Reply Sun 6 Feb, 2005 09:01 pm
It appears to be clean now. How is the machine running?
 
tmobile
 
Reply Sun 6 Feb, 2005 09:07 pm
Looks like it's gone for now; hopefully it will stay clean.

Still can only view 2 of the folders on the external Maxtor HD, though.
Really upset about this if all the files are gone.

And Internet Explorer is still strange, since it won't open a new window.
Is it possible just to reinstall Internet Explorer or something?

Don't know if you are the one to ask about this; I'm new here, so sorry if I am wrong.

Thanks again for the help, Don.
 
tmobile
 
Reply Sun 6 Feb, 2005 09:35 pm
Hi again Don,

Well, I ran Spyware Doctor and it found some infections. One is high risk and that's the lop.com; it seems like it refuses to go away.

About the Maxtor, please tell me to ask elsewhere if you don't have the time or knowledge about it.

Thanks for your time.
 
Don77
 
Reply Mon 7 Feb, 2005 06:32 pm
Hi again tmobile,
Remove the lop uninstaller file I had you run. Search for lopremover.exe and delete it.
See if Spyware Doctor finds it again.


I'm sure someone will pop by and see if they can help you out with the HD issue.
 
tmobile
 
Reply Wed 9 Feb, 2005 10:49 am
Thanks a lot Don.

Works very well now.

Maybe I'll start a new thread about the Maxtor in a few days.
 
Don77
 
Reply Wed 9 Feb, 2005 07:07 pm
You're very welcome tmobile,
Might be a good idea to start a new post about the HD; you'd probably get more hits that way.