Tom's Guide | Tom's Hardware | Tom's Games
 |
 |
 |
A short time ago my browswer (IE5.5, recently upgraded from 5.0) started showing evidence of being hijacked. Sometimes when it started up and sometimes during use it would link to one of a number of pages and thence on to various porn sites. In fact on start up it would sometimes do this even though not connected to the internet.
The original links seen have been to pages on www7.paypopup.com, kathic.offshorechicks.com, www.xtrocash.org, www.exitorcash.com, www.cashexits.com.
Scans with AdAware and SpyBot Search and Destry have revealed nothing in particular and currently I've got my machine protected by AdSubtract and PopUpCop, which are doing fine in closing down the windows but are also having a detrimental effect of closing things I might want.
I have been a little suspicious of a module IstSVCwnd because I don't know what it is or where it came from and it sometimes is the cauise of machine hangs.
A recent connection also gave cause for doubt (incuding the word 'ist') when PopupCop said that a site was trying to download 'FREE SEX-XXXTOOLBAR' with a requesting web page of http://www.slotch.com/ist/scripts/istsvc_ads.php?version=1005...etc
and a download location of http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
I'm running Win2000pro behing Outpost firewall and with (up to date) AVG virus scanner.Any suggestions would be appreciated.
I suggest going to http://www.tomcoyote.org/hjt/ and downloading HijackThis. After starting HijackThis, click the scan button which will change into a save log button. Save the logfile and also copy and paste the results back here in this thread. Most items reported by HijackThis are valid, so don’t fix anything yet.
0 
You also have a powerful firewall,
websites you listed can be blocked.You can block Ip adresses with "Block post plug-in".
Another thing to look into is, AGNIS for Outpost ad block list.
Something to check out after you post
your HijackThis log.
0
I'm having the same problem as the person who started the thread. I have taken the steps mentioned in the first reply and below is the log. I hope ot hear from someone soon.
Thanks In Advance
Logfile of HijackThis v1.95.1
Scan saved at 10:08:06, on 26/07/03
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\MEDIASCAPE\ONSCREEN DISPLAY\OSD.exe
C:\WINDOWS\SYSTEM\GSICON.exe
C:\WINDOWS\SYSTEM\DSLAGENT.exe
C:\WINDOWS\LOADQM.exe
C:\PROGRAM FILES\WIDCOMM\BLUETOOTH SOFTWARE\BTTRAY.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\PROGRAM FILES\WIDCOMM\BLUETOOTH SOFTWARE\BTSTACKSERVER.exe
C:\WINDOWS\SYSTEM\RNAAPP.exe
C:\WINDOWS\SYSTEM\TAPISRV.exe
C:\PROGRAM FILES\KAZAA LITE\KAZAALITE.KPP
C:\PROGRAM FILES\KAZAA LITE\SPEED UP.exe
C:\WINDOWS\SYSTEM\PSTORES.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\DESKTOP\HIJACKTHIS.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.qpr.premiumtv.co.uk/home/view/home_page/0,,10373,00.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {a4019fe0-5fdd-11d7-be86-444553540000} - (no file)
O2 - BHO: (no name) - {A8B9F08F-2FC4-4ADE-9049-CFBA586971BA} - C:\WINDOWS\SYSTEM\BHO2.DLL
O2 - BHO: (no name) - {66F67511-2665-4C34-9E20-FAC2C0954EF2} - C:\WINDOWS\WHATTT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [VortexTray] ASP4TRAY.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [OnScreen Display] C:\Mediascape\OnScreen Display\OSD.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.exe /LOADQUIET
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.exe /autorun
O4 - HKLM\..\Run: [GSICONEXE] GSICON.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [System Tray] C:\WINDOWS\MSCCN32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.exe" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [System Tray] C:\WINDOWS\MSCCN32.exe
O4 - HKCU\..\Run: [System MScvb] C:\WINDOWS\MSCVB32.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
O4 - Startup: BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O9 - Extra button: AIM (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,5/mcinsctl.cab
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://bin.mcafee.com/molbin/Shared/ComCtl32/6,0,80,22/ComCtl32.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37603.6279166667
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://home.wanadoo.nl/century.music/mp3_plugin.exe
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt1_x.cab
O16 - DPF: {A8B9F08F-2FC4-4ADE-9049-CFBA586971BA} (BHO.clsUrlSearch) - http://207.44.176.11/auth/rh/IeInstall_2.exe
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify305.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as/asinst.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: Yahoo! Chat (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {DCF0768D-BA7A-101A-B57A-0000C0C3ED5F} - http://outwar.whazit.com/10041.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
0
Hi Gavster,
Make sure to run an updated Spybot Search and Destroy before fixing these items using HijackThis.
Please read the comments I made before fixing the items. Why your two different Anti-Virus programs did not pick the viruses up I don’t know? But you should use the removal tools I gave URL’s to before fixing using HijackThis. There is a possible NEW malware BHO please could you send it to the e-mail I mentioned. And one of the BHO’s I gave a link for further removal instructions after fixing with HijackThis.
After running Spybot S&D, reboot. Close all browser windows and then fix all the following items using HijackThis. Reboot and check if everything listed is gone.
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {a4019fe0-5fdd-11d7-be86-444553540000} - (no file)
------------------
O2 - BHO: (no name) - {A8B9F08F-2FC4-4ADE-9049-CFBA586971BA} - C:\WINDOWS\SYSTEM\BHO2.DLLCould you please send this BHO2.DLL to the e-mail submit-stuff@xs4all.nl for examination? This is the e-mail direct to Tony Klein creator of http://www.spywareinfo.com/bhos/ I sent him an e-mail with the following asking for a response (Please copy and paste the following also in the body of the e-mail):
This one is confusing as the CLSID {A8B9F08F-2FC4-4ADE-9049-CFBA586971BA}is associated with a known bad ActiveX control and BHO.DLL is associated with a known bad BHO called “HighTraffic” http://www.doxdesk.com/parasite/HighTraffic.html which clicking on the Link leads to http://www.doxdesk.com/parasite/SubSearch.html which is also a bad BHO.
And this is the response I received:
Hi Mark,
Bho2.dll is also an existing HighTraffic browser plugin, up to now however listed as having the following Class iD: {53E10C2C-43B2-4657-BA29-AAE179E7D35C} this may be an all new one. I'd appreciate a copy of the file, if that would be possible! :)\
TIA! :)
Cheers, TonyPlease wait for a response before fixing. Thanks.
--------------O2 - BHO: (no name) - {66F67511-2665-4C34-9E20-FAC2C0954EF2} - C:\WINDOWS\WHATTT.DLL
Spyware/Malware called Whazit See http://www.doxdesk.com/parasite/Whazit.html You can safely fix this entry using HijackThis but also read this link for further removal instructions http://www.spywareinfo.com/articles/whazit/O4 - HKLM\..\Run: [System Tray] C:\WINDOWS\MSCCN32.exe
Fix after using the removal tool (the tool may remove this entry)
Added as a result of the “W32.Sobig.B@mm” VIRUS! See http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.b@mm.html Warning - spreading via infected E-mail attachments with the sender address faked as support@microsoft.com. Symantec Security Response has developed a removal tool available from http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.mankx.removal.tool.html to clean infections of W32.Sobig.B@mmO4 - HKCU\..\Run: [System Tray] C:\WINDOWS\MSCCN32.exe
?? A second instance of the virus above! Strange.O4 - HKCU\..\Run: [System MScvb] C:\WINDOWS\MSCVB32.exe
Fix after using the removal tool (the tool may remove this entry)
Added as a result of the “W32.Sobig.C@mm” VIRUS! See http://www.symantec.com/avcenter/venc/data/w32.sobig.c@mm.html
Symantec Security Response has created a tool available from http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.c.removal.tool.html to remove W32.Sobig.C@mm, which is the easiest way to remove this threat.The following ActiveX controls should be removed. The sites these ActiveX controls come from are blocked by one or more of the following: JD5000's Proxomitron config. file and IE-Spyad (IE Restricted Sites) and Hpguru's hosts file.
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://home.wanadoo.nl/century.music/mp3_plugin.exe
O16 - DPF: {A8B9F08F-2FC4-4ADE-9049-CFBA586971BA} (BHO.clsUrlSearch) - http://207.44.176.11/auth/rh/IeInstall_2.exe
O16 - DPF: {DCF0768D-BA7A-101A-B57A-0000C0C3ED5F} - http://outwar.whazit.com/10041.cab
Also I noticed in the running processes you are using KAZAALITE this is a P2P that you should seriously consider removing this malware portal. Up to you, LOL
For the future see: So how did I get infected in the first place? http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 In addition to using SpywareBlaster (mentioned in the thread) I would also use SpywareGuard http://www.wilderssecurity.net/spywareguard.htmlFour of the most recommended anti-spyware programs are SpywareBlaster and SpywareGuard and Spybot S&D and Ad-aware. If you install all four programs, keep them updated, and scan with Spybot S&D and Ad-aware periodically, you will be fairly well-protected from spyware.
Good Luck!
0
Gavster,
Sorry I did some copying and pasteing from another resonce I gave someone else so there are a couple of confusing things:
The statement: "Also I noticed in the running processes you are using KAZAALITE this is a P2P that you should seriously consider removing this malware portal."
Should read: "Also I noticed in the running processes you are using KAZAALITE this P2P malware portal is one security risk you should seriously consider removing."
--
And "In addition to using SpywareBlaster (mentioned in the thread)" does not apply to this thread LOLMark
0
Also, if you haven't had HT fix it already, send Tony a copy of this ActiveX control:
O16 - DPF: {A8B9F08F-2FC4-4ADE-9049-CFBA586971BA} (BHO.clsUrlSearch) - http://207.44.176.11/auth/rh/IeInstall_2.exe
It's what is installing this BHO:
O2 - BHO: (no name) - {A8B9F08F-2FC4-4ADE-9049-CFBA586971BA} - C:\WINDOWS\SYSTEM\BHO2.DLL
0
Thanks Tom, that is a good idea.
I just realized that the two entries for the “W32.Sobig.B@mm” VIRUS! are different
O4 - HKLM\..\Run: [System Tray] C:\WINDOWS\MSCCN32.exe
O4 - HKCU\..\Run: [System Tray] C:\WINDOWS\MSCCN32.exeOne is in the registry location HKLM and the other in HKCU. The removal tool given with the HKLM entry will likely remove the HKCU entry as well.
0
I've had exactely the same thing. here's my log file. PLEASE HELP ,iv tried everything
Logfile of HijackThis v1.95.1
Scan saved at 22:29:06, on 29-7-2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.exe
C:\ATI-CPanel\atiptaxx.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\WINDOWS\System32\NotifyPhoneBook.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\hijackthis\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer,Search Page = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.the-huns-yellow-pages.com/sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://stopxxxpics.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=0&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=0&s=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=0&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://i21740.wflu.com/passthrough/index.html?about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O1 - Hosts: 65.77.83.222 madthumbs.com
O1 - Hosts: 65.77.83.222 worldsex.com
O1 - Hosts: 65.77.83.222 teeniefiles.com
O1 - Hosts: 65.77.83.222 al4a.com
O1 - Hosts: 65.77.83.222 sublimedirectory.com
O1 - Hosts: 65.77.83.222 thumbzilla.com
O1 - Hosts: 65.77.83.222 sexocean.com
O1 - Hosts: 65.77.83.222 easypic.com
O1 - Hosts: 65.77.83.222 absolut-series.com
O1 - Hosts: 65.77.83.222 jpeg4free.com
O1 - Hosts: 65.77.83.222 thumbnailpost.com
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh304181.dll (disabled by BHODemon)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {bf29c082-fc31-4e3f-9daf-81b404e2128b} - C:\DOCUME~1\Jelle\APPLIC~1\jmtckgrpro.dll (disabled by BHODemon)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\ATI-CPanel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [CloseDNF] C:\WINDOWS\System32\Utility.exe \1008
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [logon.exe] c:\windows\system32\logon.exe
O4 - HKLM\..\Run: [sys] regedit /s sys.reg
O4 - HKLM\..\Run: [EasyDates_be] C:\Program Files\ComSoft\Dialers\EasyDates_be\EasyDates_be.exe /dontdial
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe"
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2003071801/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as/asinst.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://3dgamers.tukati.com/tukati/1.7.20.20/tukati.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E116C3B3-390B-4DFB-9ADA-163448E7CDB1}: NameServer = 195.238.2.21 195.238.2.22
0
well ,whenever i typ an url in internet explorer ,i arrive at that thing to install that xxxtoolbar ,and sometimes another pornographic website (i dont know how it got there ,honestly ,i dont really visit those websites (hjust take my word))
0
Hi Zebra
Run an updated Spybot Search and Destroy (http://security.kolla.de/) and after closing all browser windows fix the items that are left using HijackThis and then reboot.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer,Search Page = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.the-huns-yellow-pages.com/sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://stopxxxpics.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=0&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=0&s=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=0&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=0&s=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://i21740.wflu.com/passthrough/index.html?about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
O1 - Hosts: 65.77.83.222 madthumbs.com
O1 - Hosts: 65.77.83.222 worldsex.com
O1 - Hosts: 65.77.83.222 teeniefiles.com
O1 - Hosts: 65.77.83.222 al4a.com
O1 - Hosts: 65.77.83.222 sublimedirectory.com
O1 - Hosts: 65.77.83.222 thumbzilla.com
O1 - Hosts: 65.77.83.222 sexocean.com
O1 - Hosts: 65.77.83.222 easypic.com
O1 - Hosts: 65.77.83.222 absolut-series.com
O1 - Hosts: 65.77.83.222 jpeg4free.com
O1 - Hosts: 65.77.83.222 thumbnailpost.com
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh304181.dll (disabled by BHODemon)
O2 - BHO: (no name) - {bf29c082-fc31-4e3f-9daf-81b404e2128b} - C:\DOCUME~1\Jelle\APPLIC~1\jmtckgrpro.dll (disabled by BHODemon)O4 - HKLM\..\Run: [CloseDNF] C:\WINDOWS\System32\Utility.exe \1008
Do you know what this is? If not you may fix this also.O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
Messenger Plus comes with Lop but I don’t see Lop so you must have installed it without installing sponsor software, if you did not install MessengerPlus2, fix it also.O4 - HKLM\..\Run: [logon.exe] c:\windows\system32\logon.exe
O4 - HKLM\..\Run: [sys] regedit /s sys.reg
O4 - HKLM\..\Run: [EasyDates_be] C:\Program Files\ComSoft\Dialers\EasyDates_be\EasyDates_be.exe /dontdialO4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
Messenger Plus comes with Lop but I don’t see Lop so you must have installed it without installing sponsor software, if you did not install MessengerPlus2, fix it also.After Reboot then delete:
The folder Comsoft at C:\Program Files\ComSoft
The file logon.exe at c:\windows\system32\logon.exeAnd if you did remove Messenger Plus delete the following also:
The folder Messenger Plus! 2 at C:\Program Files\Messenger Plus! 2Good Luck!
0
well ,its not over yet... But I see i didn't close my browser windows while scanning ,so i did it again but they were all deleted so :S what to do? i've done everything now ,and it still there
0
Zebra, Ok, Please post an another HijackThis logfile and so we can take a look at it again.
Sometimes this takes a bit of work to get of the problem.
0 
