Hi Mike34, Run an updated Spybot Search and Destroy ( http://security.kolla.de/ ) and fix all items in RED and reboot. Then after closing all browser windows, fix the items listed below that are remaining using HijackThis and then reboot again. O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\bin2\apuc.dll BargainBuddy – See http://217.115.153.73/parasite/BargainBuddy.html O2 - BHO: eXact Browser Companion - {F9765480-72D1-11D4-A75A-004F49045A87} - c:\progra~1\exact\exacttoolbar00049.dll eXactSearchBar – See http://217.115.153.73/parasite/eXactSearch.html O3 - Toolbar: &eXact Toolbar - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - c:\progra~1\exact\exacttoolbar00049.dll See eXactSearchBar above O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab After rebooting delete the following folders: The folder BARGAI~1 at C:\PROGRA~1\BARGAI~1 The folder exact at c:\progra~1\exact -------------- For the future see: So how did I get infected in the first place? http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 In addition to using SpywareBlaster (mentioned in the thread) I would also use SpywareGuard http://www.wilderssecurity.net/spywareguard.html Four of the most recommended anti-spyware programs are SpywareBlaster and SpywareGuard and Spybot S&D and Ad-aware. If you install all four programs, keep them updated, and scan with Spybot S&D and Ad-aware periodically, you will be fairly well-protected from spyware. Thought I would mention that SpywareGuard includes a browser hijack stopper (Javacool calls it Browser Hijack Blaster) that protects your system from browser hijackers and spyware that alters your Internet Explorer settings. Good Luck!

0

Hi, Im not as computer savvy as you guys are but I beleive I'm having a similar problem. Whenever I try to access a site on my browser I'm directed to vrape.hardloved.com. The only way I can acces a site is to open aol and use the search engine. If someone can explain how to fix it in plain english I would appreciate it. Im not completely hopless but terms like run a spybot, HT and ISTsvc folder , are not in my vocabulary. Thanks in a dvance for any help.

0

Hi all When i search from the address bar in IE6, it keeps using a search engine from vrape.hardloved.com, ive tried reseting my web settings but that doesnt work; ive tried customizong the search engine through the search bar but that doesnt work either. For example entering "www.amazon.co.uk" in the address bar or any search like it comes up with page not found. I am computer literate but have no idea what any of these technical terms mean i.e HT, Spybot etc. Any help would be appreciated in solving this annoyance. Thanks

0

Thank you so much Setter! I really appreciate your input and the tips for future protection. I've done what you said, but the only thing I could not do was delete the files from my computer. I can't find them at all regardless of my system searches. This is my current log. What do you think? Again, thanks for being such a help. Mike FT. Hood, TX Logfile of HijackThis v1.96.0 Scan saved at 1:40:35 PM, on 8/10/2003 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Norton Internet Security\NISUM.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\System32\drivers\CDAC11BA.exe C:\WINDOWS\System32\DRIVERS\CDANTSRV.exe C:\Program Files\Norton Internet Security\ccPxySvc.exe C:\WINDOWS\system32\cisvc.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\system32\gearsec.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Dell\Support\Alert\bin\DAMon.exe C:\Program Files\Creative\ShareDLL\CtNotify.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\System32\CTHELPER.exe C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Creative\ShareDLL\Mediadet.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe C:\WINDOWS\System32\P2P Networking\P2P Networking.exe C:\program files\altnet\points manager\points manager.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.exe C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe C:\Program Files\SpywareGuard\sgmain.exe C:\Program Files\SpywareGuard\sgbhp.exe C:\Program Files\Messenger\msmsgs.exe C:\Documents and Settings\Family\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hot.rr.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.exe O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL O4 - HKLM\..\Run: [Opware12] "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe" O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - Startup: PowerReg Scheduler V3.exe O4 - Startup: PowerReg Scheduler.exe O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000 O9 - Extra button: ATI TV (HKLM) O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O9 - Extra button: Real.com (HKLM) O9 - Extra button: MoneySide (HKLM) O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.cab O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/packages/GSManager.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37644.5175231481 O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://a320.g.akamai.net/7/320/1456/v50245/www.pulse3d.com/players/english/5.0/win/PulsePlayer5AxWin.cab O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?305 O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_6.cab

0

Hi Mike34, You have a clean logfile :-) I suggest saving the logfile for future reference and if weird stuff starts to happen you can do a comparison with a new HijackThis logfile at that time.

0

Hi 10fold and mikeyc007, Go to http://www.tomcoyote.org/hjt/ and download HijackThis. After starting HijackThis, click the scan button which will change into a save log button. Save the logfile and also copy and paste the results back here in this thread. Most items reported by HijackThis are valid, so don’t fix anything yet. Mark

0

Hi Mike34, LOL, I just realized you Mike are someone I was helping. Sorry, I gave the HijackThis shortened version. So try and delete as follows: The folder "Bargain Buddy" at C:\Program Files\Bargain Buddy\ The folder "exact" at C:\Program Files\exact And if you can't find them don't worry about it. Mark

0

Mark, Thanks for the help it's much appreciated. Heres the logfile. Logfile of HijackThis v1.96.0 Scan saved at 11:04:06 PM, on 8/10/2003 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe C:\WINDOWS\wanmpsvc.exe C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe C:\WINDOWS\System32\hkcmd.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.exe C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe C:\Program Files\DelFin\PromulGate\PgMonitr.exe C:\Program Files\DownloadWare\dw.exe C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\WINDOWS\System32\rundll32.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe C:\Program Files\BigFix\BigFix.exe C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe C:\WINDOWS\system32\winlogon.exe C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe C:\Program Files\McAfee\McAfee VirusScan\AvConsol.exe C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe C:\WINDOWS\system32\winlogon.exe C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe C:\Program Files\McAfee\McAfee VirusScan\AvConsol.exe C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Kazaa\kazaa.exe C:\WINDOWS\system32\mmc.exe C:\WINDOWS\system32\DfrgNtfs.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\Program Files\Microsoft Money\System\urlmap.exe C:\WINDOWS\explorer.exe C:\Documents and Settings\Mike C\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://vrape.hardloved.com/top/search.php?id=2&s= R1 - HKCU\Software\Microsoft\Internet Explorer,Search Page = http://vrape.hardloved.com/top/search.php?id=2&s= R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=2&s= R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://vrape.hardloved.com/top/search.php?id=1&s=www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=2&s= R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=2&s= R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=2&s= R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adulthyperlinks.com/favorites/8 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=1&s= R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://vrape.hardloved.com/top/search.php?id=1&s= R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=1&s= R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=1&s= R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=1&s= R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=2&s= R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=1&s= O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOCUME~1\Jimmy\LOCALS~1\Temp\msgadg.dll O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_20.dll O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\MediaLoads Enhanced\ME2.DLL O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.exe /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62" O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe" O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~3.DLL,NewDotNetStartup O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM) O9 - Extra button: ICQ (HKLM) O9 - Extra 'Tools' menuitem: ICQ (HKLM) O9 - Extra button: AOL Instant Messenger (SM) (HKLM) O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O9 - Extra button: Real.com (HKLM) O9 - Extra button: MoneySide (HKLM) O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O13 - DefaultPrefix: http://vrape.hardloved.com/top/search.php?id=1&s= O13 - WWW Prefix: http://vrape.hardloved.com/top/search.php?id=1&s= O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553542500} - http://active.macromedia.com/flash2/cabs/swflash.cab thanks again, Mike

0

Hi Mike (10fold ), Run an updated Spybot Search and Destroy ( http://security.kolla.de/ ) and fix all items in RED and reboot. Then after closing all browser windows, fix the items listed below that are remaining using HijackThis and then reboot again. R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://vrape.hardloved.com/top/search.php?id=2&s= R1 - HKCU\Software\Microsoft\Internet Explorer,Search Page = http://vrape.hardloved.com/top/search.php?id=2&s= R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=2&s= R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://vrape.hardloved.com/top/search.php?id=1&s=www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=2&s= R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=2&s= R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=2&s= R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adulthyperlinks.com/favorites/8 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=1&s= R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://vrape.hardloved.com/top/search.php?id=1&s= R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=1&s= R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=1&s= R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=1&s= R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=2&s= R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=1&s= O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOCUME~1\Jimmy\LOCALS~1\Temp\msgadg.dll O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_20.dll NewDotNet - See http://217.115.153.73/parasite/NewDotNet.html. (Installed as part of the Kazaa ) O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\MediaLoads Enhanced\ME2.DLL DownloadWare - See http://217.115.153.73/parasite/DownloadWare.html O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe" Adware based media viewer O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H See DownloadWare above O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H See DownloadWare above O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe Rebranded version of SaveNow advertising spyware – See http://217.115.153.73/parasite/SaveNow.html O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~3.DLL,NewDotNetStartup See NewDotNet above All the following O10 are the result of NewDotNet above Note: If these entries are not fixed be Spybot S&D (which I’m sure they will be) you must use LSPFix from http://www.cexx.org/lspfix.htm --------------------------- O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O13 - DefaultPrefix: http://vrape.hardloved.com/top/search.php?id=1&s= O13 - WWW Prefix: http://vrape.hardloved.com/top/search.php?id=1&s= O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com Fix this only if you want to be able to change your start page URL (To http://www.google.com/ for example) After rebooting delete the following folders (if found): The folder NewDotNet at C:\Program Files\NewDotNet The folder MediaLoads Enhanced at C:\Program Files\MediaLoads Enhanced The folder DelFin at C:\Program Files\DelFin The folder DownloadWare at C:\Program Files\DownloadWare The folder Save at C:\ Program Files \Save -------------- For the future see: So how did I get infected in the first place? http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 In addition to using SpywareBlaster (mentioned in the thread) I would also use SpywareGuard http://www.wilderssecurity.net/spywareguard.html Four of the most recommended anti-spyware programs are SpywareBlaster and SpywareGuard and Spybot S&D and Ad-aware. If you install all four programs, keep them updated, and scan with Spybot S&D and Ad-aware periodically, you will be fairly well-protected from spyware. Thought I would mention that SpywareGuard includes a browser hijack stopper (Javacool calls it Browser Hijack Blaster) that protects your system from browser hijackers and spyware that alters your Internet Explorer settings. Good Luck!

0

I'm glad I found this forum, looks like you guys have what I've been getting on my computer. Anyways, I got HT and Spybot S&D. Here is the log and thank you very much to anyone who can help me out. Logfile of HijackThis v1.96.0 Scan saved at 7:31:50 PM, on 8/11/2003 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\System32\DRIVERS\CDANTSRV.exe C:\WINDOWS\system32\cisvc.exe c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe C:\WINDOWS\System32\svchost.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe C:\WINDOWS\Explorer.exe C:\Program Files\Logitech\iTouch\iTouch.exe C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\Program Files\McAfee.com\Agent\mcagent.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe C:\Program Files\Common Files\Dell\EUSW\Support.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.exe C:\Program Files\AIM95\aim.exe C:\windows\explore.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\WINDOWS\system32\cidaemon.exe C:\WINDOWS\system32\cidaemon.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Sal\My Documents\Install Files\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=2&s= R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=2&s= R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=2&s= R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=2&s= R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/5/search.php?qq=%s R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost; R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=2&s= R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=2&s= O1 - Hosts: 65.77.83.222 thehun.com O1 - Hosts: 65.77.83.222 thehun.net O1 - Hosts: 65.77.83.222 madthumbs.com O1 - Hosts: 65.77.83.222 worldsex.com O1 - Hosts: 65.77.83.222 teeniefiles.com O1 - Hosts: 65.77.83.222 al4a.com O1 - Hosts: 65.77.83.222 sublimedirectory.com O1 - Hosts: 65.77.83.222 thumbzilla.com O1 - Hosts: 65.77.83.222 sexocean.com O1 - Hosts: 65.77.83.222 easypic.com O1 - Hosts: 65.77.83.222 absolut-series.com O1 - Hosts: 65.77.83.222 jpeg4free.com O1 - Hosts: 65.77.83.222 thumbnailpost.com O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINDOWS\winshow.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.exe O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - HKCU\..\Run: [explore] c:\windows\explore.exe O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM) O9 - Extra button: AIM (HKLM) O9 - Extra button: Real.com (HKLM) O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O13 - DefaultPrefix: http://vrape.hardloved.com/top/search.php?id=2&s= O13 - WWW Prefix: http://vrape.hardloved.com/top/search.php?id=2&s= O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37641.8607986111 O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi.dll O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab --- Don't know if this is exactly the same as what everyone else posted but it looks pretty close to me. Much thanks.

0

Hi strungout, Run an updated Spybot Search and Destroy ( http://security.kolla.de/ ) and fix all items in RED and reboot. Then after closing all browser windows, fix the items listed below that are remaining using HijackThis and then reboot again. R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=2&s= R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=2&s= R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=2&s= R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=2&s= R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/5/search.php?qq=%s R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=2&s= R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=2&s= O1 - Hosts: 65.77.83.222 thehun.com O1 - Hosts: 65.77.83.222 thehun.net O1 - Hosts: 65.77.83.222 madthumbs.com O1 - Hosts: 65.77.83.222 worldsex.com O1 - Hosts: 65.77.83.222 teeniefiles.com O1 - Hosts: 65.77.83.222 al4a.com O1 - Hosts: 65.77.83.222 sublimedirectory.com O1 - Hosts: 65.77.83.222 thumbzilla.com O1 - Hosts: 65.77.83.222 sexocean.com O1 - Hosts: 65.77.83.222 easypic.com O1 - Hosts: 65.77.83.222 absolut-series.com O1 - Hosts: 65.77.83.222 jpeg4free.com O1 - Hosts: 65.77.83.222 thumbnailpost.com O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINDOWS\winshow.dll Winshow/Searchv.com Hijacker – See http://www.doxdesk.com/parasite/Winshow.html ****O4 - HKCU\..\Run: [explore] c:\windows\explore.exe Added as a result of the NETBUS 160 (http://www.ikarus.at/english/vttrojan.htm#nb160) and other VIRUSES! O13 - DefaultPrefix: http://vrape.hardloved.com/top/search.php?id=2&s= O13 - WWW Prefix: http://vrape.hardloved.com/top/search.php?id=2&s= After rebooting delete the following file (if found): The file explore.exe at c:\windows\explore.exe You have/had at least one active Trojan (Identified by ****). HijackThis will have rendered it inactive when you did the above. And by removing the file explore.exe it will not be able to execute anymore. You can also use the removal instructions provided with the link to remove any other traces. You may still have other Viruses/Trojans. Even though McAfee is a very good Anti-Virus program (with some Trojan detection) they are not in the Anti-Trojan business. I recommend either Trojanhunter or TDS-3 (both have thirty day trials) You can also try an online AV scanner such as - Panda ActiveScan http://www.pandasoftware.es/activescan/activescan-com.asp - Trend Micro Housecall http://housecall.antivirus.com/ Recommend Panda ActiveScan first, Trend HouseCall second, as the two best online scans, in that order. They may detect and remove other Viruses/Trojans also. No one program finds everything. -------------- For a Spyware free future see: So how did I get infected in the first place? http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 Four of the most recommended anti-spyware programs are SpywareBlaster and SpywareGuard and Spybot S&D and Ad-aware. If you install all four programs, keep them updated, and scan with Spybot S&D and Ad-aware periodically, you will be fairly well-protected from spyware. Thought I would mention that SpywareGuard includes a browser hijack stopper (Javacool calls it Browser Hijack Blaster) that protects your system from browser hijackers and spyware that alters your Internet Explorer settings. Good Luck!

0

Hi I have a similiar problem here is my logfile Logfile of HijackThis v1.96.0 Scan saved at 19:43:21, on 12-8-2003 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\pctspk.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\rundll32.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.exe C:\Program Files\Messenger Plus! 2\MsgPlus.exe C:\DOCUME~1\Marsha\APPLIC~1\wgrievst.exe C:\WINDOWS\System32\NotifyPhoneBook.exe C:\Program Files\QuickTime\qttask.exe C:\DOCUME~1\Marsha\APPLIC~1\msbb.exe C:\DOCUME~1\Marsha\LOCALS~1\Temp\Net1.exe C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\System32\winservn.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Marsha\Local Settings\Temp\Tijdelijke map 2 voor hijackthis.zip\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {762b0095-61cf-4340-8167-0d633218ff6c} - C:\DOCUME~1\Marsha\APPLIC~1\pchooouldck.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: (no name) - {69550BE2-9A78-11D2-BA91-00600827878D} - C:\WINDOWS\System32\shdocvw.dll O3 - Toolbar: rgreshouwst - {b4dd8f69-d41d-40d0-ade1-ae4b0fad47c2} - C:\DOCUME~1\Marsha\APPLIC~1\pchooouldck.dll O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.exe O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" O4 - HKLM\..\Run: [cldch] C:\DOCUME~1\Marsha\APPLIC~1\wgrievst.exe -QuieT O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [msbb] C:\DOCUME~1\Marsha\APPLIC~1\msbb.exe O4 - HKLM\..\Run: [CGJM] C:\WINDOWS\CGJM.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\System32\winservn.exe O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000 O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM) O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.readlyrics.com/mp3.exe O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave.com/content/angelx/SonyPicturesGameDownloader.cab O16 - DPF: {AE6CEFA8-1223-4337-8D94-977268FF9AA0} (DownloadUL Class) - http://www.outwar.com/includes/Download_UL.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://http.gamezone.tukati.com/tukati/1.7.20.20/tukati.cab O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{FF6B7DE9-B581-4F53-888A-5BBDF99302C2}: NameServer = 195.121.1.34 195.121.1.66

0

Hi Marsha, Run an updated Spybot Search and Destroy ( http://security.kolla.de/ ) and fix all items in RED and reboot. Before doing anything else, could you please manually go to these locations (or do a file search) and zip these files (if zipping is a problem, send them unzipped) and send them to submissions@spywareinfo.com Please also put the address of this thread in the e-mail so they can refer to it if needed. After sending you may fix them using HijackThis. C:\DOCUME~1\Marsha\APPLIC~1\pchooouldck.dll C:\DOCUME~1\Marsha\APPLIC~1\wgrievst.exe C:\WINDOWS\CGJM.exe Then after closing all browser windows, fix the items listed below that are remaining using HijackThis and then reboot again. R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html O2 - BHO: (no name) - {762b0095-61cf-4340-8167-0d633218ff6c} - C:\DOCUME~1\Marsha\APPLIC~1\pchooouldck.dll Not known O3 - Toolbar: (no name) - {69550BE2-9A78-11D2-BA91-00600827878D} - C:\WINDOWS\System32\shdocvw.dll TinyBar - See http://www.doxdesk.com/parasite/TinyBar.html O3 - Toolbar: rgreshouwst - {b4dd8f69-d41d-40d0-ade1-ae4b0fad47c2} - C:\DOCUME~1\Marsha\APPLIC~1\pchooouldck.dll Not known O4 - HKLM\..\Run: [cldch] C:\DOCUME~1\Marsha\APPLIC~1\wgrievst.exe –QuieT Not known O4 - HKLM\..\Run: [msbb] C:\DOCUME~1\Marsha\APPLIC~1\msbb.exe Advertising spyware O4 - HKLM\..\Run: [CGJM] C:\WINDOWS\CGJM.exe Not known O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\System32\winservn.exe Homepage hijacker O16 - DPF: {AE6CEFA8-1223-4337-8D94-977268FF9AA0} (DownloadUL Class) - http://www.outwar.com/includes/Download_UL.cab After rebooting delete the following: The file wgrievst.exe at C:\DOCUME~1\Marsha\APPLIC~1\wgrievst.exe The file msbb.exe at C:\DOCUME~1\Marsha\APPLIC~1\msbb.exe The file CGJM.exe at C:\WINDOWS\CGJM.exe The file winservn.exe at C:\WINDOWS\System32\winservn.exe You should do the security updates for WinXP and IE6 Platform: Windows XP is now at SP1 MSIE: Internet Explorer v6.00 is now at SP1 -------------- For the future see: So how did I get infected in the first place? http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 Four of the most recommended anti-spyware programs are SpywareBlaster and SpywareGuard and Spybot S&D and Ad-aware. If you install all four programs, keep them updated, and scan with Spybot S&D and Ad-aware periodically, you will be fairly well-protected from spyware. Thought I would mention that SpywareGuard includes a browser hijack stopper (Javacool calls it Browser Hijack Blaster) that protects your system from browser hijackers and spyware that alters your Internet Explorer settings. Good Luck!

0

Mark, once again you are the man! Thank you very much, it seems to be running normal again. Also much thanks for the links you provided and for going to the trouble of posting where I could get more information about the trojan I had. The link you gave also instructed me to delete some other files and I did with the exception of winshow.dll, which I couldn't find. Did Spybot & HT take care of this for me? Also ran a virus scan with Panda and Trend Micro Housecall and I seem to be in good shape. Just to make sure, here is my updated log. If you could verify that my system is clean so that I could use this logfile for future comparison, I would really appreciate it. Again, thank you very much for your time. Logfile of HijackThis v1.96.0 Scan saved at 8:29:49 PM, on 8/12/2003 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\System32\DRIVERS\CDANTSRV.exe C:\WINDOWS\system32\cisvc.exe c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe C:\WINDOWS\System32\svchost.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe C:\WINDOWS\Explorer.exe C:\Program Files\Logitech\iTouch\iTouch.exe C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\Program Files\McAfee.com\Agent\mcagent.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe C:\Program Files\Common Files\Dell\EUSW\Support.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\cidaemon.exe C:\WINDOWS\system32\cidaemon.exe C:\Program Files\AIM95\aim.exe C:\Documents and Settings\Sal\My Documents\Install Files\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost; O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.exe O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM) O9 - Extra button: AIM (HKLM) O9 - Extra button: Real.com (HKLM) O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.es/activescan/as/asinst.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37641.8607986111 O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi.dll O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab Also one last thing, I noticed after running HT & Spybot that I had a bunch of small backup files in the same folder. Should these also be deleted?

0

strungout Yep, Spybot took care of winshow.dll Logfile looks A-OK to me. If you are talking about the back-up files created by Spybot & HijackThis in case of the need to restore the changes made. Those can be deleted after a period of time lets say two weeks. I usually delete them immediately :-) up to you - you do trust me don't you - LOL Well anyway hehe, using the program HijackThis, the Backups are located by clicking "config" then "backups". And in Spybot you will find the backups by clicking the "recovery" button. You may delete or purge them in those locations when you choose. And your welcome! Mark

0

Problems with "vrape". Here's my logfile. Any help you can give would be greatly appreciated. Thanks. Logfile of HijackThis v1.96.0 Scan saved at 10:11:15 PM, on 8/12/2003 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\system32\HPConfig.exe C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\System32\carpserv.exe C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\windows\system\hpsysdrv.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\System32\P2P Networking\P2P Networking.exe C:\Program Files\Altnet\Points Manager\Points Manager.exe C:\PROGRA~1\NORTON~1\navapw32.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\America Online 8.0\aoltray.exe C:\Program Files\AOL Companion\companion.exe C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe C:\Program Files\Nikon\NkView5\NkvMon.exe C:\Program Files\BullGuard\avxnews.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Windows Media Player\wmplayer.exe C:\Program Files\America Online 8.0\waol.exe C:\Program Files\America Online 8.0\shellmon.exe C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://vrape.hardloved.com/top/search.php?id=2&s= R1 - HKCU\Software\Microsoft\Internet Explorer,Search Page = http://vrape.hardloved.com/top/search.php?id=2&s= R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=2&s= R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://vrape.hardloved.com/top/search.php?id=2&s= R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://approvedlinks.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=2&s= R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=2&s= R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=2&s= R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=2&s= R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://vrape.hardloved.com/top/search.php?id=2&s= R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=2&s= R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=2&s= R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=2&s= R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=2&s= R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=2&s= R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://approvedlinks.com/ O1 - Hosts: 65.77.83.222 thehun.com O1 - Hosts: 65.77.83.222 thehun.net O1 - Hosts: 65.77.83.222 madthumbs.com O1 - Hosts: 65.77.83.222 worldsex.com O1 - Hosts: 65.77.83.222 teeniefiles.com O1 - Hosts: 65.77.83.222 al4a.com O1 - Hosts: 65.77.83.222 sublimedirectory.com O1 - Hosts: 65.77.83.222 thumbzilla.com O1 - Hosts: 65.77.83.222 sexocean.com O1 - Hosts: 65.77.83.222 easypic.com O1 - Hosts: 65.77.83.222 absolut-series.com O1 - Hosts: 65.77.83.222 jpeg4free.com O1 - Hosts: 65.77.83.222 thumbnailpost.com O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [CARPService] carpserv.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPQ\ONE-TO~1\OneTouch.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ? O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView5\NkvMon.exe O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O9 - Extra button: Real.com (HKLM) O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O13 - DefaultPrefix: http://vrape.hardloved.com/top/search.php?id=2&s= O13 - WWW Prefix: http://vrape.hardloved.com/top/search.php?id=2&s= O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/05581c785bfe3b16fe14/netzip/RdxIE601.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{17B36E99-2FB3-4917-89A0-42A3E431583E}: NameServer = 152.163.201.134 O17 - HKLM\System\CS1\Services\Tcpip\..\{17B36E99-2FB3-4917-89A0-42A3E431583E}: NameServer = 152.163.201.134

0

Hi dciancia, Run an updated Spybot Search and Destroy ( http://security.kolla.de/ ) and fix all items in RED and reboot. Then after closing all browser windows, fix the items listed below that are remaining using HijackThis and then reboot again. R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://vrape.hardloved.com/top/search.php?id=2&s= R1 - HKCU\Software\Microsoft\Internet Explorer,Search Page = http://vrape.hardloved.com/top/search.php?id=2&s= R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=2&s= R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://vrape.hardloved.com/top/search.php?id=2&s= R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://approvedlinks.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=2&s= R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=2&s= R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=2&s= R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=2&s= R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://vrape.hardloved.com/top/search.php?id=2&s= R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://vrape.hardloved.com/top/search.php?id=2&s= R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://vrape.hardloved.com/top/search.php?id=2&s= R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://vrape.hardloved.com/top/search.php?id=2&s= R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=2&s= R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://vrape.hardloved.com/top/search.php?id=2&s= R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://approvedlinks.com/ O1 - Hosts: 65.77.83.222 thehun.com O1 - Hosts: 65.77.83.222 thehun.net O1 - Hosts: 65.77.83.222 madthumbs.com O1 - Hosts: 65.77.83.222 worldsex.com O1 - Hosts: 65.77.83.222 teeniefiles.com O1 - Hosts: 65.77.83.222 al4a.com O1 - Hosts: 65.77.83.222 sublimedirectory.com O1 - Hosts: 65.77.83.222 thumbzilla.com O1 - Hosts: 65.77.83.222 sexocean.com O1 - Hosts: 65.77.83.222 easypic.com O1 - Hosts: 65.77.83.222 absolut-series.com O1 - Hosts: 65.77.83.222 jpeg4free.com O1 - Hosts: 65.77.83.222 thumbnailpost.com O13 - DefaultPrefix: http://vrape.hardloved.com/top/search.php?id=2&s= O13 - WWW Prefix: http://vrape.hardloved.com/top/search.php?id=2&s= O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/05581c785bfe3b16fe14/netzip/RdxIE601.cab -------------- For a Spyware free future see: So how did I get infected in the first place? http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 Four of the most recommended anti-spyware programs are SpywareBlaster and SpywareGuard and Spybot S&D and Ad-aware. If you install all four programs, keep them updated, and scan with Spybot S&D and Ad-aware periodically, you will be fairly well-protected from spyware. Thought I would mention that SpywareGuard includes a browser hijack stopper (Javacool calls it Browser Hijack Blaster) that protects your system from browser hijackers and spyware that alters your Internet Explorer settings. Good Luck!

0

I have a similiair problem , can anyone help?? Logfile of HijackThis v1.96.0 Scan saved at 9:37:39, on 14-8-2003 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe C:\Programme\Symantec\pcAnywhere\awhost32.exe C:\WINNT\System32\svchost.exe C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe c:\Mssql7\binn\sqlservr.exe C:\Programme\Norton AntiVirus\navapsvc.exe C:\Programme\Norton Utilities\NPROTECT.exe C:\WINNT\System32\nvsvc32.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\Programme\Speed Disk\nopdb.exe C:\WINNT\system32\stisvc.exe C:\Programme\HHVcdV5Sys\VC5SecS.exe C:\Programme\Virtual CD v4\System\vcdsecs.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\WINNT\Explorer.exe C:\WINNT\SOUNDMAN.exe C:\Programme\Elaborate Bytes\CloneCD\CloneCDTray.exe C:\PROGRA~1\VIRTUA~1\System\VCDPlay.exe C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe C:\Programme\QuickTime\qttask.exe C:\Programme\ahead\InCD\InCD.exe C:\Programme\Real\RealPlayer\RealPlay.exe C:\Programme\HHVcdV5Sys\VC5Play.exe C:\Programme\Virtual CD v4\System\VCDTray.exe C:\Programme\Gemeinsame Dateien\CMEII\CMESys.exe C:\Programme\Gemeinsame Dateien\Logitech\QCDriver\LVCOMS.exe C:\Programme\Save\Save.exe C:\Programme\Messenger Plus! 2\MsgPlus.exe C:\DOKUME~1\BRUNNE~1\ANWEND~1\trchgzie.exe C:\DOKUME~1\BRUNNE~1\LOKALE~1\Temp\Khz1.exe C:\DOKUME~1\BRUNNE~1\ANWEND~1\msbb.exe C:\WINNT\system32\ctfmon.exe C:\Programme\TimePackage 4.0\nte40tbc.exe C:\Programme\TimePackage 4.0\nte40tsk.exe C:\Programme\Virtual CD v5\System\VC5Tray.exe C:\Programme\WeatherCast\Weather.exe C:\Programme\MSN Messenger\msnmsgr.exe C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe C:\Mssql7\Binn\sqlmangr.exe C:\Programme\Gemeinsame Dateien\GMT\GMT.exe C:\Programme\Norton Utilities\SYSDOC32.exe C:\Programme\WinZip\WZQKPICK.exe C:\Programme\Windows Media Player\wmplayer.exe C:\Programme\Internet Explorer\IEXPLORE.exe C:\PROGRA~1\WINZIP\winzip32.exe C:\Dokumente und Einstellungen\Brunner Franz\Lokale Einstellungen\Temp\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll O2 - BHO: (no name) - {fe78ab3f-ee1d-4d3c-bb44-e1ff336c31cb} - C:\DOKUME~1\BRUNNE~1\ANWEND~1\ouoaoglxdra.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll O3 - Toolbar: tchmcrgltri - {de248de0-2804-43a7-9b57-7634e856892d} - C:\DOKUME~1\BRUNNE~1\ANWEND~1\ouoaoglxdra.dll O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programme\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL O4 - HKLM\..\Run: [CloneCDTray] "C:\Programme\Elaborate Bytes\CloneCD\CloneCDTray.exe" O4 - HKLM\..\Run: [VCDPlayer] C:\PROGRA~1\VIRTUA~1\System\VCDPlay.exe O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe O4 - HKLM\..\Run: [InCD] C:\Programme\ahead\InCD\InCD.exe O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [VC5Player] C:\Programme\HHVcdV5Sys\VC5Play.exe O4 - HKLM\..\Run: [CMESys] "C:\Programme\Gemeinsame Dateien\CMEII\CMESys.exe" O4 - HKLM\..\Run: [LVCOMS] C:\Programme\Gemeinsame Dateien\Logitech\QCDriver\LVCOMS.exe O4 - HKLM\..\Run: [WhenUSave] C:\Programme\Save\Save O4 - HKLM\..\Run: [MessengerPlus2] "C:\Programme\Messenger Plus! 2\MsgPlus.exe" O4 - HKLM\..\Run: [exdroa] C:\DOKUME~1\BRUNNE~1\ANWEND~1\trchgzie.exe -QuieT O4 - HKLM\..\Run: [msbb] C:\DOKUME~1\BRUNNE~1\ANWEND~1\msbb.exe O4 - HKLM\..\Run: [WXYNDKUL] C:\WINNT\WXYNDKUL.exe O4 - HKLM\..\Run: [BHOUEL] C:\WINNT\BHOUEL.exe O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe O4 - HKCU\..\Run: [nte40tbc] C:\Programme\TimePackage 4.0\nte40tbc.exe O4 - HKCU\..\Run: [nte40tsk] C:\Programme\TimePackage 4.0\nte40tsk.exe /auto O4 - HKCU\..\Run: [WeatherCast] C:\Programme\WeatherCast\Weather.exe /q O4 - HKCU\..\Run: [MessengerPlus2] "C:\Programme\Messenger Plus! 2\MsgPlus.exe" /WinStart O4 - HKCU\..\Run: [msnmsgr] "C:\Programme\MSN Messenger\msnmsgr.exe" /background O4 - Startup: Norton System Doctor.LNK = C:\Programme\Norton Utilities\SYSDOC32.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 5.0\Distillr\AcroTray.exe O4 - Global Startup: Dienst-Manager.lnk = C:\Mssql7\Binn\sqlmangr.exe O4 - Global Startup: GStartup.lnk = C:\Programme\Gemeinsame Dateien\GMT\GMT.exe O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.exe O4 - Global Startup: Norton System Doctor.lnk = C:\Programme\Norton Utilities\SYSDOC32.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.exe O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Recherche-Assistent (HKLM) O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O9 - Extra button: Real.com (HKLM) O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37750.5016550926 O16 - DPF: {A7798D6C-C6B5-4F26-9363-F7CDBBFFA607} (download Class) - http://www.gigex.com/ActiveX/vxpspeeddelivery.dll O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://www.getweathercast.com/WeatherInstCAST1202.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{32B75F85-D48F-4480-954A-84F7CA5927AF}: NameServer = 192.168.1.1

0

HI Mirjam, Run an updated Spybot Search and Destroy ( http://security.kolla.de/ ) and fix all items in RED and reboot. Then after closing all browser windows, fix the items listed below that are remaining using HijackThis and then reboot again. R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html O2 - BHO: (no name) - {fe78ab3f-ee1d-4d3c-bb44-e1ff336c31cb} - C:\DOKUME~1\BRUNNE~1\ANWEND~1\ouoaoglxdra.dll Not Known - remove it. O3 - Toolbar: tchmcrgltri - {de248de0-2804-43a7-9b57-7634e856892d} - C:\DOKUME~1\BRUNNE~1\ANWEND~1\ouoaoglxdra.dll Not Known - remove it. O4 - HKLM\..\Run: [CMESys] "C:\Programme\Gemeinsame Dateien\CMEII\CMESys.exe" Part of Gator advertising spyware - See http://217.115.153.73/parasite/Gator.html O4 - HKLM\..\Run: [WhenUSave] C:\Programme\Save\Save Rebranded version of SaveNow advertising spyware O4 - HKLM\..\Run: [exdroa] C:\DOKUME~1\BRUNNE~1\ANWEND~1\trchgzie.exe -QuieT Not Known O4 - HKLM\..\Run: [msbb] C:\DOKUME~1\BRUNNE~1\ANWEND~1\msbb.exe Advertising spyware O4 - HKLM\..\Run: [WXYNDKUL] C:\WINNT\WXYNDKUL.exe Not Known O4 - HKLM\..\Run: [BHOUEL] C:\WINNT\BHOUEL.exe Not Known O4 - Global Startup: GStartup.lnk = C:\Programme\Gemeinsame Dateien\GMT\GMT.exe Gator spyware variant. See http://217.115.153.73/parasite/Gator.html O16 - DPF: {A7798D6C-C6B5-4F26-9363-F7CDBBFFA607} (download Class) - http://www.gigex.com/ActiveX/vxpspeeddelivery.dll After reboot then delete the following: The folder CMEII at C:\Programme\Gemeinsame Dateien\CMEII The folder Save at C:\Programme\Save The file WXYNDKUL.exe at C:\WINNT\WXYNDKUL.exe The file BHOUEL.exe at C:\WINNT\BHOUEL.exe The folder GMT at C:\Programme\Gemeinsame Dateien\GMT You should delete the proper folder these .exe are located in, but I don’t know what it is (language problem) At minimum delete the .exe files. C:\DOKUME~1\BRUNNE~1\ANWEND~1\trchgzie.exe -QuieT C:\DOKUME~1\BRUNNE~1\ANWEND~1\msbb.exe -------------- For the future see: So how did I get infected in the first place? http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 Four of the most recommended anti-spyware programs are SpywareBlaster and SpywareGuard and Spybot S&D and Ad-aware. If you install all four programs, keep them updated, and scan with Spybot S&D and Ad-aware periodically, you will be fairly well-protected from spyware. Thought I would mention that SpywareGuard includes a browser hijack stopper (Javacool calls it Browser Hijack Blaster) that protects your system from browser hijackers and spyware that alters your Internet Explorer settings. Good Luck!

0

I've got a porn entry in my startup menu. I ran Sypbot search and destroy and it's clean. When I try to mark and fix the entry in Hijack...it reappears right away. Any help would be greatly appreciated. Logfile of HijackThis v1.96.0 Scan saved at 3:40:53 PM, on 8/17/2003 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\drivers\CDAC11BA.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\Explorer.exe C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe C:\Program Files\Washer\washer.exe C:\Program Files\Microsoft Money\System\Money Express.exe C:\Program Files\America Online 8.0\aoltray.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe C:\Program Files\SpywareGuard\sgmain.exe C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe C:\Program Files\SpywareGuard\sgbhp.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe C:\WINDOWS\System32\HPZipm12.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe C:\Documents and Settings\Dale T. Brown\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe" O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe O4 - HKLM\..\Run: [SysPnP] rundll32 setupapi,InstallHinfSection DefaultInstall 128 oemsyspnp.inf O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0 O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" O4 - HKCU\..\Run: [bestiality-movies[1]] c:\windows\bestiality-movies[1].exe -m O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ? O4 - Global Startup: officejet 6100.lnk = ? O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O9 - Extra button: Real.com (HKLM) O9 - Extra button: MoneySide (HKLM) O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://mservices.mckinsey.com/iNotes.cab O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shop.intuit.com/store/executables/ie/IDA.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37844.792037037 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

0

Hi Dale Brown, Download and run CoolwebShredder from http://www.spywareinfo.com/~merijn/files/cwshredder.zip (direct download) Run an UPDATED Spybot Search and Destroy ( http://security.kolla.de/ ) and fix all items in RED and reboot. Then after closing all browser windows, fix the items listed below that are remaining using HijackThis and then reboot again. O4 - HKLM\..\Run: [SysPnP] rundll32 setupapi,InstallHinfSection DefaultInstall 128 oemsyspnp.inf Coolwebsearch Search Hijacker O4 - HKCU\..\Run: [bestiality-movies[1]] c:\windows\bestiality-movies[1].exe -m After reboot then delete the file “bestiality-movies[1].exe” at c:\windows\bestiality-movies[1].exe ---------------- For the future see: So how did I get infected in the first place? http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 Four of the most recommended anti-spyware programs are SpywareBlaster and SpywareGuard and Spybot S&D and Ad-aware. If you install all four programs, keep them updated, and scan with Spybot S&D and Ad-aware periodically, you will be fairly well-protected from spyware. Thought I would mention that SpywareGuard includes a browser hijack stopper (Javacool calls it Browser Hijack Blaster) that protects your system from browser hijackers and spyware that alters your Internet Explorer settings. Good Luck!

0

Thanks for your help...but...I followed your directions (exactly) and still have the same problem. After running the CoolwebShredder and an updated Spybot Search and Destroy, rebooted, closed all windows...I did not get the Hijack entry-- O4 - HKLM\..\Run: [SysPnP] rundll32 setupapi,InstallHinfSection DefaultInstall 128 oemsyspnp.inf Coolwebsearch Search Hijacker When I delete the entry in question in Hijack it immediately reappears after another scan. I deleted the directory in question several days ago. Here is my current scan. Any additional help would be most appreciated. Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\drivers\CDAC11BA.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\Explorer.exe C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe C:\WINDOWS\System32\RUNDLL32.exe C:\Program Files\America Online 8.0\aoltray.exe C:\Program Files\AOL Companion\companion.exe C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe C:\Program Files\SpywareGuard\sgmain.exe C:\Program Files\SpywareGuard\sgbhp.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe C:\WINDOWS\System32\HPZipm12.exe C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe C:\Documents and Settings\Dale T. Brown\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe C:\Program Files\America Online 8.0\waol.exe C:\Program Files\America Online 8.0\shellmon.exe --------------------- Listing of startup folders: Shell folders Startup: [C:\Documents and Settings\Dale T. Brown\Start Menu\Programs\Startup] SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe Shell folders Common Startup: [C:\Documents and Settings\All Users\Start Menu\Programs\Startup] America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe Microsoft Works Calendar Reminders.lnk = ? officejet 6100.lnk = ? --------------------- Checking Windows NT UserInit: [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] UserInit = C:\WINDOWS\system32\userinit.exe, --------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Works Portfolio = C:\Program Files\Microsoft Works\WksSb.exe /AllUsers MoneyStartUp10.0 = "C:\Program Files\Microsoft Money\System\Activation.exe" Share-to-Web Namespace Daemon = C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe NvCplDaemon = RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup WorksFUD = C:\Program Files\Microsoft Works\wkfud.exe TrojanScanner = C:\Program Files\Trojan Remover\Trjscan.exe nwiz = nwiz.exe /install --------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce washindex = C:\Program Files\Washer\washidx.exe "Dale T. Brown" --------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background NvMediaCenter = RUNDLL32.exe C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit bestiality-movies[1] = c:\windows\bestiality-movies[1].exe -m --------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce washindex = C:\Program Files\Washer\washidx.exe --------------------- Enumerating Active Setup stub paths: HKLM\Software\Microsoft\Active Setup\Installed Components (* = disabled by HKCU twin) [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP [>{26923b43-4d38-484f-9b9e-de460746276c}] * StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] * StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] * StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll [{306D6C21-C1B6-4629-986C-E59E1875B8AF}] StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] * StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install [{7790769C-0471-11d2-AF11-00C04FA35D02}] * StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install [{89820200-ECBD-11cf-8B85-00AA005B4340}] * StubPath = regsvr32.exe /s /n /i:U shell32.dll [{89820200-ECBD-11cf-8B85-00AA005B4383}] * StubPath = %SystemRoot%\system32\ie4uinit.exe --------------------- Shell & screensaver key from C:\WINDOWS\SYSTEM.INI: Shell=*INI section not found* SCRNSAVE.EXE=*INI section not found* drivers=*INI section not found* Shell & screensaver key from Registry: Shell=Explorer.exe SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr drivers=*Registry value not found* Policies Shell key: HKCU\..\Policies: Shell=*Registry key not found* HKLM\..\Policies: Shell=*Registry value not found* --------------------- Checking for EXPLORER.exe instances: C:\WINDOWS\Explorer.exe: PRESENT! C:\Explorer.exe: not present C:\WINDOWS\Explorer\Explorer.exe: not present C:\WINDOWS\System\Explorer.exe: not present C:\WINDOWS\System32\Explorer.exe: not present C:\WINDOWS\Command\Explorer.exe: not present C:\WINDOWS\Fonts\Explorer.exe: not present --------------------- Checking for superhidden extensions: .lnk: HIDDEN! (arrow overlay: yes) .pif: HIDDEN! (arrow overlay: yes) .exe: not hidden .com: not hidden .bat: not hidden .hta: not hidden .scr: not hidden .shs: HIDDEN! .shb: HIDDEN! .vbs: not hidden .vbe: not hidden .wsh: not hidden .scf: HIDDEN! (arrow overlay: NO!) .url: HIDDEN! (arrow overlay: yes) .js: not hidden .jse: not hidden --------------------- Enumerating Browser Helper Objects: SpywareGuard Download Protection - C:\Program Files\SpywareGuard\dlprotect.dll - {4A368E80-174F-4872-96B5-0B27DDD11DB2} --------------------- Enumerating Task Scheduler jobs: FRU Task #Hewlett-Packard#hp psc 2200 series#1043622599.job --------------------- Enumerating Download Program Files: [iNotes Class] InProcServer32 = C:\WINDOWS\DOWNLO~1\inotes.dll CODEBASE = https://mservices.mckinsey.com/iNotes.cab [Downloader Class] InProcServer32 = C:\WINDOWS\Downloaded Program Files\ida.dl_ CODEBASE = http://www.shop.intuit.com/store/executables/ie/IDA.cab [Update Class] InProcServer32 = C:\WINDOWS\System32\iuctl.dll CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37844.792037037 [Shockwave Flash Object] InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab --------------------- Enumerating Windows NT/2000/XP services AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart) Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) C-DillaCdaC11BA: C:\WINDOWS\System32\drivers\CDAC11BA.exe (autostart) CdaC15BA: \??\C:\WINDOWS\System32\drivers\CdaC15BA.SYS (autostart) Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart) DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart) Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Event Log: %SystemRoot%\system32\services.exe (autostart) Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) HkServer Service by KeRneL: System32\Drivers\krnlldfy.sys (autostart) Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart) mdmxsdk: System32\DRIVERS\mdmxsdk.sys (autostart) Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart) Plug and Play: %SystemRoot%\system32\services.exe (autostart) IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart) Protected Storage: %SystemRoot%\system32\lsass.exe (autostart) Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart) Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart) Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart) Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart) Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart) System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart) SvcSrv: C:\WINDOWS\System32\prndrvgar.dll (autostart) Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart) Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Windows Time: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart) WAN Miniport (ATW) Service: "C:\WINDOWS\wanmpsvc.exe" (autostart) WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart) Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart) Portable Media Serial Number: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart) Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart) --------------------- Enumerating ShellServiceObjectDelayLoad items: PostBootReminder: C:\WINDOWS\system32\SHELL32.dll CDBurn: C:\WINDOWS\system32\SHELL32.dll WebCheck: C:\WINDOWS\System32\webcheck.dll SysTray: C:\WINDOWS\System32\stobject.dll --------------------- End of report, 12,126 bytes Report generated in 0.094 seconds Command line options: /verbose - to add additional info on each section /complete - to include empty sections and unsuspicious data /full - to include several rarely-important sections /force9x - to include Win9x-only startups even if running on WinNT /forcent - to include WinNT-only startups even if running on Win9x /forceall - to include all Win9x and WinNT startups, regardless of platform /history - to list version history only

0

Hi Dale Brown, Darn, well lets try again. Could you post the HijackThis logfile instead as it is easier to look at? ------------------- Also wondering if turning off or turning on Windows XP System Restore would solve the problem. http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039 System Restore, a Windows XP feature, is similar to the "Last Known Good Configuration" in Windows NT and Windows 2000. You can use System Restore to restore the computer to a previous state, using the backups that it makes of selected system files and program files. However, "Last Known Good Configuration" restores the computer back to the last state that Windows determines might work, whereas System Restore gives you a choice of previous states to restore the computer to. That is, System Restore maintains multiple restore points instead of one last restore point. While this is a desirable feature, in some cases it should be temporarily turned off. For example, if the computer is infected with a virus, then it is possible that the virus could be backed up by System Restore. By default, Windows prevents System Restore from being modified by outside programs. As a result, there is the possibility that you could restore a virus-infected file, or that the on-line scanners would detect the virus in that location. Turning off System Restore will clear out all previous restore points.

0

please look at this and tell me if there is any spyware present Logfile of HijackThis v1.96.1 Scan saved at 8:42:40 PM, on 8/20/2003 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\Ati2evxx.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\Explorer.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\System32\CTHELPER.exe C:\Program Files\Logitech\iTouch\iTouch.exe C:\WINDOWS\System32\pctspk.exe C:\WINDOWS\System32\devldr32.exe C:\Program Files\NetZero\zCast.exe C:\Program Files\NetZero\chkras.exe C:\Program Files\Internet Explorer\iexplore.exe C:\PROGRA~1\WINZIP\winzip32.exe C:\unzipped\hijackthis\HijackThis.exe C:\Program Files\Messenger\msmsgs.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.netzero.net/s/sp?cf=homebutton R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = netzero.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [SystemTray] SysTray.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.exe O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.exe O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/patch/EARTPX.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37800.7725925926 O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/patch/MaxisSimCity4PatcherX.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{E0734A99-D482-4643-87CB-1CD9BA236B6A}: NameServer = 64.136.20.121 64.136.20.133

0

Hi frank34, You have a clean logfile :>) Mark

0

Logfile of HijackThis v1.96.1 Scan saved at 19:52:23, on 21/08/03 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.exe C:\WINDOWS\SYSTEM\MPREXE.exe C:\WINDOWS\SYSTEM\mmtask.tsk C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.exe C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.exe C:\WINDOWS\EXPLORER.exe C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.exe C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.exe C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\WEBSCANX.exe C:\WINDOWS\TASKMON.exe C:\WINDOWS\SYSTEM\SYSTRAY.exe C:\WINDOWS\SYSTEM\IRMON.exe C:\WINDOWS\MHOTKEY.exe C:\WINDOWS\SYSTEM\SISTRAY.exe C:\WINDOWS\SYSTEM\KHOOKER.exe C:\WINDOWS\IRXFER.exe C:\WINDOWS\SYSTEM\CHTVINIT.exe C:\WINDOWS\SYSTEM\DDHELP.exe C:\PROGRAM FILES\APOINT\APOINT.exe C:\WINDOWS\SYSTEM\SISSWLED.exe C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.exe C:\WINDOWS\SYSTEM\SPOOL32.exe C:\PROGRAM FILES\APOINT\APWHEEL.exe C:\WINDOWS\SYSTEM\E_S10IC2.exe C:\WINDOWS\SYSTEM\WMIEXE.exe C:\SPYPROTECTION\HIJACKTHIS.exe O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [SystemTray] SysTray.exe O4 - HKLM\..\Run: [IrMon] IrMon.exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [CHotKey] mHotkey.exe O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM\SISTRAY.exe O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe O4 - HKLM\..\Run: [ChrontelInitTV] CHTVINIT.exe O4 - HKLM\..\Run: [AlpsPoint] C:\Progra~1\Apoint\Apoint.exe O4 - HKLM\..\Run: [SiSSWLED] C:\WINDOWS\SYSTEM\sisswled.exe O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.exe O4 - Startup: Acrobat Assistant.lnk = ? O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.exe O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O9 - Extra button: Freeserve (HKCU) O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll O12 - Plugin for .pif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com Is that clean? I've cleaned off as instructed, thanks instructors.

0

Hi Sunshine_Superman, Everything looks okay to me :>) ------------------ Is Freeserve your Internet Provider? If NOT you can fix these also. The only reason I ask is the URL http://www.freeserve.com resolves, but nothing is displayed on the page. O9 - Extra button: Freeserve (HKCU) O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com Do you want to keep this Start Page (Displays in "Internet Options/General/Home Page")? If you fix this entry, you will be able to change it to something else like “http://www.google.com/” for example. ------------------ Make sure you have all security updates. MSIE: Internet Explorer v6.00 - is currently at SP1 Do reboot after fixing anything with HijackThis.

0

hi i know i have problems please help me get rid of what my bro did to my computer. Logfile of HijackThis v1.96.1 Scan saved at 8:02:23 PM, on 8/20/2003 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\System32\devldr32.exe C:\WINDOWS\System32\CTHELPER.exe C:\WINDOWS\System32\P2P Networking\P2P Networking.exe C:\Program Files\Ahead\InCD\InCD.exe C:\Program Files\ISTsvc\istsvc.exe C:\unzipped\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=129193 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=129193 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=129193 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank O1 - Hosts: 193.125.201.50 msn.com O1 - Hosts: 193.125.201.50 search.msn.com O1 - Hosts: 193.125.201.50 auto.search.msn.com O1 - Hosts: 193.125.201.46 thehun.net O1 - Hosts: 193.125.201.46 www.thehun.net O1 - Hosts: 193.125.201.46 thehun.com O1 - Hosts: 193.125.201.46 www.thehun.com O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [SystemTray] SysTray.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINDOWS\System\WinStart001.exe -b O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.exe O4 - HKLM\..\Run: [DevconDefaultDB] C:\WINDOWS\READREG /PSCONV={NO} /NO_DEFPS O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O9 - Extra button: Real.com (HKLM) O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/patch/EARTPX.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37780.3589351852 O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/patch/MaxisSimCity4PatcherX.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

0

Hi together, I also have the problem with this "hardloved" url and I can`t see it any more. Please tell me what I can do! Here is for example the adress shown in the adress bar after writing "http://www.munic-airport.de" in it: http://www.internet-optimizer.com/Help/NavigationError/?e=ERRDNS&u=http%3A//vrape.hardloved.com/top/top.php%3Fid%3D0%26search%3Dwww.munic-airport.de Thank you very much! And this is my hijackthis logfile: Logfile of HijackThis v1.96.1 Scan saved at 00:24:55, on 22.08.2003 Platform: Windows XP (WinNT 5.01.2600) MSIE: Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Programme\Gemeinsame Dateien\EPSON\EBAPI\SAgent2.exe C:\PROGRA~1\Iomega\System32\ActivityDisk.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\System32\Winkqo.exe C:\WINDOWS\Explorer.exe C:\HP\KBD\KBD.exe C:\Programme\Real\RealPlayer\RealPlay.exe C:\Programme\Iomega\DriveIcons\ImgIcon.exe C:\WINDOWS\System32\qttask.exe C:\PROGRA~1\0190WA~1\WARN0190.exe C:\Programme\Internet Explorer\iexplore.exe C:\Program Files\Internet Optimizer\optimize.exe C:\Dokumente und Einstellungen\B_Johann Vogt\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766} R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766} R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/ R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766} R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766} R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adulthyperlinks.com/favorites/8 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766} R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766} R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766} R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766} R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766} R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing) O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOKUME~1\A_MANF~1\LOKALE~1\Temp\msogpl.dll (file missing) O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem214.dll O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem212.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programme\Microsoft Works\WkDetect.exe O4 - HKLM\..\Run: [RealTray] C:\Programme\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [Iomega Startup Options] C:\Programme\Iomega\Common\ImgStart.exe O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Programme\Iomega\DriveIcons\ImgIcon.exe O4 - HKLM\..\Run: [SuperHeiss] c:\program files\dialers\superheiss\superheiss.exe /noconnect O4 - HKLM\..\Run: [KAZAA] C:\Dokumente und Einstellungen\All Users\Dokumente\Morpheus.exe /SYSTRAY O4 - HKLM\..\Run: [Super_Heiss] c:\program files\dialers\super_heiss\super_heiss.exe /noconnect O4 - HKLM\..\Run: [deupdchk] C:\WINDOWS\Dialer\_x-Finder.exe ! O4 - HKLM\..\Run: [FreeRAM XP] "C:\DOKUME~1\A_MANF~1\LOKALE~1\Temp\FreeRAM XP Pro 1.1.exe" -win O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\winv.exe O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe" O4 - HKLM\..\Run: [IST Service] C:\Programme\ISTsvc\istsvc.exe O4 - HKLM\..\Run: [SysPnP] rundll32 setupapi,InstallHinfSection OemVideoPnP 128 oemsyspnp.inf O4 - HKLM\..\Run: [0190 Warner] C:\PROGRA~1\0190WA~1\WARN0190.exe O4 - HKLM\..\Run: [TeenXXX] C:\WINDOWS\Dialer\pdialer.exe !m O4 - HKCU\..\Run: [14-0-0-100[1]] c:\windows\14-0-0-100[1].exe -m O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: AOL 7.0 Tray-Symbol.lnk = C:\Programme\AOL 7.0\aoltray.exe O4 - Global Startup: Microsoft Office Shortcut-Leiste.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\neuer\Office\OSA9.exe O9 - Extra button: Net2Phone (HKLM) O9 - Extra 'Tools' menuitem: Net2Phone (HKLM) O9 - Extra button: Recherche-Assistent (HKLM) O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O9 - Extra button: Real.com (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM) O13 - DefaultPrefix: http://vrape.hardloved.com/top/top.php?id=0&search= O13 - WWW Prefix: http://vrape.hardloved.com/top/top.php?id=0&search= O17 - HKLM\System\CCS\Services\Tcpip\..\{5EEF43DD-1835-4A14-ABFE-05825DAE5A89}: NameServer = 62.104.191.241 62.104.196.134 O17 - HKLM\System\CS1\Services\Tcpip\..\{5EEF43DD-1835-4A14-ABFE-05825DAE5A89}: NameServer = 62.104.191.241 62.104.196.134 Thank you very much for helping!

0

HI nas22, Run an updated Spybot Search and Destroy ( http://security.kolla.de/ ) and fix all items in RED and reboot. Then after closing all browser windows, fix the items listed below that are remaining using HijackThis and then reboot again. R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=129193 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=129193 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=129193 O1 - Hosts: 193.125.201.50 msn.com O1 - Hosts: 193.125.201.50 search.msn.com O1 - Hosts: 193.125.201.50 auto.search.msn.com O1 - Hosts: 193.125.201.46 thehun.net O1 - Hosts: 193.125.201.46 www.thehun.net O1 - Hosts: 193.125.201.46 thehun.com O1 - Hosts: 193.125.201.46 www.thehun.com O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINDOWS\System\WinStart001.exe –b From IGetNet - turns the IE address bar into a keyword engine piped into IGetNet. In other words, with this installed, typing "car" in the IE address bar will point the browser to the Lexus web site. Foistware - installs components without your knowledge – See http://217.115.153.73/parasite/IGetNet.html O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe ISTBar foistware – See http://www.doxdesk.com/parasite/ISTbar.html After reboot then delete the following: The file WinStart001.exe at C:\WINDOWS\System\WinStart001.exe The folder ISTsvc at C:\Program Files\ISTsvc -------------- For the future see: So how did I get infected in the first place? http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 Four of the most recommended anti-spyware programs are SpywareBlaster and SpywareGuard and Spybot S&D and Ad-aware. If you install all four programs, keep them updated, and scan with Spybot S&D and Ad-aware periodically, you will be fairly well-protected from spyware. Thought I would mention that SpywareGuard includes a browser hijack stopper (Javacool calls it Browser Hijack Blaster) that protects your system from browser hijackers and spyware that alters your Internet Explorer settings. Good Luck!

0

Hi John, Run an updated Spybot Search and Destroy ( http://security.kolla.de/ ) and fix all items in RED and reboot. Then after closing all browser windows, fix the items listed below that are remaining using HijackThis and then reboot again. R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766} R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766} R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766} R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766} R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adulthyperlinks.com/favorites/8 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766} R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766} R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766} R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766} R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766} R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (file missing) O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\DOKUME~1\A_MANF~1\LOKALE~1\Temp\msogpl.dll (file missing) O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem214.dll MoneyTree/DyFuCa - See http://www.doxdesk.com/parasite/MoneyTree.html O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem212.dll Dyfuca/Internet Optimizer - See http://www.doxdesk.com/parasite/InternetOptimizer.html O4 - HKLM\..\Run: [SuperHeiss] c:\program files\dialers\superheiss\superheiss.exe /noconnect Dialer O4 - HKLM\..\Run: [Super_Heiss] c:\program files\dialers\super_heiss\super_heiss.exe /noconnect Dialer O4 - HKLM\..\Run: [deupdchk] C:\WINDOWS\Dialer\_x-Finder.exe ! Dialer - Disconnects and redials an ISP modem to an adult content site O4 - HKLM\..\Run: [IST Service] C:\Programme\ISTsvc\istsvc.exe ISTBar foistware – See http://www.doxdesk.com/parasite/ISTbar.html O4 - HKLM\..\Run: [TeenXXX] C:\WINDOWS\Dialer\pdialer.exe !m Dialer O13 - DefaultPrefix: http://vrape.hardloved.com/top/top.php?id=0&search= O13 - WWW Prefix: http://vrape.hardloved.com/top/top.php?id=0&search= After reboot then delete the following: The folder dialers at c:\program files\dialers The folder ISTsvc at C:\Programme\ISTsvc The folder Dialer at C:\WINDOWS\Dialer I think that the string c:\program files\dialers may have been created by a Trojan. I also see you do not have a resident Anti-Virus, you should install one You may have Viruses/Trojans. Even if you installed a resident Anti-Virus program (they do have some Trojan detection) they are not in the Anti-Trojan business. I recommend either Trojanhunter or TDS-3 (both have thirty day trials) Also try an online AV scanner such as - Panda ActiveScan http://www.pandasoftware.es/activescan/activescan-com.asp - Trend Micro Housecall http://housecall.antivirus.com/ Recommend Panda ActiveScan first, Trend HouseCall second, as the two best online scans, in that order. They may detect and remove other Viruses/Trojans also. No one program finds everything. -------------- Recommend updating (and installing all security updates) the following: Platform: Windows XP is currently at SP1 MSIE: Internet Explorer is currently at v6.00 SP1 -------------- Questions on these entries: O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\winv.exe I don’t like this entry. I am not at all sure that “winv.exe” is associated with Windows Update. (Everything I find is in German, and does not translate correctly). O4 - HKLM\..\Run: [0190 Warner] C:\PROGRA~1\0190WA~1\WARN0190.exe Is this some kind of dialer prevention program? If not I would fix this also. (Everything I find is in German) O4 - HKCU\..\Run: [14-0-0-100[1]] c:\windows\14-0-0-100[1].exe -m Unknown – Do you know what this is? If not I would fix this also. (I do not find anything.) -------------- For a virually spyware free future see: So how did I get infected in the first place? http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 Four of the most recommended anti-spyware programs are SpywareBlaster and SpywareGuard and Spybot S&D and Ad-aware. If you install all four programs, keep them updated, and scan with Spybot S&D and Ad-aware periodically, you will be fairly well-protected from spyware. Thought I would mention that SpywareGuard includes a browser hijack stopper (Javacool calls it Browser Hijack Blaster) that protects your system from browser hijackers and spyware that alters your Internet Explorer settings. Good Luck!

0

Hello; Do I need to stop this process? Is it a trojan? Thanks. rundll32.exe irprops.cpl BluetoothAuthenticationAgent

0

hi again everyone after fixing the browser hijack problems i seem to be having a new problem, anytime i click a link, the vrape search engine is used, its not causing problems but im afraid that i may have gotten hijacked again, here is my logfile. Logfile of HijackThis v1.96.2 Scan saved at 18:49:12, on 27/08/2003 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Norton Internet Security\NISUM.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Norton Internet Security\ccPxySvc.exe C:\WINDOWS\system32\cisvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\wanmpsvc.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\System32\sistray.exe C:\WINDOWS\System32\khooker.exe C:\WINDOWS\SOUNDMAN.exe C:\Program Files\Apoint2K\Apoint.exe C:\WINDOWS\LTSMMSG.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\PROGRA~1\DAP\DAP.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\MSN Messenger\MsnMsgr.exe C:\Program Files\Apoint2K\Apntex.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\cidaemon.exe C:\Program Files\GameSpy Arcade\aphex.exe C:\Program Files\Teamspeak\TeamSpeak.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\ICQ\ICQ.exe C:\WINDOWS\regedit.exe C:\WINDOWS\Browser protection\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lfc.tv/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://out.true-counter.com/a/?100 (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://out.true-counter.com/b/?100 (obfuscated) R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ewebsearch.net/sp.htm R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://out.true-counter.com/b/?100 (obfuscated) R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://vrape.hardloved.com/top/search.php?id=1&s= R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://mommykiss.com/search.html R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mommykiss.com/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.alltheweb.com/search?q=%s R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.ewebsearch.net/ O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINDOWS\winshow.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.exe O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQNet.exe O4 - HKLM\..\Run: [sys] regedit /s sys.reg O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.exe /STARTUP O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background O4 - Global Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm O9 - Extra button: ICQ Pro (HKLM) O9 - Extra 'Tools' menuitem: ICQ (HKLM) O9 - Extra button: Run DAP (HKLM) O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O9 - Extra button: Real.com (HKLM) O9 - Extra button: MoneySide (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Messenger (HKLM) O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O13 - DefaultPrefix: http://vrape.hardloved.com/top/search.php?id=1&s= O13 - WWW Prefix: http://vrape.hardloved.com/top/search.php?id=1&s= O17 - HKLM\System\CCS\Services\Tcpip\..\{BC8F835A-6957-4F90-8F39-69AE172BC014}: NameServer = 194.168.4.100 194.168.8.100 O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp Any help would be appreciated, thanks in advance. :) PS the MSN search engine never seems to be able to find the address i type in the address bar, again any help would be appreciated.

0