| Thread ID: 76013 | 2007-01-17 21:40:00 | Help needed to remove hijacked address bar | Emsley (9394) | Press F1 |
Post 517013 | 2007-01-17 21:40:00 | Emsley (9394)

Hi (Thanks for replies)

Below is the log file after running HijackThis. I have a very hard to get rid of address bar which has hijacked my system. Can someone who knows what they are doing examine this log file and tell me what I can/should do to win my computer's heart back?

Thanks
Chris

Logfile of HijackThis v1.99.1
Scan saved at 10:32:29 a.m., on 18/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\issearch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\CEZEO software\Disk Redactor\DiskRedactor.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Chris.Emsley\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: (no name) - {20320E01-A184-976E-0770-D1C356DE6436} - syspanel.dll (file missing)
R3 - URLSearchHook: (no name) - {C86DE9AF-0C2F-2F6D-3EA8-A68A7F8D433F} - atl_helper.dll (file missing)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: Zero Popup Pro - {EB23F789-F17F-4bcc-988B-6B70A3A67E9C} - C:\PROGRA~1\ZEROPO~1\ZERO-P~1.DLL
O2 - BHO: (no name) - {f4d74aaa-a178-4463-846b-b4bc87a024e0} - C:\WINDOWS\system32\ixt0.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Safety Bar - {18668683-731c-48fa-b1b9-ad013748fb00} - C:\Program Files\Safety Bar\SafetyBar.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Dest068] slamm.exe
O4 - HKLM\..\Run: [corrida] prgsys0984.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [atl_helper] iehelper.exe
O4 - HKLM\..\Run: [FLKPT] cmon14.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [dmoxv.exe] C:\WINDOWS\system32\dmoxv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\RunServices: [IPTable Configuration] winipcfgs.exe
O4 - HKLM\..\RunServices: [Microsoft--Updates] sxvhost.exe
O4 - HKLM\..\RunServices: [Micro Update] dailin.exe
O4 - HKLM\..\RunServices: [Microsoft IT Update] windowss.exe
O4 - HKLM\..\RunServices: [Micr Update] soundblaster.exe
O4 - HKLM\..\RunServices: [Microsoft Update] muamgrd.exe
O4 - HKLM\..\RunServices: [System Startup] voltio.exe
O4 - HKLM\..\RunServices: [System Uptime Server] sysentry.exe
O4 - HKLM\..\RunServices: [Microsoft Internet Services] smss32.exe
O4 - HKLM\..\RunServices: [Auto Update Client] auclt.exe
O4 - HKLM\..\RunServices: [netservices] recall.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Dllhandler] bitpaint.exe
O4 - HKLM\..\RunServices: [Microsofts media] wingtp.exe
O4 - HKLM\..\RunServices: [scvhosts] scvhosts.exe
O4 - HKLM\..\RunServices: [Windows Monitor] winmon.exe
O4 - HKLM\..\RunServices: [Windows Update Monitoring Service] winupdt.exe
O4 - HKLM\..\RunServices: [wvsvc] wvsvc.exe
O4 - HKLM\..\RunServices: [Internet Services] Internet.exe
O4 - HKLM\..\RunServices: [OEM32 Tools] sres32.exe
O4 - HKLM\..\RunServices: [Windows logging] winlogd.exe
O4 - HKLM\..\RunServices: [Microsoft Automatic Updater] Explorer.exe
O4 - HKLM\..\RunServices: [Windows Update Auto Update] wuaumgr.exe
O4 - HKCU\..\Run: [IPTable Configuration] winipcfgs.exe
O4 - HKCU\..\Run: [Microsoft IT Update] windowss.exe
O4 - HKCU\..\Run: [Micr Update] soundblaster.exe
O4 - HKCU\..\Run: [System Startup] voltio.exe
O4 - HKCU\..\Run: [Win32 USB2.0 Driver] w32usb2.exe
O4 - HKCU\..\Run: [netservices] recall.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows Monitor] winmon.exe
O4 - HKCU\..\Run: [wvsvc] wvsvc.exe
O4 - HKCU\..\Run: [Internet Services] Internet.exe
O4 - HKCU\..\Run: [OEM32 Tools] sres32.exe
O4 - HKCU\..\Run: [Windows logging] winlogd.exe
O4 - HKCU\..\Run: [NvCplScan] winasp.exe
O4 - HKCU\..\Run: [Windows Update Auto Update] wuaumgr.exe
O4 - HKCU\..\Run: [abrek] ssweeper.exe
O4 - HKCU\..\Run: [XTermInit] bhoserv.exe
O4 - HKCU\..\Run: [34763] sound64.exe
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [ssweeper] jopplerg.exe
O4 - HKCU\..\Run: [killall] driver32.exe
O4 - HKCU\..\Run: [***CTF] media64.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [FreeRAM XP] "C:\DOCUME~1\CHRIS~1.EMS\LOCALS~1\Temp\Temporary Directory 2 for framxpro.zip\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunServices: [Windows Monitor] winmon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - www.musicnotes.com
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - gamingzone.ubisoft.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - update.microsoft.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - update.microsoft.com
O16 - DPF: {8E45CC42-01AF-4471-B047-2DDA750C4979} (BBWebOfficeIntegration.BBWebOfficeInt) - reweb.leprosymission.org.nz
O16 - DPF: {91276C41-48A5-11D4-A6B0-00C04F29D748} (BBWebRTF.RTF) - mail.leprosymission.org.nz
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - messenger.msn.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tlmnz.local
O17 - HKLM\Software\..\Telephony: DomainName = tlmnz.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{13F92E94-171D-4DAD-8573-0DD93B369F74}: NameServer = 85.255.115.46,85.255.112.230
O17 - HKLM\System\CCS\Services\Tcpip\..\{5090DCC5-96AB-4A74-BE33-305F9EF5173B}: NameServer = 85.255.115.46,85.255.112.230
O17 - HKLM\System\CCS\Services\Tcpip\..\{809F70D0-9E03-46D5-B7D5-62A05F9EE7E5}: NameServer = 85.255.115.46 85.255.112.230
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB1E19BD-3DB4-4DB2-97BC-C6822C18C6E5}: NameServer = 85.255.115.46,85.255.112.230
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tlmnz.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.46 85.255.112.230
O17 - HKLM\System\CS1\Services\Tcpip\..\{13F92E94-171D-4DAD-8573-0DD93B369F74}: NameServer = 85.255.115.46,85.255.112.230
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.46 85.255.112.230
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O21 - SSODL: eupeptic - {8670ee50-01f9-47da-ac1e-cf8549e9e521} - (no file)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Post 517014 | 2007-01-17 21:59:00 | Speedy Gonzales (78)

There's too many entries to delete. I suggest you get Trojan Remover (dl.filekicker.com) from here (www.simplysup.com). Make sure Trojan Remover is updated. Click on update to do this. Install it, run it, click on scan. Delete anything it picks up. Then go to the utils menu / select the 3rd-7th option.

You're covered in trojans and worms, and should get Trojan Remover, do the above and then get off the net until Trojan Remover removes / deletes the entries in startup. Most of those files running in startup belong to trojans and worms, and 1 looks like it belongs to Back Orifice, which is a backdoor / remote access trojan.
Post 517015 | 2007-01-17 23:57:00 | Pancake (6359)

You are in one heck of a mess.... here are a few more things that you will need to help you get cleaned.....

Download FixWareout (downloads.subratam.org/Fixwareout.exe)

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items:

O17 - HKLM\System\CCS\Services\Tcpip\..\{13F92E94-171D-4DAD-8573-0DD93B369F74}: NameServer = 85.255.115.46,85.255.112.230
O17 - HKLM\System\CCS\Services\Tcpip\..\{5090DCC5-96AB-4A74-BE33-305F9EF5173B}: NameServer = 85.255.115.46,85.255.112.230
O17 - HKLM\System\CCS\Services\Tcpip\..\{809F70D0-9E03-46D5-B7D5-62A05F9EE7E5}: NameServer = 85.255.115.46 85.255.112.230
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB1E19BD-3DB4-4DB2-97BC-C6822C18C6E5}: NameServer = 85.255.115.46,85.255.112.230
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tlmnz.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.46 85.255.112.230
O17 - HKLM\System\CS1\Services\Tcpip\..\{13F92E94-171D-4DAD-8573-0DD93B369F74}: NameServer = 85.255.115.46,85.255.112.230
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.46 85.255.112.230

Should you have problems connecting to the internet after the fix, follow these instructions. Please go to Start -> Control Panel -> Network Connections. Right-click on your default connection (usually Local Area Connection or Dial-up Connection if you are using Dial-up) and left-click on Properties. Double-click on the Internet Protocol (TCP/IP) item and select the button that says "Obtain DNS servers automatically". Click OK twice, and restart your computer.

==================================

Please download DrWeb-CureIt (ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe) & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" (www.bleepingcomputer.com/forums/tutorial61.html) using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear. Under "Start the Express Scan Now", click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
Once the short scan has finished, click Options > Change settings. Choose the "Scan tab" and UNcheck "Heuristic analysis".
Back at the main window, click "Select drives" (a red dot will show which drives have been chosen). Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
When done, a message will be displayed at the bottom advising if any viruses were found. Click "Yes to all" if it asks if you want to cure/move the file.
When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable". (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
Next, in the Dr.Web CureIt menu on top, click file and choose save report list. Save the DrWeb.csv report to your desktop. Exit Dr.Web CureIt when done.

Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)
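As an added example (not code from the thread or from any of the tools named in it), the two findings the replies act on can be pulled out of a HijackThis log mechanically: O17 NameServer entries pointing at resolvers outside the site's own network, and O4 Run/RunServices values that launch a bare file name with no path. The sample lines are constructed from entries in the posted log; the `trusted` resolver set is an assumption the caller supplies.

```python
"""Triage a HijackThis log for the two findings the replies above act on:
O17 NameServer entries pointing at untrusted public resolvers, and O4
autoruns that launch a bare file name with no path. Added example, not
code from the thread; sample lines are constructed from shapes in the
posted log, and the trusted-resolver set is an assumption."""
import ipaddress
import re

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>[\d.,\s]+)$")
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Constructed sample echoing entries from the posted log (both O17 separators appear).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [Microsoft Update] muamgrd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [netservices] recall.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tlmnz.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{13F92E94-171D-4DAD-8573-0DD93B369F74}: NameServer = 85.255.115.46,85.255.112.230
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.46 85.255.112.230
""".strip().splitlines()


def dns_hijacks(lines, trusted=frozenset()):
    """(registry key, [suspect servers]) per O17 NameServer entry. A server is
    suspect when it is neither in `trusted` nor RFC 1918 private: a domain-joined
    box (Domain = tlmnz.local) resolving through public IPs is the DNS-changer
    signature the FixWareout step removes. HijackThis writes the server list
    with ',' or ' ' as separator, so both are accepted."""
    hits = []
    for line in lines:
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
        suspect = [s for s in servers
                   if s not in trusted and not ipaddress.ip_address(s).is_private]
        if suspect:
            hits.append((m.group("key"), suspect))
    return hits


def pathless_autoruns(lines):
    """(hive, key, value name, exe) for O4 Run/RunServices entries whose command
    has no drive or directory. Real autoruns carry a full path; a bare
    'muamgrd.exe' under a Microsoft-sounding name is the pattern repeated
    dozens of times in the posted log."""
    hits = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        parts = m.group("cmd").strip().lstrip('"').split()
        if parts and "\\" not in parts[0] and ":" not in parts[0]:
            hits.append((m.group("hive"), m.group("key"), m.group("name"), parts[0]))
    return hits
```

Feeding the full posted log to these two functions reproduces the O17 list Pancake asks to have fixed and the long run of fake "update" services Speedy Gonzales points at.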