View Full Version : ran hjt can someone look plz
jvegas
05-04-2004, 01:39 PM
thanks
Logfile of HijackThis v1.97.7
Scan saved at 11:31:36 AM, on 5/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Kazaa\kazaa.exe
C:\Program Files\DownloadWare\dw.exe
C:\Program Files\DelFin\PromulGate\PgMonitr.exe
C:\Program Files\Winamp3\winampa.exe
C:\WINDOWS\msbb.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Omnibook\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.ieplugin.com/q.cgi?q=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {136A9D1D-1F4B-43D4-8359-6F2382449255} - C:\Program Files\Internet Explorer\PLUGINS\SuperBar\SuperBar.dll
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_22.dll
O2 - BHO: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll
O3 - Toolbar: SuperBar - {FAAFB9DE-79EE-4D3B-88C0-EBF818F6128A} - C:\Program Files\Internet Explorer\PLUGINS\SuperBar\SuperBar.dll
O3 - Toolbar: Intelligent Explorer - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
O4 - HKLM\..\Run: [FSW] C:\Program Files\FSW\FSW.EXE
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\\winampa.exe"
O4 - HKLM\..\Run: [msbb] C:\WINDOWS\msbb.exe
O4 - HKLM\..\Run: [FMTH] C:\WINDOWS\FMTH.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Image Transfer.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: IMI (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: Win32 Classes -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
classicsoftware
05-04-2004, 02:24 PM
I am pretty new at this. But it seems you have installed Kazza and it is loaded with gackware. I would
1) Un-Install Kazaa using Kazaabegone (http://www.majorgeeks.com/download.php?det=3446)
2) Download and Install Adaware (http://www.lavasoft.de/support/download/) and Spybot Seacrh & Destroy (http://download.com.com/3000-8022-10194058.html?tag=lst-0-2). Update the definitions and scan the system. Fix what they tell you.
3) Run Hijack this and re-post your log.
Budfred
05-04-2004, 11:28 PM
You have a bit of a mess here.... Please do NOT run KazaaBegone until we clean some of this up, it could cause you to lose the ability to access webpages and email... This is because you have NewDotNet... This is considered an optional fix, but it is usually installed without your knowledge and it is very strongly recommended to remove it... Go here for instructions on how to remove it:
http://www.newdotnet.com/#remove
Even before that, you may want to download and run CWShredder, it is in my links below.... After you set it up, ask it to FIX....
Before we move on to HijackThis: To start, please extract HijackThis to a permanent folder such as C:\Documents or one you create like C:\HJT. You are running it from a temp folder which means we won't be able to restore any changes made...
After you do this, reboot and run ONLY HJT.. mark/fix these:
O2 - BHO: (no name) - {136A9D1D-1F4B-43D4-8359-6F2382449255} - C:\Program Files\Internet Explorer\PLUGINS\SuperBar\SuperBar.dll
O2 - BHO: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll
O3 - Toolbar: SuperBar - {FAAFB9DE-79EE-4D3B-88C0-EBF818F6128A} - C:\Program Files\Internet Explorer\PLUGINS\SuperBar\SuperBar.dll
O3 - Toolbar: Intelligent Explorer - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\systb.dll
O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
O4 - HKLM\..\Run: [FSW] C:\Program Files\FSW\FSW.EXE
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [msbb] C:\WINDOWS\msbb.exe
O16 - DPF: Win32 Classes -
Unless you know what this is and that it is safe, find it and check Properties to see if you can identify it. If you don't recognize it, change the extension to BAK so it won't run on reboot... We may need to delete it later, but post what you find in Properties:
O4 - HKLM\..\Run: [FMTH] C:\WINDOWS\FMTH.exe
Then reboot into Safe Mode and remove these. Check in Add/Remove Programs and remove there is you find them, otherwise just find and delete them. You may have to have WinXP set to show hidden files to find them:
C:\Program Files\DownloadWare\dw.exe (the folder)
C:\Program Files\DelFin\PromulGate\PgMonitr.exe (the folder)
C:\WINDOWS\msbb.exe
After all of this, it would be a good time to run KazaaBegone and get rid of the filth farm, unless you like dealing with this garbage anyway... You can find safer options here if you really want to do file sharing:
http://www.spywareinfo.com/articles/p2p/
After all of this, please reboot and post a fresh log so we can make sure it is all cleaned up....
jvegas
05-06-2004, 01:07 PM
heres my new scan , hows it look now budfred
Logfile of HijackThis v1.97.7
Scan saved at 12:02:04 PM, on 5/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Kazaa\kazaa.exe
C:\Program Files\Winamp3\winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Documents and Settings\Omnibook\Local Settings\Temp\Temporary Directory 3 for hijackthis1977.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.ieplugin.com/q.cgi?q=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Image Transfer.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: IMI (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
You still have Kazaa installed which is just an invitation for more problems. It is full of spyware and if it is removed Kazaa won't work. As Budfred said if you want to do the P2P thing use something that isn't infested.
Budfred
05-06-2004, 08:13 PM
Please tell me that you haven't run CWShredder yet.... If you have, you may have one of the new variants and that is much harder to remove. If you haven't, please do it now... If it still doesn't clean out most of the mess, reboot to Safe Mode and run it from there. Be sure to select FIX each time you run it, do NOT simply scan with it....
Also, I agree with Erik, classicsoftware and myself... Kazaa is a plague carrier, if you keep it all the cleanup you are doing now will need to be repeated many times and the new garbage to clean up is getting harder and harder....
You are still running HJT from a Temp folder and this means you may not be able to restore if it becomes necessary....
jvegas
05-11-2004, 12:46 PM
here is another run with my laptab online
Logfile of HijackThis v1.97.7
Scan saved at 11:39:37 AM, on 5/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Omnibook\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.ieplugin.com/q.cgi?q=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Image Transfer.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: IMI (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Budfred
05-12-2004, 01:26 AM
You still didn't say if you ran CWShredder... You have a CWS infection and we need to know if you ran the tool to figure out the next step... Please provide detail about what you have or haven't done...
jvegas
05-12-2004, 12:59 PM
I've never ran CWS I just got rid of
C:\Program Files\DownloadWare\dw.exe (the folder)
C:\Program Files\DelFin\PromulGate\PgMonitr.exe (the folder)
C:\WINDOWS\msbb.exe
in safe mode , should I run HJT again and post it?
classicsoftware
05-12-2004, 01:02 PM
YES
Steve
05-12-2004, 03:19 PM
jvegas,
Please download and run CWShredder (http://www.net-integration.net/tools/hijackthis.html#cwshredder) letting it fix all that it finds.
Reboot and post a follow-up log.
Budfred
05-12-2004, 07:55 PM
You are heavily infested with CWS and there is absolutely NO POINT in posting a fresh HJT log if you are not going to do as asked to fix the problem. Removing items with HJT while you still have CWS installed is useless.... If you want help with this, you need to use the tools as asked...
jvegas
05-13-2004, 01:14 PM
here a new print of CWS and HJT!!
CWShredder v1.57.0 scan only report
Please understand that a CWShredder 'Scan only' report
might not be sufficient to troubleshoot an infected system.
You can use HijackThis for that:
http://www.merijn.org/files/hijackthis.zip
http://www.spywareinfo.com/~merijn/files/hijackthis.zip
Windows XP (5.01.2600 SP1)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system32
AppData folder: C:\Documents and Settings\Omnibook\Application Data
Username: Omnibook
Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (734 bytes, A)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
Registry value: DefaultPrefix (should be http://) [] http://
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: C:\WINDOWS\win.ini (2694 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (444 bytes, A)
- END OF REPORT -
Logfile of HijackThis v1.97.7
Scan saved at 11:51:13 AM, on 5/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Omnibook\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\\winampa.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: IMI (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Budfred
05-13-2004, 11:16 PM
Your log is looking clean, is your system running okay??
It appears that you are not running any security software... If that is true, it is very likely that you will get infected again in the near future... I recommend that you get some installed, there are good free versions of each type of program available... Here is my standard security speech:
This is a good time to set up protection against further attacks. You need an antivirus that is updated, a good firewall and a spyware blocker like SpywareBlaster and also IE-Spyads. All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....
jvegas
05-14-2004, 03:18 PM
Yeah!! it look much better. Thanks a lot
I appreciate the time you took.
jvegas
05-23-2004, 12:14 PM
I know this one seems to worse!
Logfile of HijackThis v1.97.7
Scan saved at 11:07:40 AM, on 5/23/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SYSCFG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\DOWNLOADWARE\DW.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\WINDOWSUPD4.EXE
C:\PROGRAM FILES\COMET SYSTEMS\DM\BIN\DMSERVER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\COMMON FILES\GMT\GMT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\JUANO\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prosearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://66.103.153.158
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prosearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prosearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://prosearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hispeed.rogers.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prosearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\PROGRAM FILES\XUPITER\XTSEARCH.DLL (file missing)
O2 - BHO: (no name) - {40AC4D2D-491D-11D4-AAF2-0008C75DCD2B} - C:\WINDOWS\BPBOH.DLL
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\PROGRAM FILES\MEDIALOADS ENHANCED\ME1.DLL (file missing)
O2 - BHO: (no name) - {2662BDD7-05D6-408F-B241-FF98FACE6054} - C:\PROGRAM FILES\XUPITER\XTUPDATE.DLL (file missing)
O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\PROGRAM FILES\HOTBAR\BIN\4.3.9.0\HBHOSTIE.DLL (file missing)
O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\PROGRAM FILES\COMET SYSTEMS\PLATFORM\BIN\CSBHO.DLL (file missing)
O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_22.dll
O2 - BHO: (no name) - {44AFD83A-C2A9-1D8C-0EFF-D19AF08ADCB2} - C:\PROGRAM FILES\DEFAULTLESS\MPEG BAIT.DLL
O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\PROGRAM FILES\HOTBAR\BIN\4.3.9.0\HBHOSTIE.DLL (file missing)
O3 - Toolbar: Xupiter - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\PROGRAM FILES\XUPITER\XUPITERTOOLBAR.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Starware - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\PROGRAM FILES\COMET SYSTEMS\PLATFORM\BIN\CSIETB.DLL
O3 - Toolbar: First for great - {76AD293D-A08E-E848-AD24-5B0F5512214B} - C:\PROGRAM FILES\DEFAULTLESS\MPEG BAIT.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [CreateCD50] "c:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [CMESys] "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
O4 - HKLM\..\Run: [XupiterStartup] C:\Program Files\Xupiter\XupiterStartup2003.exe
O4 - HKLM\..\Run: [XupiterCfgLoader] C:\Program Files\Xupiter\XTCfgLoader.exe
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe
O4 - HKLM\..\Run: [Configuration Loader] syscfg32.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [WindowsUpd] C:\WINDOWS\WINDOWSUPD4.EXE
O4 - HKLM\..\Run: [Hotbar] C:\PROGRAM FILES\HOTBAR\BIN\4.3.9.0\HBINST.EXE /Upgrade
O4 - HKLM\..\Run: [BJ_UIC] C:\WINDOWS\SYSTEM\BJ_UIC.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\WINDOWSUPD4.EXE
O4 - HKLM\..\Run: [defycreative] C:\PROGRA~1\EGGSOO~1\Errordeadbyte.exe
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\BIN\DMSERVER.EXE /onreboot
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Configuration Loader] syscfg32.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: QFNLink.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\pptico.exe
O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O14 - IERESET.INF: START_PAGE_URL=http://hispeed.rogers.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {8D55E65E-FE01-11D0-9AF5-00805FD9AB07} (QFNLinkCtrl Class) - file://C:\WINDOWS\OPTIONS\CABS\CONTENT\QUICKEN\qfnlink.oc x
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {A27CFCAE-9351-4D74-BFFC-21EB19693D8C} - http://www.xupiter.com/search2/install/XupiterToolbarLoader.cab
O16 - DPF: {3C5BA506-6C30-4738-9CED-797ACADEA8DC} (Loader Class) - http://www.sqwire.com/toolbar/SQLoader.cab
O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://directplugin.com/tl4000.dll
O16 - DPF: {197AB1D7-A7DD-4C86-A938-1FCC0DB21B85} (DMProxyCtl Class) - http://dm.cometsystems.com/dm/dm_inst.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
jvegas
05-23-2004, 12:16 PM
I meant "computer at HOME"
classicsoftware
05-23-2004, 01:01 PM
This is really a mess, you have comet cursor, SDBot Syscfg32.exe Trojan, some kind of searching malware,newdotnet and I'm sure a host of other baddies.
I guess the best thing to do is to remove newdotnet first by following the sinstructions on their web page click here (http://www.newdotnet.com/),\. Removing newdotnet any other wasy can result in NO internet access.
Then
post a log back here to make sure newdotnet is gone. Once someonehere has confirmed it is gone, we can proceed with pahse 2.
1) Download, install and update Spybot. (http://download.com.com/3000-2144-10122137.html?part=104443&subj=dlpage&tag=button)
2) Download, install and update Adaware. (http://download.com.com/3000-8022-10214379.html?tag=lst-0-2)
3) Create a folder called HJT.
4) Download and install HijackThis (http://download.com.com/3000-8022-10227352.html?tag=lst-0-4) in the HJT folder.
5) Run Spybot and fix everything it finds
6) Shutdown your computer. Full shutdown DO NOT re-start.
7) Run Adaware and fix everything it finds.
8) Shutdown your computer. Full Shutdown DO NOT re-start.
9) Run an on line scan from Trend Micro (http://housecall.trendmicro.com/) and or Bitdefender. (http://www.bitdefender.com/scan/licence.php)
10) Run HijackThis from HJT folder. Do not run it from the TEMP or Temporary Internet Files folder as you will be unable to restore the backups created by HJT. After the scan is complete create a log file. DO NOT fix anything unless instructed to by an expert here.
11) RE-Post the contents of the log and the results from the previous scans back here for evaluation.
vBulletin v3.6.1, Copyright ©2000-2009, Jelsoft Enterprises Ltd.