Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93101 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

MSN Keeps Hijackin' My Homepage


  • This topic is locked This topic is locked
24 replies to this topic

#1 marcworthy

marcworthy

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 02 February 2006 - 05:32 PM

Hi All,

I've gotten great help here in the past (I think Micah was the main source of help but others pitched in). Anyway, here's the problem. I got a new computer that came with XP/SP2 which I hated. I put on the XP/SP1 that I have always used but now things are quite buggy. I really don't want to reinstall XP since I have just gotten mostly everything back on.

Main symptoms are:

1) Even though I have repeatedly changed my homepage (tools/internet options/general/address/use current) to yahoo.com or cnn.com it keeps going back to MSN.com.

2) My background keeps going to a solid blue color instead of the wallpaper I have assigned in ultramon and then comfirmed in desktop properties.

3) Fonts keep changing all around - mainly the caption button which in turn is making the icons in my system tray grotesquely large and fuzzy.

I have run Panda scan, Bitdefender, Microtrend, Spysweep, Ad-aware, Xoftspy & Spybot and nothing but little stuff (cookies) are found.

Here is my hijack log.........if anyone can help me I would appreciate it.

Logfile of HijackThis v1.99.1
Scan saved at 6:19:06 PM, on 2/2/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\DVDREG~1\DVDRegionFree.exe
D:\GRAMZ\HIJACK\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = FLYIN HIGH
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\Program Files\PopUpCop\PopUpCop.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - Global Startup: UltraMon.lnk = C:\Program Files\UltraMon\UltraMon.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://*.bugmenot.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe

    Advertisements

Register to Remove


#2 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 03 February 2006 - 01:22 PM

Click here >>>> http://www.downloads...org/KillBox.zip to download Killbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. In the 'Full Path of File to Delete' box, copy and paste the following, clicking the red 'Delete File' button (red circle with a white X) after pasting:

C:\WINDOWS\system32\paytime.exe

Click 'Exit' when done.

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

Tyhen reboot to normal Mode. make sure that everyting is enabled in msconfig. Scan with hijackthis and post the new log by clicking on "add reply" at the bottom right.

#3 marcworthy

marcworthy

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 03 February 2006 - 02:40 PM

Hey Siggyx I got killbox and copied and pasted C:\WINDOWS\system32\paytime.exe into the path as you said and it came up saying THIS FILE DOES NOT SEEM TO EXIST. I didn't do the rest (reboot while making sure everything in msconfig is working) or deleteing the 2 files in Hijackthis scan because of the above message. Should I do those anyway?

#4 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 03 February 2006 - 02:47 PM

Yes please do, then make sure that you reboot, also make sure that everything is enabled in msconfig and then scan and post a new hijackthis log.

#5 marcworthy

marcworthy

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 03 February 2006 - 03:20 PM

Logfile of HijackThis v1.99.1
Scan saved at 4:19:16 PM, on 2/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\System32\rsvp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\PROGRA~1\DVDREG~1\DVDRegionFree.exe
D:\GRAMZ\HIJACK\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = FLYIN HIGH
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\Program Files\PopUpCop\PopUpCop.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - Global Startup: UltraMon.lnk = C:\Program Files\UltraMon\UltraMon.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://*.bugmenot.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe

#6 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 03 February 2006 - 03:23 PM

Click here to run ActiveScan.
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Paste the contents of the Panda scan report along with a new HijackThis Log in your next reply.

#7 marcworthy

marcworthy

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 03 February 2006 - 03:50 PM

Here are the results of the Panda Scan and the new Hijackthis log:

Panda:

Incident Status Location

Adware:adware/beehappyy Not disinfected C:\WINDOWS\SYSTEM32\z11.exe
Adware:adware/cws.searchmeup Not disinfected C:\WINDOWS\uniq
Adware:adware/cws Not disinfected
C:\Documents and Settings\Sunny\Favorites\Fun & Games


Hijack Log:

Logfile of HijackThis v1.99.1
Scan saved at 4:46:27 PM, on 2/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\PROGRA~1\DVDREG~1\DVDRegionFree.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\GRAMZ\HIJACK\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = FLYIN HIGH
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\Program Files\PopUpCop\PopUpCop.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - Global Startup: UltraMon.lnk = C:\Program Files\UltraMon\UltraMon.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://*.bugmenot.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe

#8 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 03 February 2006 - 10:24 PM

Please follow the steps in the link below to run about:buster

http://www.besttechi...?showtopic=1488

post the logs and a new hijackthis log please

#9 marcworthy

marcworthy

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 04 February 2006 - 07:45 AM

Ok, I'm feeling like a jerk right now. I downloaded the program, extracted it and ran the scan. I got a run time error but it said scan was completed sucessfully. Then nothing happened. I didn't get a dialog box with any tabs - nothing that had the word protection or firefox - nothing!

#10 marcworthy

marcworthy

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 04 February 2006 - 08:05 AM

Ok, nevermind the previous message. I figured it out. Here are the Logs:

AboutBuster 6.0
Scan started on [2/4/2006] at [8:54:07 AM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
No Ads Found!
-------------------------------------------------------------
No Files Found!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 8:54:09 AM



Logfile of HijackThis v1.99.1
Scan saved at 9:03:02 AM, on 2/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Lexmark 6200 Series\lxbumon.exe
C:\Program Files\Lexmark 6200 Series\ezprint.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\lxbucoms.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\DVDREG~1\DVDRegionFree.exe
D:\GRAMZ\HIJACK\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.globaledg...ault.php?Enter= CLICK YES TO ENTER WEBSITE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = FLYIN HIGH
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\Program Files\PopUpCop\PopUpCop.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LXBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxbumon.exe] "C:\Program Files\Lexmark 6200 Series\lxbumon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 6200 Series\ezprint.exe"
O4 - Global Startup: UltraMon.lnk = C:\Program Files\UltraMon\UltraMon.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://*.bugmenot.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbucoms.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe

    Advertisements

Register to Remove


#11 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 04 February 2006 - 09:25 PM

Step # 1

Please download and run CWShredder. Make sure that all browser windows are closed with the exception of Cwshredder and choose FIX.

http://www.majorgeek...7fd6b3ff02edc90

REBOOT

Step #2

Please download and run Spybot 1.4 & AdAware SE Then follow the instructions in the link below to run.

Spybot & Adaware Tutorial

REBOOT

Step # 3

Then do a virus scan here >>> Trend Micro

Step # 4

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Install it, and update the definitions to the newest files.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

#12 marcworthy

marcworthy

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 05 February 2006 - 10:14 AM

I was up late working on your instructions. Got to Trend-Micro and got hung up for quite awhile. Nothing was going on with the scan and I figured maybe it was my Firefox settings (having never really used it before, I figured I had done something wrong). Got frustrated and went to bed figuring I would try it in the morning. Have been working on it for quiete some time. Even tried using IE to no avail. I keep getting the same message: HouseCall unfortunately does not support multibyte character sets yet. Please come back for updates. I've tried to figure this out but no luck. I also want to let you know that I have run Trend-Micro many times in the past with no problem!

Edited by marcworthy, 05 February 2006 - 10:35 AM.


#13 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 05 February 2006 - 10:58 AM

Click here to run ActiveScan.
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Paste the contents of the Panda scan report along with a new HijackThis Log in your next reply.

#14 marcworthy

marcworthy

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 05 February 2006 - 11:27 AM

Active Scan Results:


Incident Status Location

Adware:adware/beehappyy Not disinfected C:\WINDOWS\SYSTEM32\z11.exe
Adware:adware/cws.searchmeup Not disinfected C:\WINDOWS\uniq
Adware:adware/cws Not disinfected C:\Documents and Settings\Sunny\Favorites\Fun & Games
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Sunny\Application Data\Mozilla\Firefox\Profiles\d86h3x1b.default\cookies.txt[.ask.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Sunny\Application Data\Mozilla\Firefox\Profiles\d86h3x1b.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Sunny\Application Data\Mozilla\Firefox\Profiles\d86h3x1b.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Sunny\Application Data\Mozilla\Firefox\Profiles\d86h3x1b.default\cookies.txt[]


Logfile of HijackThis v1.99.1
Scan saved at 12:24:26 PM, on 2/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Lexmark 6200 Series\lxbumon.exe
C:\Program Files\Lexmark 6200 Series\ezprint.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\lxbucoms.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\GRAMZ\HIJACK\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = FLYIN HIGH
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\Program Files\PopUpCop\PopUpCop.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [lxbumon.exe] "C:\Program Files\Lexmark 6200 Series\lxbumon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 6200 Series\ezprint.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: UltraMon.lnk = C:\Program Files\UltraMon\UltraMon.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O15 - Trusted Zone: http://*.bugmenot.com
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbucoms.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe

#15 Siggyx

Siggyx

    SuperHelper

  • Authentic Member
  • PipPipPipPipPipPip
  • 6,776 posts

Posted 05 February 2006 - 12:26 PM

Download TheKillbox from here http://www.downloads...org/KillBox.zip Save to your Desktop and double click it to open it up. In the 'Enter Full Path and Filename to Delete' box, copy and paste these entries one by one, clicking 'Find and Kill This File' after each one:

C:\WINDOWS\SYSTEM32\z11.exe


Then reboot and a new hijackthis log please.

Related Topics



1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users