4 replies to this topic

[Happy]

Help... please... GACK!!!

Logfile of HijackThis v1.99.1
Scan saved at 10:48:57 AM, on 2/22/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\SYSWB6.exe
C:\Program Files\Network\ipnetwork.exe
C:\Program Files\America Online 6.0\aoltray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\AOL\1128097648\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1128097648\ee\AOLServiceHost.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://discover.jdbyrider.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O1 - Hosts: 204.244.184.143 SafeWeb.com
O1 - Hosts: 204.244.184.143 WWW.SafeWeb.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128097648\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [freestyle] lockx.exe
O4 - HKLM\..\Run: [SYSWB6] SYSWB6
O4 - HKLM\..\Run: [{1C-CE-E4-4F-ZN}] c:\windows\system32\rodsregk.exe FI002
O4 - HKLM\..\Run: [IpNetwork] C:\Program Files\Network\ipnetwork.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - HKCU\..\Run: [freestyle] lockx.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-62-602-0000156.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\pwinpsap.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0\aoltray.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - http://discover/secu...les/ScriptX.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://webmail.jdbyr...com/iNotes6.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemed...s/mediaview.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B56FB37D-73C6-47CF-B923-B5ABF37CB458}: Domain = jdbyrider.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = jdbyrider.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = jdbyrider.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = jdbyrider.com
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe

[Susan528]

Hello Happy and welcome to TomCoyote.

I am sorry to inform you that you have a bad infection on your system which is indicated by the presence of this file.
O4 - HKCU\..\Run: [freestyle] lockx.exe

http://securityrespo...2.loxbot.a.html

lockx.exe is a process which is registered as the W32/Sdbot-ADD worm. This virus is distributed via the Internet through e-mail and comes in the form of an e-mail message, in the hopes that you open it’s hostile attachment. The worm has it’s own SMTP engine which means it gathers E-mails from your local computer and re-distributes itself. In worst cases this worm can allow attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately.

I urge you to protect your personal information. If you use this system for any financial transactions, go to your bank or credit card company etc and alert them to your situation. Change all that information so that others do not have access to your accounts and do not use this system for any transactions until you are clean.

You may want to format and reinstall the operating system. In your shoes, I would do that.

"The type of Hijacker that took over your system, can leave hidden files deep in your system directory, that we are unable to find with any currently available methods. This makes it impossible for us to guarantee that we have removed every hidden bad file that has been sending your private information out to the Internet.

There remains a possibility that the hijacker still has enough info on your PC to continue its nasty work after we pronounce your computer 'clean'.
Because of this, we now recommend that you backup your Documents, Favorites and other text files to a removable drive and then format your computer and reinstall the Operating System.

The safety of the files that you backup also cannot be guaranteed, but the likelihood of them being infected is low. Best practices would be to start totally new but that often is not acceptable to our users, and therefore we leave the decision up to you, the user, whether to format and reinstall everything. To start you will need the disks for your OS and/or an intact Recovery Partition with the Recovery Tools CD."

Please let us know if you intend to format and install or to take chances with cleaning up your computer.

Here is some information for you to read and review.

When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

Edited by Siggyx, 06 March 2006 - 06:36 PM.

[Happy]

GASP!!! Well, I suppose I'm doing as well as anyone who was just told that he's got terminal cancer (computer terminal, that is). I sincerely appreciate your advice. I'm choosing the format and reinstall option, all the while, hoping for the best. Signing off now... Ideally, I'll be back to repost a fresh HJT log to get your opinion on my re-installed status. Thank you, again. Happy

[Susan528]

Hello happy,

If you have access to free computer support from your manufacturer, I would recommend using it. They may also have a website which will include documentation for your model of computer.

Microsoft has provided following link that may help with locating manufacturer computer support.
http://support.micro...;en-us;oemphone

If you are unable to find information, Wng_z3r0, a very respected member here at Tom Coyote and other forums, has created a wonderful tutorial which can be found here:
http://spyware-free....rials/reformat/

Please let us know if we can be of further assistance and I know Wng_z3r0 would be glad to help if you have any questions pertaining to his tutorial.


Regards,
Susan

[Susan528]

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php