duff man

help our homepage

2 posts in this topic

:wtf: Logfile of HijackThis v1.97.7

Scan saved at 11:20:00 PM, on 28/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\CTSVCCDA.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\ofps.exe

C:\SUPERVOC\PROGRAM\PICPMON.EXE

C:\WINDOWS\System32\tcpsvcs.exe

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\msrb32.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\Creative\ShareDLL\CtNotify.exe

C:\Program Files\Winamp\Winampa.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\mfcnt32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Creative\ShareDLL\MediaDet.exe

C:\Program Files\Common Files\efax\HotTray.exe

C:\Program Files\Iomega\Iomega Backup\dtsc.exe

C:\Program Files\Common Files\efax\Dllcmd32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\eliza\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

C:\Documents and Settings\eliza\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zxzbb.dll/sp.html#37680

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zxzbb.dll/index.html#37680

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zxzbb.dll/index.html#37680

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zxzbb.dll/sp.html#37680

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zxzbb.dll/index.html#37680

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zxzbb.dll/sp.html#37680

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: (no name) - {CA536228-5961-D1A0-FEFF-CF26224A6BFA} - C:\WINDOWS\appyk.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe

O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe

O4 - HKLM\..\Run: [mfcnt32.exe] C:\WINDOWS\system32\mfcnt32.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe

O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe

O4 - Global Startup: IDETool.lnk = C:\Program Files\IDETOOL\IDETOOL.EXE

O4 - Global Startup: Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtsc.exe

O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O9 - Extra button: Net2Phone (HKLM)

O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab

O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.spywarestormer.com/files2/Install.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8165.3017708333

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


Hello duff man

 

Spyware Stormer is a ripoff antispyware program. It produces false positives used as a goad to purchase. Removal is recommended. There are two legitimate programs that are much better and both are FREE (Adaware and Spybot Search & Destroy). See here:

Rogue/Suspect Anti-Spyware Products & Web Sites

http://www.spywarewarrior.com/rogue_anti-spyware.htm

 

First, please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use C:\Program Files\HijackThis but feel free to use any name or folder you like. Unzip HijackThis again and save the contents (HijackThis.exe) to the new folder you made. Then navigate to it and run HijackThis from there. This is to ensure it makes the necessary backups for recovery if needed.

 

Next, we need to update your HijackThis tool. Open HijackThis.exe and press *config* {bottom right corner} and then press *Misc. Tools* at the top. Next press *check for online update* and you should see version 1.98.0 available. Download that.

 

P.S. If you have any problems getting the update, simply delete your old version of HijackThis and download the new version from this link.

http://www.spywareinfo.com/~merijn/files/HijackThis.exe

 

1. If you do not have Adaware already installed and updated (version 6.181, reference file #01R325.27.06.2004 or higher), please do that now, but don't scan yet as we will do that in safe mode.

 

Download Adaware (get the free edition)

http://www.lavasoft.de/software/adaware/

(choose download from the left-hand menu)

 

Go to: Select Full Install and choose the download location of your choice (1.7mb)

Choose Download from

http://fileforum.betanews.com/detail.php3?fid=965718306 <--(I found FileForum easiest)

 

Be sure to UPDATE BEFORE SCANNING FIRST!! That is a very important step and I have included easy directions.

 

After downloading and installing, please update the program first. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference file. Click *ok* and let it download and install the updates by clicking on *Finish*. This will return you to the main screen. You should now see Reference File # : 01R325 27.06.2004 or higher listed.

 

In Ad-aware click the Gear Icon at the top of the screen.

 

The following items should be on a green check, not on a red X.

 

Under the Scanning button:

 

Scan within archives

 

Under Memory & Registry, Check EVERYTHING

 

In Check Drives & Folders, make sure all of your hard drives are selected

 

Under the Advanced button, check ALL under Log detail level (this makes it easier for visitors to the Lavasoft Support Forums to see what options you have selected should you require assistance.)

 

Under the Tweak button...

 

Some of these may not be an available option, depending on your version of Ad-aware and your version of Windows. Do not be concerned if you cannot select a certain item.

 

In Scanning Engine:

 

Unload recognized processes during scanning

 

Include info about ignored objects in logfile, if detected in scan

 

Include basic Ad-aware settings in logfile

 

Include additional Ad-aware settings in logfile

 

Include used command line parameters in logfile

 

In Cleaning Engine:

 

XP/2000: Allow unloading explorer to unload shell extensions prior to deletion

 

Let Windows remove files in use at next reboot

 

UNCHECK: Automatically try to unregister objects prior to deletion

 

Click Proceed to save these settings.

 

2. Print out these instructions so you have them handy as some of the steps need to be done in safe mode and you may not be able to go online.

 

3. Make sure your PC is configured to show hidden files

 

Open Windows Explorer and go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".

Click "Apply" then "OK"

 

4. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok

 

Scroll down and find the service called "Network Security Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

 

5. Reboot to Safe Mode

How to start the computer in Safe mode

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

 

6. Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zxzbb.dll/sp.html#37680

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zxzbb.dll/index.html#37680

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zxzbb.dll/index.html#37680

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zxzbb.dll/sp.html#37680

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zxzbb.dll/index.html#37680

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\zxzbb.dll/sp.html#37680

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

 

O2 - BHO: (no name) - {CA536228-5961-D1A0-FEFF-CF26224A6BFA} - C:\WINDOWS\appyk.dll

 

and delete the following files if present.

 

C:\WINDOWS\system32\msrb32.exe

 

C:\WINDOWS\system32\mfcnt32.exe

 

C:\WINDOWS\System32\ofps.exe

 

C:\WINDOWS\system32\zxzbb.dll

 

C:\WINDOWS\appyk.dll

 

 

7. Go to Start->Run and type Regedit then click Ok. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

and highlight Services in the left pane. In the right pane, look for any of these entries:

 

__NS_Service

__NS_Service_2

__NS_Service_3

 

If any are listed, right-click that entry in the right pane and choose Delete.

 

Again in Regedit, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root and highlight Root in the Left Pane. In the right pane, look for these entries (the number at the end should correspond to the first one you deleted above):

 

LEGACY___NS_Service

LEGACY___NS_Service_2

LEGACY___NS_Service_3

 

If you find it, right-click it in the right-pane and choose delete.

 

8. Scan with Adaware and let it remove any bad files found.

 

9. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

 

Temporary Files

Temporary Internet Files

Recycle Bin

 

10. Reboot to normal mode, scan again with Hijack This and post a new log here.

 

11. NOTE: Two, possibly 3, files were also deleted from your computer and need to be replaced.

 

Control.exe

hosts (with no extension)

SDHelper.dll (if you are using Spybot Search & Destroy)

 

If control.exe is missing

Go here: http://www.spywareinfo.com/~merijn/winfiles.html#control and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.

 

Download the Hoster from here: http://members.aol.com/toadbee/hoster.zip

Press 'Restore Original Hosts' and press 'OK'

Exit Program.

Note: if you were using a custom Hosts file you will need to replace any of those entries yourself

 

If you have Spybot S&D installed and SDHelper.dll is missing, replace it here:

http://www.spywareinfo.com/~merijn/winfiles.html#sdhelper and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

........................................................

12. Additionally, please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE as recommended.

 

13. Finally, do an online scan at the following site. Let it remove any infected files found.

Trend Micro (PC-cillin) - Free on-line Scan

http://housecall.antivirus.com
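
As an added example (not part of the original posts, and not HijackThis's own code): a small Python triage script that parses HijackThis entry lines like those in the log above and lists two of the patterns the reply marks for fixing, IE page settings that point at a res:// URL inside a local DLL and a Browser Helper Object with no name. The function names and both heuristics are assumptions made for illustration; a match is a prompt for review, not a verdict.

```python
import re

# Entry lines look like "R1 - <key>,<value> = <data>" or "O2 - BHO: <name> - {CLSID} - <path>".
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
REG_VALUE = re.compile(r"^(?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$")
BHO = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
RES_DLL = re.compile(r"^res://(?P<dll>.+?\.dll)/", re.IGNORECASE)

# Sample input: six entry lines taken from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\zxzbb.dll/sp.html#37680
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zxzbb.dll/index.html#37680
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {CA536228-5961-D1A0-FEFF-CF26224A6BFA} - C:\WINDOWS\appyk.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
"""

def parse_entries(text):
    """Return (code, body) for every entry line; headers and process paths are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m["code"], m["body"]))
    return entries

def triage(text):
    """Return (code, reason, detail) tuples for entries worth a closer look."""
    findings = []
    for code, body in parse_entries(text):
        if code in ("R0", "R1"):
            reg = REG_VALUE.match(body)
            res = reg and RES_DLL.match(reg["data"])
            if res:
                # Reduce "C:\...\zxzbb.dll" and "zxzbb.dll" to the same file name.
                dll = res["dll"].replace("\\", "/").rsplit("/", 1)[-1].lower()
                findings.append((code, "IE page served from local DLL", dll))
        elif code == "O2":
            bho = BHO.match(body)
            if bho and bho["name"] == "(no name)":
                findings.append((code, "unnamed BHO", bho["path"]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
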
