Jump to content


Photo

HiJack This Log


  • This topic is locked This topic is locked
8 replies to this topic

#1 gualmonte

gualmonte

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 20 May 2004 - 12:35 PM

I hope you can help me.
Thank you!



---------------------------------------------------------------------

Logfile of HijackThis v1.97.7
Scan saved at 19.15.53, on 20/05/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAMMI\FILE COMUNI\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAMMI\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAMMI\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAMMI\FILE COMUNI\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMMI\FILE COMUNI\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAMMI\WINAMP\WINAMPA.EXE
C:\PROGRAMMI\FILE COMUNI\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAMMI\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\QDCSFS.EXE
C:\WINDOWS\SYSTEM\GSICON.EXE
C:\WINDOWS\SYSTEM\DSLAGENT.EXE
C:\PROGRAMMI\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAMMI\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\Programmi\Norton SystemWorks\Norton CleanSweep\Monwow.exe
C:\PROGRAMMI\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\PROGRAMMI\PINNACLE\SHARED FILES\PROGRAMS\PCLESCHEDULER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.newsexgate.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotf...count_id=145872
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotf...count_id=145872
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotf...count_id=145872
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O1 - Hosts: 66.159.20.80 www1.ndhosting.com
O1 - Hosts: 66.159.20.80 www3.ndhosting.com
O1 - Hosts: 66.159.20.80 www2.ndhosting.com
O1 - Hosts: 66.159.20.80 www.ndhosting.com
O1 - Hosts: 66.159.20.80 www.kinghost.com
O1 - Hosts: 66.159.20.80 kinghost.com
O1 - Hosts: 66.159.20.80 www1.kinghost.com
O1 - Hosts: 66.159.20.80 www2.kinghost.com
O1 - Hosts: 66.159.20.80 www3.kinghost.com
O1 - Hosts: 66.159.20.80 www4.kinghost.com
O1 - Hosts: 66.159.20.80 www5.kinghost.com
O1 - Hosts: 66.159.20.80 www6.kinghost.com
O1 - Hosts: 66.159.20.80 www7.kinghost.com
O1 - Hosts: 66.159.20.80 www8.kinghost.com
O1 - Hosts: 66.159.20.80 www9.kinghost.com
O1 - Hosts: 66.159.20.80 www10.kinghost.com
O1 - Hosts: 66.159.20.80 www.smutserver.com
O1 - Hosts: 66.159.20.80 smutserver.com
O1 - Hosts: 66.159.20.80 www1.smutserver.com
O1 - Hosts: 66.159.20.80 www2.smutserver.com
O1 - Hosts: 66.159.20.80 www16.smutserver.com
O1 - Hosts: 66.159.20.80 www3.smutserver.com
O1 - Hosts: 66.159.20.80 www4.smutserver.com
O1 - Hosts: 66.159.20.80 www5.smutserver.com
O1 - Hosts: 66.159.20.80 www6.smutserver.com
O1 - Hosts: 66.159.20.80 www7.smutserver.com
O1 - Hosts: 66.159.20.80 www8.smutserver.com
O1 - Hosts: 66.159.20.80 www9.smutserver.com
O1 - Hosts: 66.159.20.80 www10.smutserver.com
O1 - Hosts: 66.159.20.80 www11.smutserver.com
O1 - Hosts: 66.159.20.80 www12.smutserver.com
O1 - Hosts: 66.159.20.80 www13.smutserver.com
O1 - Hosts: 66.159.20.80 www14.smutserver.com
O1 - Hosts: 66.159.20.80 www15.smutserver.com
O1 - Hosts: 66.159.20.80 www17.smutserver.com
O1 - Hosts: 66.159.20.80 www18.smutserver.com
O1 - Hosts: 66.159.20.80 www19.smutserver.com
O1 - Hosts: 66.159.20.80 www20.smutserver.com
O1 - Hosts: 66.159.20.80 www21.smutserver.com
O1 - Hosts: 66.159.20.80 www22.smutserver.com
O1 - Hosts: 66.159.20.80 www23.smutserver.com
O1 - Hosts: 66.159.20.80 www24.smutserver.com
O1 - Hosts: 66.159.20.80 www25.smutserver.com
O1 - Hosts: 66.159.20.80 www26.smutserver.com
O1 - Hosts: 66.159.20.80 www27.smutserver.com
O1 - Hosts: 66.159.20.80 www28.smutserver.com
O1 - Hosts: 66.159.20.80 www29.smutserver.com
O1 - Hosts: 66.159.20.80 www30.smutserver.com
O1 - Hosts: 66.159.20.80 www31.smutserver.com
O1 - Hosts: 66.159.20.80 www32.smutserver.com
O1 - Hosts: 66.159.20.80 agreathost.net
O1 - Hosts: 66.159.20.80 www.agreathost.net
O1 - Hosts: 66.159.20.80 hotfreehost.com
O1 - Hosts: 66.159.20.80 www.hotfreehost.com
O1 - Hosts: 66.159.20.80 greatfreehost.com
O1 - Hosts: 66.159.20.80 www.greatfreehost.com
O1 - Hosts: 66.159.20.80 freesmutpages.com
O1 - Hosts: 66.159.20.80 www.freesmutpages.com
O1 - Hosts: 66.159.20.80 apornhost.com
O1 - Hosts: 66.159.20.80 www.apornhost.com
O1 - Hosts: 66.159.20.80 nasty-pages.com
O1 - Hosts: 66.159.20.80 www.nasty-pages.com
O1 - Hosts: 66.159.20.80 sexyfreehost.com
O1 - Hosts: 66.159.20.80 www.sexyfreehost.com
O1 - Hosts: 66.159.20.80 x4web.com
O1 - Hosts: 66.159.20.80 www.x4web.com
O1 - Hosts: 66.159.20.80 sexplanets.com
O1 - Hosts: 66.159.20.80 www.sexplanets.com
O1 - Hosts: 66.159.20.80 maxismut.com
O1 - Hosts: 66.159.20.80 www.maxismut.com
O1 - Hosts: 66.159.20.80 tgpfriendly.com
O1 - Hosts: 66.159.20.80 www.tgpfriendly.com
O1 - Hosts: 66.159.20.80 tgp-server.com
O1 - Hosts: 66.159.20.80 www.tgp-server.com
O1 - Hosts: 66.159.20.80 magnaplza.com
O1 - Hosts: 66.159.20.80 www.magnaplza.com
O1 - Hosts: 66.159.20.80 free-xxx-server.com
O1 - Hosts: 66.159.20.80 www.free-xxx-server.com
O1 - Hosts: 66.159.20.80 libereco.net
O1 - Hosts: 66.159.20.80 www.libereco.net
O1 - Hosts: 66.159.20.80 0190-dialer.com
O1 - Hosts: 66.159.20.80 www.0190-dialer.com
O1 - Hosts: 66.159.20.80 xxxod.net
O1 - Hosts: 66.159.20.80 www.xxxod.net
O1 - Hosts: 66.159.20.80 altsights.com
O1 - Hosts: 66.159.20.80 www.altsights.com
O1 - Hosts: 66.159.20.80 adulthosting.com
O1 - Hosts: 66.159.20.80 www.adulthosting.com
O1 - Hosts: 66.159.20.80 superhova.com
O1 - Hosts: 66.159.20.80 www.superhova.com
O1 - Hosts: 66.159.20.80 bestpornhost.com
O1 - Hosts: 66.159.20.80 www.bestpornhost.com
O1 - Hosts: 66.159.20.80 hostingfree.com
O1 - Hosts: 66.159.20.80 www.hostingfree.com
O1 - Hosts: 66.159.20.80 xfreehosting.com
O1 - Hosts: 66.159.20.80 www.xfreehosting.com
O1 - Hosts: 66.159.20.80 blinghosting.com
O1 - Hosts: 66.159.20.80 www.blinghosting.com
O1 - Hosts: 66.159.20.80 x-x-x-hosting.com
O1 - Hosts: 66.159.20.80 www.x-x-x-hosting.com
O1 - Hosts: 66.159.20.80 pornparks.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAMMI\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NPROTECT] C:\Programmi\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRAMMI\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\QDCSFS.exe /startup /scheduler
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [xch] C:\WINDOWS\xch.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Programmi\File comuni\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Programmi\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\Programmi\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Programmi\File comuni\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PeerGuardian] C:\PROGRAMMI\PEERGUARDIAN PR14\PEERGUARDIAN_1.99B_PR14.exe
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\explorer.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe
O4 - HKLM\..\RunOnce: [MPE0] "C:\Programmi\Norton SystemWorks\Norton CleanSweep\csinsm32.exe" -s "C:\Programmi\Norton SystemWorks\Norton CleanSweep\IM007712.CIL" rundll32.exe streamci,StreamingDeviceSetup {8E60217D-A2EE-47f8-B0C5-0F44C55F66DC},GLOBAL,{FD0A5AF4-B41D-11d2-9C95-00C04F7971E0},C:\WINDOWS\INF\mpe.inf,BDAcodec
O4 - HKCU\..\RunOnce: [DeleteISTbar] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\PROGRAMMI\ISTBAR\ISTBAR.DLL"
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Programmi\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Encoder Agent.lnk = C:\Programmi\Windows Media Components\Encoder\WMENCAGT.EXE
O4 - Startup: Pinnacle PCTV Scheduler.lnk = C:\Programmi\Pinnacle\Shared Files\Programs\PCLEScheduler.exe
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Programmi\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O9 - Extra button: SWFDecompiler (HKLM)
O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler (HKLM)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll

#2 Tuxedo Jack

Tuxedo Jack

    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • PipPipPipPipPip
  • 1,757 posts

Posted 20 May 2004 - 12:53 PM

You have a CWS infection.

Please download CWShredder from the link in my signature, then save it to the desktop. Close all programs and run it. Click "Fix" and let it remove what it wants to.

Reboot.

Scan with HJT again and post the new log.
Signature file is under revision. This will be back shortly.

#3 gualmonte

gualmonte

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 20 May 2004 - 02:12 PM

I really appreciate your help.
This is the new HJT log:


Logfile of HijackThis v1.97.7
Scan saved at 21.14.16, on 20/05/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAMMI\FILE COMUNI\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAMMI\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAMMI\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAMMI\FILE COMUNI\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMMI\FILE COMUNI\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAMMI\WINAMP\WINAMPA.EXE
C:\PROGRAMMI\FILE COMUNI\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAMMI\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\QDCSFS.EXE
C:\WINDOWS\SYSTEM\GSICON.EXE
C:\WINDOWS\SYSTEM\DSLAGENT.EXE
C:\PROGRAMMI\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\PROGRAMMI\PINNACLE\SHARED FILES\PROGRAMS\PCLESCHEDULER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O1 - Hosts: 66.159.20.80 agreathost.net
O1 - Hosts: 66.159.20.80 www.agreathost.net
O1 - Hosts: 66.159.20.80 hotfreehost.com
O1 - Hosts: 66.159.20.80 www.hotfreehost.com
O1 - Hosts: 66.159.20.80 greatfreehost.com
O1 - Hosts: 66.159.20.80 www.greatfreehost.com
O1 - Hosts: 66.159.20.80 freesmutpages.com
O1 - Hosts: 66.159.20.80 www.freesmutpages.com
O1 - Hosts: 66.159.20.80 apornhost.com
O1 - Hosts: 66.159.20.80 www.apornhost.com
O1 - Hosts: 66.159.20.80 nasty-pages.com
O1 - Hosts: 66.159.20.80 www.nasty-pages.com
O1 - Hosts: 66.159.20.80 sexyfreehost.com
O1 - Hosts: 66.159.20.80 www.sexyfreehost.com
O1 - Hosts: 66.159.20.80 x4web.com
O1 - Hosts: 66.159.20.80 www.x4web.com
O1 - Hosts: 66.159.20.80 sexplanets.com
O1 - Hosts: 66.159.20.80 www.sexplanets.com
O1 - Hosts: 66.159.20.80 maxismut.com
O1 - Hosts: 66.159.20.80 www.maxismut.com
O1 - Hosts: 66.159.20.80 tgpfriendly.com
O1 - Hosts: 66.159.20.80 www.tgpfriendly.com
O1 - Hosts: 66.159.20.80 tgp-server.com
O1 - Hosts: 66.159.20.80 www.tgp-server.com
O1 - Hosts: 66.159.20.80 magnaplza.com
O1 - Hosts: 66.159.20.80 www.magnaplza.com
O1 - Hosts: 66.159.20.80 free-xxx-server.com
O1 - Hosts: 66.159.20.80 www.free-xxx-server.com
O1 - Hosts: 66.159.20.80 libereco.net
O1 - Hosts: 66.159.20.80 www.libereco.net
O1 - Hosts: 66.159.20.80 0190-dialer.com
O1 - Hosts: 66.159.20.80 www.0190-dialer.com
O1 - Hosts: 66.159.20.80 xxxod.net
O1 - Hosts: 66.159.20.80 www.xxxod.net
O1 - Hosts: 66.159.20.80 altsights.com
O1 - Hosts: 66.159.20.80 www.altsights.com
O1 - Hosts: 66.159.20.80 adulthosting.com
O1 - Hosts: 66.159.20.80 www.adulthosting.com
O1 - Hosts: 66.159.20.80 superhova.com
O1 - Hosts: 66.159.20.80 www.superhova.com
O1 - Hosts: 66.159.20.80 bestpornhost.com
O1 - Hosts: 66.159.20.80 www.bestpornhost.com
O1 - Hosts: 66.159.20.80 hostingfree.com
O1 - Hosts: 66.159.20.80 www.hostingfree.com
O1 - Hosts: 66.159.20.80 xfreehosting.com
O1 - Hosts: 66.159.20.80 www.xfreehosting.com
O1 - Hosts: 66.159.20.80 x-x-x-hosting.com
O1 - Hosts: 66.159.20.80 www.x-x-x-hosting.com
O1 - Hosts: 66.159.20.80 pornparks.com
O1 - Hosts: 66.159.20.80 www.pornparks.com
O1 - Hosts: 66.159.20.80 sexls.com
O1 - Hosts: 66.159.20.80 www.sexls.com
O1 - Hosts: 66.159.20.80 royalfreehost.com
O1 - Hosts: 66.159.20.80 www.royalfreehost.com
O1 - Hosts: 66.159.20.80 pleasuremedia.com
O1 - Hosts: 66.159.20.80 www.pleasuremedia.com
O1 - Hosts: 66.159.20.80 www.mtree.com
O1 - Hosts: 66.159.20.80 mtree.com
O1 - Hosts: 66.159.20.80 www.dialacom.com
O1 - Hosts: 66.159.20.80 dialacom.com
O1 - Hosts: 66.159.20.80 nocreditcard.com
O1 - Hosts: 66.159.20.80 www.nocreditcard.com
O1 - Hosts: 66.159.20.80 movies-etc.com
O1 - Hosts: 66.159.20.80 www.movies-etc.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAMMI\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NPROTECT] C:\Programmi\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRAMMI\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\QDCSFS.exe /startup /scheduler
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [xch] C:\WINDOWS\xch.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Programmi\File comuni\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Programmi\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\Programmi\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Programmi\File comuni\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PeerGuardian] C:\PROGRAMMI\PEERGUARDIAN PR14\PEERGUARDIAN_1.99B_PR14.exe
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\explorer.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe
O4 - HKLM\..\RunOnce: [MPE0] "C:\Programmi\Norton SystemWorks\Norton CleanSweep\csinsm32.exe" -s "C:\Programmi\Norton SystemWorks\Norton CleanSweep\IM007712.CIL" rundll32.exe streamci,StreamingDeviceSetup {8E60217D-A2EE-47f8-B0C5-0F44C55F66DC},GLOBAL,{FD0A5AF4-B41D-11d2-9C95-00C04F7971E0},C:\WINDOWS\INF\mpe.inf,BDAcodec
O4 - HKCU\..\RunOnce: [DeleteISTbar] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\PROGRAMMI\ISTBAR\ISTBAR.DLL"
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Programmi\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Encoder Agent.lnk = C:\Programmi\Windows Media Components\Encoder\WMENCAGT.EXE
O4 - Startup: Pinnacle PCTV Scheduler.lnk = C:\Programmi\Pinnacle\Shared Files\Programs\PCLEScheduler.exe
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Programmi\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O9 - Extra button: SWFDecompiler (HKLM)
O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler (HKLM)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll

#4 Tuxedo Jack

Tuxedo Jack

    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • PipPipPipPipPip
  • 1,757 posts

Posted 20 May 2004 - 02:24 PM

Close all programs, tick the following for removal in HJT, then click "Fix Checked:"

O1 - Hosts: 66.159.20.80 agreathost.net
O1 - Hosts: 66.159.20.80 www.agreathost.net
O1 - Hosts: 66.159.20.80 hotfreehost.com
O1 - Hosts: 66.159.20.80 www.hotfreehost.com
O1 - Hosts: 66.159.20.80 greatfreehost.com
O1 - Hosts: 66.159.20.80 www.greatfreehost.com
O1 - Hosts: 66.159.20.80 freesmutpages.com
O1 - Hosts: 66.159.20.80 www.freesmutpages.com
O1 - Hosts: 66.159.20.80 apornhost.com
O1 - Hosts: 66.159.20.80 www.apornhost.com
O1 - Hosts: 66.159.20.80 nasty-pages.com
O1 - Hosts: 66.159.20.80 www.nasty-pages.com
O1 - Hosts: 66.159.20.80 sexyfreehost.com
O1 - Hosts: 66.159.20.80 www.sexyfreehost.com
O1 - Hosts: 66.159.20.80 x4web.com
O1 - Hosts: 66.159.20.80 www.x4web.com
O1 - Hosts: 66.159.20.80 sexplanets.com
O1 - Hosts: 66.159.20.80 www.sexplanets.com
O1 - Hosts: 66.159.20.80 maxismut.com
O1 - Hosts: 66.159.20.80 www.maxismut.com
O1 - Hosts: 66.159.20.80 tgpfriendly.com
O1 - Hosts: 66.159.20.80 www.tgpfriendly.com
O1 - Hosts: 66.159.20.80 tgp-server.com
O1 - Hosts: 66.159.20.80 www.tgp-server.com
O1 - Hosts: 66.159.20.80 magnaplza.com
O1 - Hosts: 66.159.20.80 www.magnaplza.com
O1 - Hosts: 66.159.20.80 free-xxx-server.com
O1 - Hosts: 66.159.20.80 www.free-xxx-server.com
O1 - Hosts: 66.159.20.80 libereco.net
O1 - Hosts: 66.159.20.80 www.libereco.net
O1 - Hosts: 66.159.20.80 0190-dialer.com
O1 - Hosts: 66.159.20.80 www.0190-dialer.com
O1 - Hosts: 66.159.20.80 xxxod.net
O1 - Hosts: 66.159.20.80 www.xxxod.net
O1 - Hosts: 66.159.20.80 altsights.com
O1 - Hosts: 66.159.20.80 www.altsights.com
O1 - Hosts: 66.159.20.80 adulthosting.com
O1 - Hosts: 66.159.20.80 www.adulthosting.com
O1 - Hosts: 66.159.20.80 superhova.com
O1 - Hosts: 66.159.20.80 www.superhova.com
O1 - Hosts: 66.159.20.80 bestpornhost.com
O1 - Hosts: 66.159.20.80 www.bestpornhost.com
O1 - Hosts: 66.159.20.80 hostingfree.com
O1 - Hosts: 66.159.20.80 www.hostingfree.com
O1 - Hosts: 66.159.20.80 xfreehosting.com
O1 - Hosts: 66.159.20.80 www.xfreehosting.com
O1 - Hosts: 66.159.20.80 x-x-x-hosting.com
O1 - Hosts: 66.159.20.80 www.x-x-x-hosting.com
O1 - Hosts: 66.159.20.80 pornparks.com
O1 - Hosts: 66.159.20.80 www.pornparks.com
O1 - Hosts: 66.159.20.80 sexls.com
O1 - Hosts: 66.159.20.80 www.sexls.com
O1 - Hosts: 66.159.20.80 royalfreehost.com
O1 - Hosts: 66.159.20.80 www.royalfreehost.com
O1 - Hosts: 66.159.20.80 pleasuremedia.com
O1 - Hosts: 66.159.20.80 www.pleasuremedia.com
O1 - Hosts: 66.159.20.80 www.mtree.com
O1 - Hosts: 66.159.20.80 mtree.com
O1 - Hosts: 66.159.20.80 www.dialacom.com
O1 - Hosts: 66.159.20.80 dialacom.com
O1 - Hosts: 66.159.20.80 nocreditcard.com
O1 - Hosts: 66.159.20.80 www.nocreditcard.com
O1 - Hosts: 66.159.20.80 movies-etc.com
O1 - Hosts: 66.159.20.80 www.movies-etc.com

O4 - HKLM\..\Run: [xch] C:\WINDOWS\xch.exe
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\explorer.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe
O4 - HKCU\..\RunOnce: [DeleteISTbar] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\PROGRAMMI\ISTBAR\ISTBAR.DLL"

Reboot.

Find and delete the following files/folders:

C:\PROGRAMMI\ISTBAR\
C:\WINDOWS\SYSTEM\msmc.exe
C:\WINDOWS\System\explorer.exe
C:\WINDOWS\xch.exe

Scan with HijackThis again and post the new log.
Signature file is under revision. This will be back shortly.

#5 gualmonte

gualmonte

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 20 May 2004 - 03:07 PM

Hello.
Just a few things:

I didn't find O4 - HKCU\..\RunOnce: [DeleteISTbar] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\PROGRAMMI\ISTBAR\ISTBAR.DLL, so i couldn't tick it.

Then, I also couldn't find the following folders/files for removal:
C:\WINDOWS\SYSTEM\msmc.exe
C:\WINDOWS\System\explorer.exe
C:\WINDOWS\xch.exe

But I guess it's ok.

Last question: In my desktop, there are now a lot of backup files, can I delete them (for example: backup-20040520-215110-695)?

This is the new log:



#####################################





Logfile of HijackThis v1.97.7
Scan saved at 22.04.38, on 20/05/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAMMI\FILE COMUNI\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAMMI\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAMMI\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAMMI\FILE COMUNI\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAMMI\FILE COMUNI\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAMMI\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMMI\FILE COMUNI\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAMMI\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\QDCSFS.EXE
C:\WINDOWS\SYSTEM\GSICON.EXE
C:\WINDOWS\SYSTEM\DSLAGENT.EXE
C:\PROGRAMMI\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAMMI\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\PROGRAMMI\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\PROGRAMMI\PINNACLE\SHARED FILES\PROGRAMS\PCLESCHEDULER.EXE
C:\Programmi\Norton SystemWorks\Norton CleanSweep\Monwow.exe
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMI\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAMMI\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NPROTECT] C:\Programmi\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRAMMI\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\QDCSFS.exe /startup /scheduler
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Programmi\File comuni\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Programmi\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\Programmi\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Programmi\File comuni\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PeerGuardian] C:\PROGRAMMI\PEERGUARDIAN PR14\PEERGUARDIAN_1.99B_PR14.exe
O4 - HKLM\..\RunOnce: [MPE0] "C:\Programmi\Norton SystemWorks\Norton CleanSweep\csinsm32.exe" -s "C:\Programmi\Norton SystemWorks\Norton CleanSweep\IM007712.CIL" rundll32.exe streamci,StreamingDeviceSetup {8E60217D-A2EE-47f8-B0C5-0F44C55F66DC},GLOBAL,{FD0A5AF4-B41D-11d2-9C95-00C04F7971E0},C:\WINDOWS\INF\mpe.inf,BDAcodec
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Programmi\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Encoder Agent.lnk = C:\Programmi\Windows Media Components\Encoder\WMENCAGT.EXE
O4 - Startup: Pinnacle PCTV Scheduler.lnk = C:\Programmi\Pinnacle\Shared Files\Programs\PCLEScheduler.exe
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Programmi\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O9 - Extra button: SWFDecompiler (HKLM)
O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler (HKLM)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll

#6 gualmonte

gualmonte

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 20 May 2004 - 03:51 PM

Sorry if I move up this post, but i'd like to solve my problem :)

#7 Tuxedo Jack

Tuxedo Jack

    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • PipPipPipPipPip
  • 1,757 posts

Posted 20 May 2004 - 04:39 PM

Yes, you can delete the backups.

You're clean.

Clear your Temporary Internet Files immediately. To do this, go to the Internet Controls control panel, then click "Delete Files." Tick the checkbox there, then click "OK.'

You may wish to look at Mozilla Firefox instead of IE. It has no security holes, doesn't integrate into the Windows shell (which is a bad thing due to the shell's control over the system), doesn't download anything without your approval, and doesn't get hijacked.

It also takes up less resources and uses tabs or new windows (tabs save desktop and taskbar space and make closing windows easier). It also comes with a built-in popup blocker as well as the ability to block images from servers (i.e. advertisements) with a right-click.

Firefox is immune to CWS in all its forms. You will _never_ get hijacked by CWS or any of its affiliates ever again if you use Firefox.

There's a link to it in my signature.

IE-SPYAD places over 4,000 known evil sites into the Restricted Sites zone in Internet Explorer so they can't execute ActiveX, Java, or place cookies on your machine. It's a rather nice thing to have. There's a link to it in my signature.

SpywareBlaster can prevent spyware from installing itself on your computer. It does require updating every now and again, but it's rather easy to operate. Just install, run, update, click "Protect," and you're done. Update once every month or so. There's a link in my signature.

Happy computing, and don't forget to use Windows Update once a week!
Signature file is under revision. This will be back shortly.

#8 gualmonte

gualmonte

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 20 May 2004 - 04:54 PM

thank you very much.

#9 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 20 May 2004 - 05:27 PM

Glad we could help!

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button