Think I have a worm


11 replies to this topic

#1 gary_stanley_uk
Member (Full Member, 31 posts)

Posted 04 July 2004 - 10:52 AM

Hello,
I only just got Internet Explorer to work again after a long battle with my computer; however, it starts with a search200 thing, and when I try to get rid of it in HijackThis it comes back instantly. Please help me cleanse my system. Thank you in advance!!


Logfile of HijackThis v1.97.7
Scan saved at 16:43:12, on 04/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\VetMsgNT.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
C:\PROGRA~1\PLANSI~1\glueonce.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\Program Files\Sky Alerts\skinkers.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\PROGRA~1\INCRED~1\bin\INCMAIL.EXE
C:\PROGRA~1\INCRED~1\bin\IMAPP.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Scotty B\My Documents\Anti Hack software\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com...er=6&ar=msnhome
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.zestyfind.com/
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
O4 - HKLM\..\Run: [Chic long] C:\PROGRA~1\PLANSI~1\glueonce.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [SkySportsCluster] C:\Program Files\Sky Alerts\skinkers.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180soluti...seInstaller.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8172.3164351852
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab27571.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4CBE9ACC-382D-4547-9B3A-5E26F49C2086}: NameServer = 194.72.9.38 194.74.65.68

#2 thesh
Member (Full Member, 32 posts)

Posted 07 July 2004 - 05:21 PM

This is bad:

O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll

This is what your internet is routing through. I would download the Internet Fix I posted and then download HijackThis and remove those four things listed for starters. If the internet stops working after that, run the Internet Fix. After you do all that, download Adaware 6, update it and scan the system, then download Avast Home and do a boot-time scan, then download CWShredder to fix the 200 problem; then everything should be pretty cleaned up. If you have any other problems, just post them.



Internet Fix XP/2000/ME/98
Avast Home
Adaware 6

Edited by dave38, 07 July 2004 - 06:25 PM.


#3 Budfred
Malware Hound (Administrators, 21,305 posts)

Posted 07 July 2004 - 05:29 PM

gary_stanley_uk,

Please ignore the advice from theshit... it is incorrect and will likely cause you to lose your ability to access email and the internet... Please wait for assistance from someone who is qualified to help...

theshit,

You need to check your PMs as soon as possible...
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#4 Trilobite
Malware Hunter (Trusted Advisor, 711 posts)

Posted 07 July 2004 - 05:31 PM

DO NOT FOLLOW thesh's advice.
You will probably lose your internet connection if you do!

EDIT: Sorry Budfred, you beat me to it. I didn't see you there.

Edited by Trilobite, 07 July 2004 - 09:39 PM.


#5 thesh
Member (Full Member, 32 posts)

Posted 07 July 2004 - 05:44 PM

Yes, more than likely you will lose your Internet connection, but sometimes HijackThis fixes the problem; that's why I posted the Internet Fix to fix that problem. I have done this many times on over 100 computers, maybe more. If you do not want to take my advice, that's fine. This is all I do all day long: remove spyware and adware and fix customers' computers. I've been doing this since spyware and adware started to show up on computer systems. I get paid to do this, IT'S MY JOB. All I want is to help other people with their problems. If they follow my instructions exactly, then there won't be a problem. If I didn't know what I was doing, I wouldn't be getting paid to do it.

Edited by dave38, 07 July 2004 - 06:02 PM.


#6 Budfred
Malware Hound (Administrators, 21,305 posts)

Posted 07 July 2004 - 05:51 PM

gary_stanley_uk,

I am sorry you are having to deal with this squabble... If you fix those items with HJT, you will almost certainly lose your ability to access websites and you will make doing the proper fix more difficult... Please do not act on this bad advice....
Budfred


#7 thesh
Member (Full Member, 32 posts)

Posted 07 July 2004 - 05:54 PM

What is the proper fix, may I ask?

#8 gary_stanley_uk
Member (Full Member, 31 posts)

Posted 07 July 2004 - 05:54 PM

Thanks, I will wait for some expert advice then! Thanks.

#9 OSC
SWI Junkie (Retired Staff, 397 posts)

Posted 07 July 2004 - 06:09 PM

Hi gary_stanley_uk,

You have a few things going on here.....

First, go here and download this program called CWShredder. Unzip the .exe to your desktop. Then, make sure ALL windows are closed and run CWShredder.exe and click Fix (not scan).

Next, run HijackThis again and click Scan. Check the boxes next to these entries. Then close all windows except HijackThis. Tell HijackThis to 'Fix checked'.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com...er=6&ar=msnhome
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180soluti...seInstaller.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab


Reboot your computer.

Now, let's get rid of those lines that are causing those O10 entries. True, they are bad, but as Budfred pointed out, fixing them with HijackThis would have severed your internet connection. So we'll remove them this way.

Go here and download this tool called Vx2Finder. Save it to your desktop, run it and click the "Click to find Vx2/BetterInternet" button, then click Make Log. Copy that log and a new HijackThis log back into this thread.

#10 sardak
I know everything. (Full Member, 14 posts)

Posted 08 July 2004 - 12:12 PM

Well, luckily they're using Windows XP, so even after removing the LSPs, it's simply a matter of running

netsh interface ip reset reset.log

to reset the TCP/IP stack and Winsock settings to restore internet connectivity.

#11 thesh
Member (Full Member, 32 posts)

Posted 08 July 2004 - 12:48 PM

That's what my Internet Fix does, and more. Check it out, OSC.
Internet Fix
It also works on 98/ME.

Edited by thesh, 08 July 2004 - 12:54 PM.


#12 OSC
SWI Junkie (Retired Staff, 397 posts)

Posted 08 July 2004 - 01:16 PM

Hi thesh,

That's nice, thesh, but you're missing the point here. Fixing those O10 entries will not get rid of the main culprit, in this case Look2Me. And why fix them with HijackThis when the user will then have to go and download yet another utility to fix the problem? We try to fix people's computers with the least number of steps possible. Fixing those entries with HijackThis creates more steps and adds aggravation to the mix once the computer loses internet connectivity.

sardak, using that command will fix the problem, but most users won't even know that command exists; or how to use it (where to put it in).

The point is fixing those lines with hijackthis is not a solution. It only creates more work for the people helping and the user, who is already frustrated about pop-ups, hijacks, etc.

I'd be happy to discuss this with you, but this thread is not the place. I'm sure your utility works just fine and will be a nice option to lspfix and/or the command sardak pointed out. Feel free to join our chat room (chat.spywareinfo.com) or PM me if you'd like to continue this. The only requests I'll be responding to in this thread are ones from gary_stanley_uk. Thanks for your understanding.
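The whole disagreement in this thread is about which HijackThis lines are safe to 'Fix checked' and which are not. The Python script below is an added example written for this page; it is not part of the thread and not HijackThis code. It parses a HijackThis log, groups the O10 lines by DLL (the four identical O10 lines in the log are one LSP hooked into four Winsock catalog entries, not four infections), and separates entries whose fix only rewrites a registry value (R0 start page, O16 DPF) from the O10 LSP entries, which it refuses to mark as fixable in HijackThis, for the reason Budfred and OSC give, with sardak's netsh command noted as the recovery step. The sample log is constructed and modelled on the one posted here: the example.com/example.net hosts, the 192.0.2.x DNS addresses and the `trusted_hosts` allowlist are assumptions of the example.

```python
"""Triage a HijackThis log: parse the R*/O* entries, group the Winsock LSP
(O10) lines by DLL and separate what is safe to 'Fix checked' from what is not.
Added example for this thread; not HijackThis code."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
LSP_RE = re.compile(r"Winsock LSP:\s*(?P<path>.+?)\s*$")
DPF_RE = re.compile(r"DPF: \{[0-9A-Fa-f-]+\} \(.+?\) - (?P<url>\S+)")


@dataclass
class Entry:
    kind: str                   # section code: "R0", "O4", "O10", "O16", "O17", ...
    body: str                   # text after "<kind> - "
    host: Optional[str] = None  # URL host (R0/R1 start page, O16 download)
    path: Optional[str] = None  # LSP DLL path (O10)


@dataclass
class Finding:
    kind: str
    item: str
    safe_to_fix_in_hjt: bool    # False: fixing the line in HijackThis breaks things
    action: str


def _host(url: str) -> Optional[str]:
    """Hostname of a URL; logs also show bare 'www.example.com/' values."""
    return urlsplit(url if "://" in url else "http://" + url).hostname


def parse_entries(log_text: str) -> List[Entry]:
    """Keep only the scan entries; header and process-list lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        e = Entry(m.group("kind"), m.group("body"))
        if e.kind in ("R0", "R1") and " = " in e.body:
            e.host = _host(e.body.split(" = ", 1)[1].strip())
        elif e.kind == "O10" and (lsp := LSP_RE.search(e.body)):
            e.path = lsp.group("path").lower()
        elif e.kind == "O16" and (dpf := DPF_RE.search(e.body)):
            e.host = _host(dpf.group("url"))
        entries.append(e)
    return entries


def lsp_summary(entries: List[Entry]) -> Dict[str, int]:
    """Occurrences per LSP DLL: one DLL listed four times is one installed LSP
    hooked into four Winsock catalog entries, not four separate infections."""
    return dict(Counter(e.path for e in entries if e.kind == "O10" and e.path))


def triage(entries: List[Entry], trusted_hosts: Set[str]) -> List[Finding]:
    """trusted_hosts is a caller-supplied allowlist of start-page and ActiveX
    download hosts (an assumption of this example, not a HijackThis feature)."""
    findings = []
    for dll, n in lsp_summary(entries).items():
        findings.append(Finding("O10", dll, False,
            f"Do not fix with HijackThis: {dll} is hooked into {n} Winsock "
            "catalog entries and removing the entries alone leaves a broken "
            "chain and no network access. Use an LSP-aware removal tool and "
            "keep 'netsh interface ip reset <logfile>' ready (Windows XP)."))
    for e in entries:
        if e.kind in ("R0", "R1") and e.host and e.host not in trusted_hosts:
            findings.append(Finding(e.kind, e.host, True,
                "Start page points at an untrusted host; the fix only rewrites "
                "a registry value and is safe."))
        elif e.kind == "O16" and e.host and e.host not in trusted_hosts:
            findings.append(Finding("O16", e.host, True,
                "ActiveX control downloaded from an unrecognised host; safe to "
                "fix unless you installed it on purpose."))
        elif e.kind == "O17":
            findings.append(Finding("O17", e.body.split(" = ", 1)[-1], False,
                "Confirm these DNS servers belong to your ISP before changing them."))
    return findings


# Constructed sample modelled on the log in this thread; the example.com /
# example.net hosts and the 192.0.2.x DNS addresses are placeholders.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/constructed-path
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.zestyfind.com/
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://update.example.com/update.cab
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://dpf.example.net/installer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4CBE9ACC-382D-4547-9B3A-5E26F49C2086}: NameServer = 192.0.2.1 192.0.2.2
"""

if __name__ == "__main__":
    for f in triage(parse_entries(SAMPLE_LOG), trusted_hosts={"update.example.com"}):
        print(f"{f.kind:<4}{'HJT ok' if f.safe_to_fix_in_hjt else 'HJT NO'}  {f.item}\n      {f.action}")
```

Run against the sample, the script reports one O10 finding for inetadpt.dll marked "HJT NO", both start-page entries and the unrecognised DPF host as safe registry fixes, and the O17 DNS servers as something to verify rather than change. The grouping step is the point: it keeps a helper from reading four O10 lines as four things to remove, and the refusal to mark them fixable is what OSC's and Budfred's advice boils down to.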
