rickiedee

got rid of hackerdefender

16 posts in this topic

I followed the steps in a post to find certain files on my hard drive in safe mode, delete them and delete all entries in my registry and I think I have got rid of the damn trojan once and for all! But certain pages still are directed to outhost.info but show up as "page cannot be displayed" for some reason... so, maybe this HijackThis log can help someone in helping me fix this problem...

 

Logfile of HijackThis v1.97.7

Scan saved at 1:55:47 AM, on 26/05/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe

C:\Program Files\Messenger Plus! 2\MsgPlus.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Zero Knowledge\Freedom\Freedom.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE

C:\Program Files\Common Files\Command Software\dvpapi.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

C:\WINDOWS\system32\cvpss.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Zero Knowledge\Freedom\PrtlAgt.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Soulseek\slsk.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Pat\My Documents\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hkbono.outhost.info/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://hkbono.outhost.info/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://hkbono.outhost.info/sp.php

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hkbono.outhost.info/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hkbono.outhost.info/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://hkbono.outhost.info/sp.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R3 - Default URLSearchHook is missing

O1 - Hosts: 213.159.118.228 collections.inhost.info

O1 - Hosts: 213.159.118.228 collections.inhost2.info

O1 - Hosts: 213.159.118.228 1-se.com

O1 - Hosts: 213.159.118.228 58q.com

O1 - Hosts: 213.159.118.228 aifind.cc

O1 - Hosts: 213.159.118.228 aifind.info

O1 - Hosts: 213.159.118.228 allneedsearch.com

O1 - Hosts: 213.159.118.228 approvedlinks.com

O1 - Hosts: 213.159.118.228 auto.ie.searchforge.com

O1 - Hosts: 213.159.118.228 awebfind.biz

O1 - Hosts: 213.159.118.228 best.royalsearch.net

O1 - Hosts: 213.159.118.228 cracks.am

O1 - Hosts: 213.159.118.228 default-homepage-network.com

O1 - Hosts: 213.159.118.228 find.microgirls.com

O1 - Hosts: 213.159.118.228 find4u.net

O1 - Hosts: 213.159.118.228 freshvideogals.com

O1 - Hosts: 213.159.118.228 i-lookup.com

O1 - Hosts: 213.159.118.228 ie-search.com

O1 - Hosts: 213.159.118.228 in.webcounter.cc

O1 - Hosts: 213.159.118.228 itseasy.us

O1 - Hosts: 213.159.118.228 just.find-itnow.com

O1 - Hosts: 213.159.118.228 link.startmake.com

O1 - Hosts: 213.159.118.228 mysearchnow.com

O1 - Hosts: 213.159.118.228 nativehardcore.com

O1 - Hosts: 213.159.118.228 qwertysearch123.biz

O1 - Hosts: 213.159.118.228 search.ieplugin.com

O1 - Hosts: 213.159.118.228 search.psn.cn

O1 - Hosts: 213.159.118.228 searchbar.findthewebsiteyouneed.com

O1 - Hosts: 213.159.118.228 searchcentrix.com

O1 - Hosts: 213.159.118.228 searchmyrequest.com

O1 - Hosts: 213.159.118.228 super-spider.com

O1 - Hosts: 213.159.118.228 t.rack.cc

O1 - Hosts: 213.159.118.228 teen-biz.com

O1 - Hosts: 213.159.118.228 teenhqpics.com

O1 - Hosts: 213.159.118.228 tits.hardcore4ever.net

O1 - Hosts: 213.159.118.228 webcoolsearch.com

O1 - Hosts: 213.159.118.228 wmmse.com

O1 - Hosts: 213.159.118.228 www.008i.com

O1 - Hosts: 213.159.118.228 www.2fastsearch.net

O1 - Hosts: 213.159.118.228 www.8095.com

O1 - Hosts: 213.159.118.228 www.alfa-search.com

O1 - Hosts: 213.159.118.228 www.boredlife.com

O1 - Hosts: 213.159.118.228 www.couldnotfind.com

O1 - Hosts: 213.159.118.228 www.cracks.am

O1 - Hosts: 213.159.118.228 www.daum.net

O1 - Hosts: 213.159.118.228 www.dreamwiz.com

O1 - Hosts: 213.159.118.228 www.find-itnow.com

O1 - Hosts: 213.159.118.228 www.find-itnow.com

O1 - Hosts: 213.159.118.228 www.find4u.net

O1 - Hosts: 213.159.118.228 www.firstbookmark.com

O1 - Hosts: 213.159.118.228 www.gajai.com

O1 - Hosts: 213.159.118.228 www.hand-book.com

O1 - Hosts: 213.159.118.228 www.hao123.com

O1 - Hosts: 213.159.118.228 www.hotsearchbox.com

O1 - Hosts: 213.159.118.228 www.hotwebsearch.com

O1 - Hosts: 213.159.118.228 www.hugesearch.net

O1 - Hosts: 213.159.118.228 www.iquicksearch.com

O1 - Hosts: 213.159.118.228 www.lookfor.cc

O1 - Hosts: 213.159.118.228 www.maxxxhosters.com

O1 - Hosts: 213.159.118.228 www.naver.com

O1 - Hosts: 213.159.118.228 www.nkvd.us

O1 - Hosts: 213.159.118.228 www.novafuck.com

O1 - Hosts: 213.159.118.228 www.ohcorea.com

O1 - Hosts: 213.159.118.228 www.omega-search.com

O1 - Hosts: 213.159.118.228 www.onet.pl

O1 - Hosts: 213.159.118.228 www.power-search.info

O1 - Hosts: 213.159.118.228 www.rightfinder.net

O1 - Hosts: 213.159.118.228 www.search-1.net

O1 - Hosts: 213.159.118.228 www.search-and-go.com

O1 - Hosts: 213.159.118.228 www.search-dot.com

O1 - Hosts: 213.159.118.228 www.search-space.com

O1 - Hosts: 213.159.118.228 www.searchforge.com

O1 - Hosts: 213.159.118.228 www.searching-the-net.com

O1 - Hosts: 213.159.118.228 www.searchv.com

O1 - Hosts: 213.159.118.228 www.searchxl.com

O1 - Hosts: 213.159.118.228 www.seznam.cz

O1 - Hosts: 213.159.118.228 www.slotch.com

O1 - Hosts: 213.159.118.228 www.spidersearch.com

O1 - Hosts: 213.159.118.228 www.startium.com

O1 - Hosts: 213.159.118.228 www.therealsearch.com

O1 - Hosts: 213.159.118.228 www.ttjj.com

O1 - Hosts: 213.159.118.228 www.viewpornkey.com

O1 - Hosts: 213.159.118.228 www.wazzupnet.com

O1 - Hosts: 213.159.118.228 www.websearch.com

O1 - Hosts: 213.159.118.228 www.windowws.cc

O1 - Hosts: 213.159.118.228 www.xgmm.com

O1 - Hosts: 213.159.118.228 xwebsearch.biz

O1 - Hosts: 213.159.118.228 yourbookmarks.ws

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll

O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll

O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe

O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe

O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\RunServices: [Microsoft32.exe] Microsoft32.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [mywebclilent] C:\Program Files\fadshop.net\MywebClient.exe -minimize

O4 - HKCU\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe

O4 - HKCU\..\Run: [nconn32] C:\WINDOWS\System32\nconn32.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Read By Natural Voice Reader - C:\Program Files\Natural Voice Reader Standard\read.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Natural Reader (HKLM)

O9 - Extra button: ICQ Pro (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: Nocs Bar (HKLM)

O9 - Extra 'Tools' menuitem: Nocs Bar (HKLM)

O9 - Extra button: Yahoo! Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O12 - Plugin for .midi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab

O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.orbitalgrooves.com/nsv/nsvplayx_vp6_mp3.cab

O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_aac.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {E9041F85-3C18-4A7E-A29D-E24F84B79BF1} - http://64.7.220.98/downloads/UGO20.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{288DBB11-69B8-4890-955E-1360C6363963}: NameServer = 206.47.244.111 206.47.244.136

O17 - HKLM\System\CCS\Services\Tcpip\..\{F10F1913-7DF7-4312-A29F-3C6A582E7C91}: Domain = sympatico.ca

O17 - HKLM\System\CCS\Services\Tcpip\..\{F10F1913-7DF7-4312-A29F-3C6A582E7C91}: NameServer = 192.168.2.1

O17 - HKLM\System\CS2\Services\Tcpip\..\{288DBB11-69B8-4890-955E-1360C6363963}: NameServer = 206.47.244.111 206.47.244.136

O19 - User stylesheet: C:\WINDOWS\system32\nqfmqu.72x

 

Thanks a lot.


I had the same problem you do. I managed to get rid of hackerdefender but something was still blocking certain pages saying cannot be displayed. I downloaded Spybot S & D just to see if it would help any and it did. Whatever it was, Spybot zapped it and now everything is back to the way it used to be before I obtained this nasty trojan. Hope it helps you too.


Glad it all worked out rickiedee. Getting rid of hacker defender was the key and I have to thank Winhelp2002 for his fix on this. I have been clean since May 18th thanks to him.


Well, I think I still may have a problem here, my msn ul/dl speeds are still crappy, which went down when I started to have this problem, so here's my new HijackThis log if anyone can tell me what to get rid of...

 

Logfile of HijackThis v1.97.7

Scan saved at 11:29:18 AM, on 27/05/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe

C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe

C:\Program Files\Messenger Plus! 2\MsgPlus.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Zero Knowledge\Freedom\Freedom.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE

C:\Program Files\Common Files\Command Software\dvpapi.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

C:\Program Files\Tiny Personal Firewall\persfw.exe

C:\WINDOWS\system32\cvpss.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Zero Knowledge\Freedom\PrtlAgt.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Documents and Settings\Pat\My Documents\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hkbono.outhost.info/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://hkbono.outhost.info/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://hkbono.outhost.info/sp.php

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hkbono.outhost.info/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hkbono.outhost.info/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://hkbono.outhost.info/sp.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R3 - Default URLSearchHook is missing

O1 - Hosts: 213.159.118.228 collections.inhost.info

O1 - Hosts: 213.159.118.228 collections.inhost2.info

O1 - Hosts: 213.159.118.228 1-se.com

O1 - Hosts: 213.159.118.228 58q.com

O1 - Hosts: 213.159.118.228 aifind.cc

O1 - Hosts: 213.159.118.228 aifind.info

O1 - Hosts: 213.159.118.228 allneedsearch.com

O1 - Hosts: 213.159.118.228 approvedlinks.com

O1 - Hosts: 213.159.118.228 auto.ie.searchforge.com

O1 - Hosts: 213.159.118.228 awebfind.biz

O1 - Hosts: 213.159.118.228 best.royalsearch.net

O1 - Hosts: 213.159.118.228 cracks.am

O1 - Hosts: 213.159.118.228 default-homepage-network.com

O1 - Hosts: 213.159.118.228 find.microgirls.com

O1 - Hosts: 213.159.118.228 find4u.net

O1 - Hosts: 213.159.118.228 freshvideogals.com

O1 - Hosts: 213.159.118.228 i-lookup.com

O1 - Hosts: 213.159.118.228 ie-search.com

O1 - Hosts: 213.159.118.228 in.webcounter.cc

O1 - Hosts: 213.159.118.228 itseasy.us

O1 - Hosts: 213.159.118.228 just.find-itnow.com

O1 - Hosts: 213.159.118.228 link.startmake.com

O1 - Hosts: 213.159.118.228 mysearchnow.com

O1 - Hosts: 213.159.118.228 nativehardcore.com

O1 - Hosts: 213.159.118.228 qwertysearch123.biz

O1 - Hosts: 213.159.118.228 search.ieplugin.com

O1 - Hosts: 213.159.118.228 search.psn.cn

O1 - Hosts: 213.159.118.228 searchbar.findthewebsiteyouneed.com

O1 - Hosts: 213.159.118.228 searchcentrix.com

O1 - Hosts: 213.159.118.228 searchmyrequest.com

O1 - Hosts: 213.159.118.228 super-spider.com

O1 - Hosts: 213.159.118.228 t.rack.cc

O1 - Hosts: 213.159.118.228 teen-biz.com

O1 - Hosts: 213.159.118.228 teenhqpics.com

O1 - Hosts: 213.159.118.228 tits.hardcore4ever.net

O1 - Hosts: 213.159.118.228 webcoolsearch.com

O1 - Hosts: 213.159.118.228 wmmse.com

O1 - Hosts: 213.159.118.228 www.008i.com

O1 - Hosts: 213.159.118.228 www.2fastsearch.net

O1 - Hosts: 213.159.118.228 www.8095.com

O1 - Hosts: 213.159.118.228 www.alfa-search.com

O1 - Hosts: 213.159.118.228 www.boredlife.com

O1 - Hosts: 213.159.118.228 www.couldnotfind.com

O1 - Hosts: 213.159.118.228 www.cracks.am

O1 - Hosts: 213.159.118.228 www.daum.net

O1 - Hosts: 213.159.118.228 www.dreamwiz.com

O1 - Hosts: 213.159.118.228 www.find-itnow.com

O1 - Hosts: 213.159.118.228 www.find-itnow.com

O1 - Hosts: 213.159.118.228 www.find4u.net

O1 - Hosts: 213.159.118.228 www.firstbookmark.com

O1 - Hosts: 213.159.118.228 www.gajai.com

O1 - Hosts: 213.159.118.228 www.hand-book.com

O1 - Hosts: 213.159.118.228 www.hao123.com

O1 - Hosts: 213.159.118.228 www.hotsearchbox.com

O1 - Hosts: 213.159.118.228 www.hotwebsearch.com

O1 - Hosts: 213.159.118.228 www.hugesearch.net

O1 - Hosts: 213.159.118.228 www.iquicksearch.com

O1 - Hosts: 213.159.118.228 www.lookfor.cc

O1 - Hosts: 213.159.118.228 www.maxxxhosters.com

O1 - Hosts: 213.159.118.228 www.naver.com

O1 - Hosts: 213.159.118.228 www.nkvd.us

O1 - Hosts: 213.159.118.228 www.novafuck.com

O1 - Hosts: 213.159.118.228 www.ohcorea.com

O1 - Hosts: 213.159.118.228 www.omega-search.com

O1 - Hosts: 213.159.118.228 www.onet.pl

O1 - Hosts: 213.159.118.228 www.power-search.info

O1 - Hosts: 213.159.118.228 www.rightfinder.net

O1 - Hosts: 213.159.118.228 www.search-1.net

O1 - Hosts: 213.159.118.228 www.search-and-go.com

O1 - Hosts: 213.159.118.228 www.search-dot.com

O1 - Hosts: 213.159.118.228 www.search-space.com

O1 - Hosts: 213.159.118.228 www.searchforge.com

O1 - Hosts: 213.159.118.228 www.searching-the-net.com

O1 - Hosts: 213.159.118.228 www.searchv.com

O1 - Hosts: 213.159.118.228 www.searchxl.com

O1 - Hosts: 213.159.118.228 www.seznam.cz

O1 - Hosts: 213.159.118.228 www.slotch.com

O1 - Hosts: 213.159.118.228 www.spidersearch.com

O1 - Hosts: 213.159.118.228 www.startium.com

O1 - Hosts: 213.159.118.228 www.therealsearch.com

O1 - Hosts: 213.159.118.228 www.ttjj.com

O1 - Hosts: 213.159.118.228 www.viewpornkey.com

O1 - Hosts: 213.159.118.228 www.wazzupnet.com

O1 - Hosts: 213.159.118.228 www.websearch.com

O1 - Hosts: 213.159.118.228 www.windowws.cc

O1 - Hosts: 213.159.118.228 www.xgmm.com

O1 - Hosts: 213.159.118.228 xwebsearch.biz

O1 - Hosts: 213.159.118.228 yourbookmarks.ws

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll

O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll

O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe

O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe

O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\RunServices: [Microsoft32.exe] Microsoft32.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [mywebclilent] C:\Program Files\fadshop.net\MywebClient.exe -minimize

O4 - HKCU\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe

O4 - HKCU\..\Run: [nconn32] C:\WINDOWS\System32\nconn32.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Read By Natural Voice Reader - C:\Program Files\Natural Voice Reader Standard\read.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Natural Reader (HKLM)

O9 - Extra button: ICQ Pro (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: Nocs Bar (HKLM)

O9 - Extra 'Tools' menuitem: Nocs Bar (HKLM)

O9 - Extra button: Yahoo! Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab

O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.orbitalgrooves.com/nsv/nsvplayx_vp6_mp3.cab

O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_aac.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{288DBB11-69B8-4890-955E-1360C6363963}: NameServer = 206.47.244.111 206.47.244.136

O17 - HKLM\System\CCS\Services\Tcpip\..\{F10F1913-7DF7-4312-A29F-3C6A582E7C91}: Domain = sympatico.ca

O17 - HKLM\System\CCS\Services\Tcpip\..\{F10F1913-7DF7-4312-A29F-3C6A582E7C91}: NameServer = 192.168.2.1

O17 - HKLM\System\CS2\Services\Tcpip\..\{288DBB11-69B8-4890-955E-1360C6363963}: NameServer = 206.47.244.111 206.47.244.136


Hi,

Looks like you have "multiple" infections!

 

Well let's attack HACKERDEFENDER first ...

 

Start | Run (type) cmd (click Ok)

From The "Command Prompt" (type)

 

NET STOP HACKERDEFENDER100 (press Enter)

 

Note: (that's) NET<space>STOP<space>HACKERDEFENDER100

 

If successful you should see: (wait 30 sec.)

 

"The service is not responding to the control function."

 

 

See if "winunins.ini" exists and open in Notepad

Paste the contents of "winunins.ini".


When I typed that in it gave me this msg

 

"system error 1060 has occured"

 

"the specified service does not exist as an installed service"

 

And also I could not find winunins.ini anywhere on my hard drive. I guess when I deleted it it was gone for good! But before I looked for winunins.ini when I still was infected hardcore and all it said in the file was:

 

exit

echo off


Here is my winunins.ini:

 

[Hidden Table]

inatjoy.dll

motkrtin.dll

witadr.dll

winunins.exe

winunins.ini

svhost.exe

CWShredder*

HijackThis*

ProceXP*

Spybot*

msconfig*

 

[Root Processes]

svhost.exe

trj4j6js.exe

winunins.exe

 

[Hidden Services]

HackerDefender*

 

[Hidden RegKeys]

HackerDefender100

LEGACY_HACKERDEFENDER100

HackerDefenderDrv100

LEGACY_HACKERDEFENDERDRV100

 

[Hidden RegValues]

 

[startup Run]

C:\WINDOWS\svhost.exe -sr -0

 

[Free Space]

 

[Hidden Ports]

 

[settings]

Password=qweqwe

BackdoorShell=ddd.exe

FileMappingName=_.-=[PokuS]=-._

ServiceName=HackerDefender100

ServiceDisplayName=Windows System Uninstaller

ServiceDescription=Microsoft System Service

DriverName=HackerDefenderDrv100

DriverFileName=hxdefdrv.sys

 

[Comments]

 

What should I do?

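Added example, not part of any post in this thread: a small Python parser for the winunins.ini posted above that turns it into a list of names to look for from a clean boot, and shows which cleanup tools its [Hidden Table] patterns would match. The function names and the tool file names in the demo are assumptions made for illustration, as is treating `*` as a trailing wildcard.

```python
import fnmatch

# winunins.ini as posted above, with the blank lines between entries dropped.
SAMPLE_INI = r"""
[Hidden Table]
inatjoy.dll
motkrtin.dll
witadr.dll
winunins.exe
winunins.ini
svhost.exe
CWShredder*
HijackThis*
ProceXP*
Spybot*
msconfig*

[Root Processes]
svhost.exe
trj4j6js.exe
winunins.exe

[Hidden Services]
HackerDefender*

[Hidden RegKeys]
HackerDefender100
LEGACY_HACKERDEFENDER100
HackerDefenderDrv100
LEGACY_HACKERDEFENDERDRV100

[Hidden RegValues]

[startup Run]
C:\WINDOWS\svhost.exe -sr -0

[Free Space]

[Hidden Ports]

[settings]
Password=qweqwe
BackdoorShell=ddd.exe
FileMappingName=_.-=[PokuS]=-._
ServiceName=HackerDefender100
ServiceDisplayName=Windows System Uninstaller
ServiceDescription=Microsoft System Service
DriverName=HackerDefenderDrv100
DriverFileName=hxdefdrv.sys

[Comments]
"""


def parse_ini(text):
    """Return {lower-cased section name: [non-blank lines]}.

    configparser is not used because most sections are bare lists of names,
    not key=value pairs.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def settings(sections):
    """Split each [settings] line on its first '=' only (values may contain '=')."""
    return dict(ln.split("=", 1) for ln in sections.get("settings", []) if "=" in ln)


def is_hidden(name, sections):
    """True if name matches a [Hidden Table] pattern, ignoring case."""
    return any(fnmatch.fnmatchcase(name.lower(), pat.lower())
               for pat in sections.get("hidden table", []))


def checklist(sections):
    """Names to search for from Safe Mode, a clean boot or an offline mount."""
    s = settings(sections)
    literal = [p for p in sections.get("hidden table", []) if "*" not in p]
    files = set(literal) | set(sections.get("root processes", []))
    files |= {s[k] for k in ("DriverFileName", "BackdoorShell") if k in s}
    return {
        "files": sorted(files, key=str.lower),
        "services": [s[k] for k in ("ServiceName", "DriverName") if k in s],
        "registry_keys": sections.get("hidden regkeys", []),
        "autostart": sections.get("startup run", []),
    }


if __name__ == "__main__":
    sec = parse_ini(SAMPLE_INI)
    # Tool file names below are assumed, chosen to match tools named in the thread.
    for tool in ("HijackThis.exe", "CWShredder.exe", "MSConfig.exe", "regedit.exe"):
        print(f"{tool:16} matches [Hidden Table]: {is_hidden(tool, sec)}")
    for kind, names in checklist(sec).items():
        print(kind, "->", names)
```

The `ServiceName` value recovered here is the same name the `NET STOP` command earlier in the thread targets.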

make your own topic!


rickiedee,

Download CWShredder

http://www.spywareinfo.com/~merijn/files/cwshredder.zip

Unzip but don't run it yet ...

 

1) Restart in Safe Mode (see "How To:" below)

2) Enable Hidden Files (see "How To:" below)

 

Locate and delete the following:

 

C:\WINDOWS\system32\cvpss.exe <--this file

Microsoft32.exe <--this file

 

While still in Safe Mode:

Close all open windows, rescan with HijackThis and "Fix checked" the following:

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hkbono.outhost.info/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://hkbono.outhost.info/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://hkbono.outhost.info/sp.php

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hkbono.outhost.info/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hkbono.outhost.info/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://hkbono.outhost.info/sp.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R3 - Default URLSearchHook is missing

 

O1 - Hosts: 213.159.118.228 <--all these entries

 

O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)

O4 - HKLM\..\RunServices: [Microsoft32.exe] Microsoft32.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

 

Restart normally and then ...

 

Important!

Your system is severely out of date!

Visit Windows Update and install all the "Critical Updates"

http://v4.windowsupdate.microsoft.com/en/default.asp

 

After the above post a fresh log ...

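Added example, not part of any post in this thread: a Python sketch that reads HijackThis log lines and reports two of the patterns fixed in the post above, namely many hostnames pinned to one routable address in the hosts file (O1) and the policy or orphaned-BHO entries (O2, O6, O7). The sample is a handful of lines copied from the logs in this thread; the function names and the `min_names` threshold are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hkbono.outhost.info/
O1 - Hosts: 213.159.118.228 www.naver.com
O1 - Hosts: 213.159.118.228 www.seznam.cz
O1 - Hosts: 213.159.118.228 www.onet.pl
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

# A log entry is a section code (R0, O1, O16, ...) followed by " - " and a body.
ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")


def parse_log(text):
    """Return [(code, body)] for every line shaped like 'O1 - Hosts: ...'."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def hosts_redirects(entries, min_names=3):
    """Map each non-loopback IP to the hostnames the hosts file pins to it.

    Only addresses carrying at least min_names hostnames are returned:
    a single routable address answering for many unrelated sites is the
    pattern removed above with 'O1 - Hosts: ... all these entries'.
    """
    by_ip = defaultdict(set)
    for code, body in entries:
        if code != "O1" or not body.startswith("Hosts:"):
            continue
        parts = body[len("Hosts:"):].split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address: leave for manual review
        if ip.is_loopback or ip.is_unspecified:
            continue  # 127.0.0.1 / 0.0.0.0 entries are ordinary block lists
        by_ip[str(ip)].update(name.lower() for name in parts[1:])
    return {ip: sorted(n) for ip, n in by_ip.items() if len(n) >= min_names}


def other_flags(entries):
    """Return [(code, reason)] for the non-hosts entries fixed in the thread."""
    flagged = []
    for code, body in entries:
        if code == "O2" and body.rstrip().endswith("(no file)"):
            flagged.append((code, "BHO registered but its DLL is missing"))
        elif code == "O6":
            flagged.append((code, "Internet Explorer options locked by policy"))
        elif code == "O7" and "DisableRegedit=1" in body:
            flagged.append((code, "registry editor disabled by policy"))
    return flagged


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for ip, names in hosts_redirects(log).items():
        print(f"hosts file sends {len(names)} names to {ip}: {', '.join(names)}")
    for code, reason in other_flags(log):
        print(f"{code}: {reason}")
```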

I fixed it. I deleted all registry entries which had in their name string "HackerDefender" and deleted all files which were somehow connected with it. Now all works fine!

 

Even if there is some file left, it will do nothing harmful.


Done and done... here's the new log

 

Logfile of HijackThis v1.97.7

Scan saved at 7:03:23 PM, on 27/05/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe

C:\Program Files\Messenger Plus! 2\MsgPlus.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Zero Knowledge\Freedom\Freedom.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE

C:\Program Files\Common Files\Command Software\dvpapi.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

C:\Program Files\Tiny Personal Firewall\persfw.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Zero Knowledge\Freedom\PrtlAgt.exe

C:\Documents and Settings\Pat\My Documents\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll

O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe

O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe

O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [mywebclilent] C:\Program Files\fadshop.net\MywebClient.exe -minimize

O4 - HKCU\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe

O4 - HKCU\..\Run: [nconn32] C:\WINDOWS\System32\nconn32.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Read By Natural Voice Reader - C:\Program Files\Natural Voice Reader Standard\read.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Natural Reader (HKLM)

O9 - Extra button: ICQ Pro (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: Nocs Bar (HKLM)

O9 - Extra 'Tools' menuitem: Nocs Bar (HKLM)

O9 - Extra button: Yahoo! Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab

O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.orbitalgrooves.com/nsv/nsvplayx_vp6_mp3.cab

O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_aac.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{288DBB11-69B8-4890-955E-1360C6363963}: NameServer = 206.47.244.111 206.47.244.136

O17 - HKLM\System\CCS\Services\Tcpip\..\{F10F1913-7DF7-4312-A29F-3C6A582E7C91}: Domain = sympatico.ca

O17 - HKLM\System\CCS\Services\Tcpip\..\{F10F1913-7DF7-4312-A29F-3C6A582E7C91}: NameServer = 192.168.2.1

O17 - HKLM\System\CS2\Services\Tcpip\..\{288DBB11-69B8-4890-955E-1360C6363963}: NameServer = 206.47.244.111 206.47.244.136


Hi,

Is this something you installed? It's highly suspect! (Chinese domain)

 

O4 - HKCU\..\Run: [mywebclilent] C:\Program Files\fadshop.net\MywebClient.exe -minimize

 

If not, remove it ...

 

1) Restart in Safe Mode (see "How To:" below)

2) Enable Hidden Files (see "How To:" below)

 

Locate and delete the following:

 

C:\Program Files\fadshop.net <--this folder

C:\WINDOWS\System32\nconn32.exe <--this file

 

While still in Safe Mode:

Close all open windows, rescan with HijackThis and "Fix checked" the following:

 

O4 - HKCU\..\Run: [mywebclilent] C:\Program Files\fadshop.net\MywebClient.exe -minimize

O4 - HKCU\..\Run: [nconn32] C:\WINDOWS\System32\nconn32.exe

 

Restart normally and revisit Windows Update and finish installing all the Critical Updates. Otherwise your system is wide open to all these new type exploits!

 

After the above, post a fresh log ...

I did what you said and I could not find either file on my hard drive, nor were they anywhere to be found in my HijackThis log! But here's the log after I rebooted into normal mode:

 

Logfile of HijackThis v1.97.7

Scan saved at 11:41:09 PM, on 27/05/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe

C:\Program Files\Messenger Plus! 2\MsgPlus.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Zero Knowledge\Freedom\Freedom.exe

C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE

C:\Program Files\Common Files\Command Software\dvpapi.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

C:\Program Files\Tiny Personal Firewall\persfw.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Pat\My Documents\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll

O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe

O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe

O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [mywebclilent] C:\Program Files\fadshop.net\MywebClient.exe -minimize

O4 - HKCU\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe

O4 - HKCU\..\Run: [nconn32] C:\WINDOWS\System32\nconn32.exe

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Read By Natural Voice Reader - C:\Program Files\Natural Voice Reader Standard\read.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Natural Reader (HKLM)

O9 - Extra button: ICQ Pro (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: Nocs Bar (HKLM)

O9 - Extra 'Tools' menuitem: Nocs Bar (HKLM)

O9 - Extra button: Yahoo! Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab

O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.orbitalgrooves.com/nsv/nsvplayx_vp6_mp3.cab

O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_aac.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{288DBB11-69B8-4890-955E-1360C6363963}: NameServer = 206.47.244.111 206.47.244.136

O17 - HKLM\System\CCS\Services\Tcpip\..\{F10F1913-7DF7-4312-A29F-3C6A582E7C91}: Domain = sympatico.ca

O17 - HKLM\System\CCS\Services\Tcpip\..\{F10F1913-7DF7-4312-A29F-3C6A582E7C91}: NameServer = 192.168.2.1

O17 - HKLM\System\CS2\Services\Tcpip\..\{288DBB11-69B8-4890-955E-1360C6363963}: NameServer = 206.47.244.111 206.47.244.136
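
An added example, not part of the original posts: a small Python check that parses the O4 (autostart) lines of a HijackThis log and reports which entries marked "Fix checked" still appear in a fresh log. The sample lines are copied from the logs in this thread; the function and variable names are illustrative assumptions.

```python
import re

# Constructed sample: O4 lines copied from the second log in this thread.
FRESH_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [mywebclilent] C:\Program Files\fadshop.net\MywebClient.exe -minimize
O4 - HKCU\..\Run: [nconn32] C:\WINDOWS\System32\nconn32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""

# The two entries the helper asked to "Fix checked".
FIXED = [
    r"O4 - HKCU\..\Run: [mywebclilent] C:\Program Files\fadshop.net\MywebClient.exe -minimize",
    r"O4 - HKCU\..\Run: [nconn32] C:\WINDOWS\System32\nconn32.exe",
]

# An O4 line is either a registry Run value ("[name] command")
# or a Startup-folder shortcut ("shortcut.lnk = target").
O4_RE = re.compile(
    r"^O4 - (?P<loc>HK(?:LM|CU)\\\.\.\\Run\w*|(?:Global )?Startup): "
    r"(?:\[(?P<name>[^\]]*)\] (?P<cmd>.+)|(?P<lnk>.+?) = (?P<target>.+))$"
)

def parse_o4(log_text):
    """Return {(location, entry name): command} for every O4 line."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not an autostart line (R0, O2, O16, process list, ...)
        if m.group("name") is not None:
            entries[(m.group("loc"), m.group("name"))] = m.group("cmd")
        else:
            entries[(m.group("loc"), m.group("lnk"))] = m.group("target")
    return entries

def still_present(fresh_log, fixed_lines):
    """Return the fixed lines whose Run entry is unchanged in the fresh log."""
    fresh = parse_o4(fresh_log)
    leftover = []
    for line in fixed_lines:
        for key, cmd in parse_o4(line).items():
            if fresh.get(key) == cmd:
                leftover.append(line)
    return leftover

if __name__ == "__main__":
    for line in still_present(FRESH_LOG, FIXED):
        print("still registered:", line)
```

An entry that survives a fix and a reboot means the Run value was either never removed or was written back, which is worth knowing before moving on to a manual registry search.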


Hi,

i could not find either file on my harddrive

Are you sure you have "Hidden Files Enabled"?

 

Ok, try this:

Bring up the Task Manager (Ctrl-Alt-Del)

Is "nconn32.exe" listed (running)?

 

If so, "End Task" on that entry, then see if you can delete it.

 

Otherwise we'll have to do this the hard way ...

 

Start | Run (type) regedit

Click Edit (up top), select: Find

(enter) fadshop.net, click Find Now

 

For each instance found (if any) click Registry (up top)

Select: Export, enter a filename, (fadshop1) click Save

Next, press F3 to continue searching, repeat the Export steps

Note: for each instance change the filename (fadshop2, fadshop2) etc.

Continue until you see the Finished Searching message.

 

Next do the same for MywebClient.exe

(MywebClient1, MywebClient2) etc.

 

Next do the same for: nconn32.exe

 

Gather up all the found reg files, zip them up and send them to me.

You'll find my email address at my website:

http://www.mvps.org/winhelp2002/index.htm

 

Note: do not post them here! I'll have a look and advise ...