saul

Rid myself of HackerDefender100, outhost

10 posts in this topic

Managed to get rid of HackerDefender100/outhost by following directions from another post. However, the pages that were redirected to outhost now say they can't be displayed. Ran Ad-Aware and it keeps catching this MS security issue in NT Winlogin. Searched in the registry and found a couple of suspicious entries; one is vxdmgr32.exe. Wasn't sure, so I didn't delete anything. Ran CWS; it said I was clean. Ran the free virus scan at TrendMicro and it found various bkdr and troj viruses, 21 to be exact, and I deleted all of those. Restarted and ran HJT; here is the log file.

 

Logfile of HijackThis v1.97.7

Scan saved at 12:52:27 PM, on 5/26/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\vxdmgr32.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\WINDOWS\vcchost.exe

C:\WINDOWS\vhchost.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\WINDOWS\System32\hphmon04.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\WINDOWS\System32\svchosd.exe

C:\Program Files\Washer\washer.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\America Online 8.0\aoltray.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\WINDOWS\system32\cisvc.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\HPHipm11.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Documents and Settings\Kevin\Desktop\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\vxdmgr32.exe

F1 - win.ini: run=C:\WINDOWS\dllreg.exe

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\vxdmgr32.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {5DAFD089-24B1-4c5e-BD42-8CA72550717B} - C:\Program Files\SurfAssistant.com\saiemod.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [Deafult configuration] C:\WINDOWS\vcchost.exe

O4 - HKLM\..\Run: [Default Operation] C:\WINDOWS\vhchost.exe

O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\load32.exe

O4 - HKLM\..\Run: [mswspl] C:\WINDOWS\System32\idctup20.exe

O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\conmgr.exe"

O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe

O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [Configuration Service] C:\WINDOWS\System32\suchost.exe

O4 - HKLM\..\Run: [ZEXPANDL] C:\WINDOWS\System32\ZEXPANDL.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Aplune Service] svchosd.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - HKCU\..\Run: [Windows Deafult Configuration] C:\WINDOWS\svchost.exe

O4 - Startup: rundllw.exe

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Image Transfer.lnk = ?

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: PartyPoker.com (HKLM)

O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKCU)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab

O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -

O19 - User stylesheet: C:\WINDOWS\system32\mklsyt.3wd


Saul

 

There are still lots of viruses and trojans in your log.

 

Go to Task Manager and finish these processes if you see them:

- C:\WINDOWS\System32\vxdmgr32.exe

- C:\WINDOWS\vcchost.exe

- C:\WINDOWS\vhchost.exe

- C:\WINDOWS\svchost.exe <-- the one that runs from C:\Windows, not the one from the System32 folder

(if you are not sure from where it runs, leave it and report to me)

- C:\WINDOWS\system32\cisvc.exe

 

Then download The Cleaner, let it do a scan and fix all it finds.

 

Let Hijack This fix the following lines (if they are still there after the scan):

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;

F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\vxdmgr32.exe

F1 - win.ini: run=C:\WINDOWS\dllreg.exe

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\vxdmgr32.exe

O2 - BHO: (no name) - {5DAFD089-24B1-4c5e-BD42-8CA72550717B} - C:\Program Files\SurfAssistant.com\saiemod.dll

O4 - HKLM\..\Run: [Deafult configuration] C:\WINDOWS\vcchost.exe

O4 - HKLM\..\Run: [Default Operation] C:\WINDOWS\vhchost.exe

O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\load32.exe

O4 - HKLM\..\Run: [mswspl] C:\WINDOWS\System32\idctup20.exe

O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe

O4 - HKLM\..\Run: [Configuration Service] C:\WINDOWS\System32\suchost.exe

O4 - HKLM\..\Run: [Aplune Service] svchosd.exe

O4 - Startup: rundllw.exe

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Image Transfer.lnk = ?

O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML

O9 - Extra button: PartyPoker.com (HKLM)

O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)

O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -

O19 - User stylesheet: C:\WINDOWS\system32\mklsyt.3wd

 

Do this by closing all browser windows, placing a checkmark before the above items and clicking the Fix button.

 

Set Explorer to display hidden files and delete these files:

- C:\WINDOWS\dllreg.exe

- C:\WINDOWS\vcchost.exe

- C:\WINDOWS\vhchost.exe

- C:\WINDOWS\svchost.exe

- C:\WINDOWS\System32\load32.exe

- C:\WINDOWS\System32\idctup20.exe

- svchosd.exe <-- do a search for this one

- rundllw.exe <-- do a search for this one

- C:\WINDOWS\system32\mklsyt.3wd

If some files cannot be deleted because they are in use, delete them in Safe Mode (reboot, hit F8 and choose 'Start in Safe Mode').

Some may already have been deleted by The Cleaner.

 

Reboot and post a fresh log here again.

_______

Wiskonst

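A defender-side triage of HJT log lines of the kind Wiskonst flagged above, as an added example that is not part of this thread or of HijackThis itself. The rules (a set of protected system binary names, a one-character lookalike test, the bare-filename check, the Shell= check) are heuristics chosen for this example, and the sample lines are copied from the log posted above.

```python
"""Triage HijackThis (HJT) log lines for the hijack patterns in this thread.

Added example, not HijackThis code; rules are heuristics, SAMPLE_LOG is constructed.
"""
import re
from typing import Dict, List

# Binaries malware likes to imitate; a genuine copy lives only in System32.
SYSTEM_ONLY = {"svchost.exe", "lsass.exe", "winlogon.exe", "services.exe", "smss.exe"}
SYSTEM32 = re.compile(r"^c:\\windows\\system32\\[^\\]+$", re.IGNORECASE)

def is_lookalike(name: str) -> bool:
    """True when name differs from a protected binary name by exactly one character."""
    name = name.lower()
    return any(len(name) == len(real) and sum(a != b for a, b in zip(name, real)) == 1
               for real in SYSTEM_ONLY)

def image_path(cmd: str) -> str:
    """Return the executable path from a Run value, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)  # unquoted: stop at the first .exe
    return m.group(1) if m else cmd

def triage_line(line: str) -> List[str]:
    """Findings for one HJT line. HIJACK = confident, REVIEW = needs an analyst's eye."""
    findings: List[str] = []
    line = line.strip()
    # F0/F2: Shell= must be exactly explorer.exe; anything appended runs at every logon.
    m = re.match(r"^F[02] - .*Shell=(.*)$", line)
    if m:
        parts = m.group(1).split()
        if [p.lower() for p in parts] != ["explorer.exe"]:
            findings.append(f"HIJACK Shell= loads extra program(s): {parts[1:]}")
    # F1: the win.ini run= autostart is legacy and almost never used by modern software.
    if re.match(r"^F1 - win\.ini: run=", line):
        findings.append("REVIEW legacy win.ini run= autostart")
    # O4: Run keys and Startup folders.
    m = re.match(r"^O4 - .*?: (?:\[[^\]]*\] )?(.*)$", line)
    if m:
        path = image_path(m.group(1))
        name = path.rsplit("\\", 1)[-1].lower()
        if name in SYSTEM_ONLY and not SYSTEM32.match(path):
            findings.append(f"HIJACK {name} running from outside System32: {path}")
        if is_lookalike(name):
            findings.append(f"HIJACK lookalike of a system binary: {name}")
        if "\\" not in path and name.endswith(".exe"):
            findings.append(f"REVIEW bare filename, resolved via PATH at logon: {name}")
    # O19: an IE user stylesheet is rarely set on purpose, so it always merits a look.
    if line.startswith("O19 - "):
        findings.append("REVIEW IE user stylesheet set")
    return findings

def triage_log(text: str) -> Dict[str, List[str]]:
    """Map every HJT line that produced findings to those findings."""
    return {ln.strip(): f for ln in text.splitlines() if (f := triage_line(ln))}

# Constructed sample: lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System32\vxdmgr32.exe
F1 - win.ini: run=C:\WINDOWS\dllreg.exe
O4 - HKLM\..\Run: [Configuration Service] C:\WINDOWS\System32\suchost.exe
O4 - HKLM\..\Run: [Aplune Service] svchosd.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Windows Deafult Configuration] C:\WINDOWS\svchost.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O19 - User stylesheet: C:\WINDOWS\system32\mklsyt.3wd
"""
```

The REVIEW hits include benign entries such as nwiz.exe, which is the point: a bare filename in a Run key is resolved through the search path, so the analyst has to confirm which copy actually runs.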

Wiskonst,

 

I'm not sure what you mean by Task Manager; I've never used that utility before. Is that msconfig? If not, how do you get to it, and by finish I assume you mean delete? Thanks.


Saul

 

When you press Ctrl-Alt-Del (hold down the Ctrl and Alt keys and press the Del key once) you will see a panel with, among other things, a button 'Task Manager'. Click that and you are in Task Manager. Click the middle tab, 'Processes'. You see a list of programs that are actively running on your system at the moment.

 

[Screenshot: saul2504.jpg]

 

Look at the list in my previous post and try to find the programs in the Task Manager list. When you find one, select it (left mouse button click on the name) and then click the button below, 'End process'. Do so for the whole list I gave, with the exception of 'svchost.exe' (with the blue text). Now these programs are still on disk, but not running anymore. This makes removal easier.

Close Task Manager by clicking on the X button in the upper right corner.

 

Start Hijack This, press the Scan button and when the list is ready, place a checkmark in front of all the items I mentioned in my previous post.

Then close all browser windows and click in Hijack This the 'Fix Checked' button.

 

Now the bad files must be deleted on the disk.

Go to Windows Explorer and in the left pane browse to the folder C:\Windows. In the right-hand pane you will see a list of files. Find 'dllreg.exe'. When you see it, select it with the left mouse button (it should become blue) and press the Delete key. When asked if you really want to delete the file, check the filename (dllreg.exe) and if it is the same, confirm the deletion. Do so for the whole list I gave under 'Set Explorer to ...'. If you cannot find a file, leave it.

 

After that, go to Hijack This again and let it make a fresh scan. Post the log here.

_______

Wiskonst


Figured it out after I posted the reply. Followed all directions; however, I was unsure which svchost.exe to delete. Task Manager listed about 5 processes running as svchost.exe, so I left them running and did not delete them. Here is my HJT log after completing the directions. Thanks!

 

Logfile of HijackThis v1.97.7

Scan saved at 11:52:32 AM, on 5/27/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\WINDOWS\System32\hphmon04.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\Program Files\The Cleaner\tca.exe

C:\Program Files\The Cleaner\tcm.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

C:\Program Files\Washer\washer.exe

C:\WINDOWS\System32\RUNDLL32.EXE

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\America Online 8.0\aoltray.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\WINDOWS\system32\cisvc.exe

c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

c:\PROGRA~1\mcafee.com\vso\mcshield.exe

C:\WINDOWS\System32\HPHipm11.exe

C:\Documents and Settings\Kevin\Desktop\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"

O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\conmgr.exe"

O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe

O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [ZEXPANDL] C:\WINDOWS\System32\ZEXPANDL.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe

O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0

O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKLM)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)

O9 - Extra button: Microsoft® JavaScript® Console (HKCU)

O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab

O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab


Saul

 

OK, your log is clean.

To be sure Hacker Defender is gone, did you find the ini file that belongs to it?

Did the Cleaner find anything?

Does Ad-Aware still raise an alarm at NT Winlogin?

 

You had best clean out all temporary folders:

- C:\Windows\Temp

- C:\Windows\Downloaded Program Files

- C:\Documents and Settings\<name>\Local Settings\Temp

 

A general protection against hijackers is a trojan monitor (like TCActive) and the programs SpywareGuard and SpywareBlaster (both free).

TCActive will stop activation of Hacker Defender, provided it is running before the HD service is started.

 

BTW, The Cleaner is shareware; the trial period ends after 30 days.

_______

Wiskonst


Thanks a lot for the help. Yeah, I think I completely rid myself of HackerDefender. I found and deleted all the .ini files related to HD. The Cleaner did find some spyware and worms. All have been cleaned/deleted. Yes, Ad-Aware is still catching something in NT Winlogin. It's been doing it ever since I contracted this trojan.

 

Do I need to do anything about svchost.exe? Like I said, there were 5 running processes with that file name. I didn't know which one to delete.

 

Also, I'm concerned about this process. You instructed me to stop it in Task Manager but not to delete it in HJT. Just leave it?

C:\WINDOWS\system32\cisvc.exe

 

 

Thanks again!


Saul

 

I asked you to stop cisvc.exe for certainty, but it is probably all right.

Submit C:\WINDOWS\system32\cisvc.exe

to a scan by the Kaspersky online virus scan. On the Kaspersky page click Browse and go to cisvc.exe, then click Submit. It may be a legitimate Windows file, but it could also be a keylogger.

 

The bad version of svchost.exe has been taken care of by the fix in HJT and the reboot thereafter. All instances of svchost running now are all right.

 

Is Ad Aware referencing a file or a registry key, if you can see that?

If possible give an Ad Aware log, but after everything else has been fixed in Ad Aware.

_______

Wiskonst


Wiskonst,

 

I really appreciate your instruction; you've helped tremendously. I ran Ad-Aware again and it didn't catch anything on NT Winlogin, so I guess we're OK. I must have been hallucinating when I said it was there after your fix, but it was catching it before. You must have got it.

 

I submitted cisvc.exe to the online virus scan and it was clean, so hopefully I'm disease free. Thanks!

 

Saul


Saul

 

OK, thank you! :)

_______

Wiskonst
