Lucky Cat

homepage hijack, Win Min?

76 posts in this topic

Hello :D I need some help :(

My IE explorer homepage was changed to hpjhzt.outhost.info so I ran Ad-aware and it got rid of all this stuff, then it said it couldn't delete "C:\WINDOWS\system32\dla\tfswshx.dll" until I reboot, so I did, and now when my computer starts up I get 3 errors...

#1

C:\WINDOWS\System32\services\wmplayer.exe

Windows cannot find 'C:\WINDOWS\System32\services\wmplayer.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start Button, and then click Search.

#2

Desktop

Could not load or run 'C:\WINDOWS\System32\services\wmplayer.exe' specified in the registry. Make sure the file exists on your computer or remove the reference to it in the registry.

#3

RUNDLL

Error loading C:\Windows\Downloaded Program Files\bridge.dll

The specified module could not be found.

 

So after the reboot my default homepage is now: dorkodrom.com/index.htm

When I go into Internet Properties my computer seems to load slow. Also I already had CWShredder on my computer before this happened, but now it seems like this "virus" hides those files, so in order to run CWShredder I had to rename it and load it off another computer in my home network. Even after this it tried to close the program...but the program told me it was trying to be closed and it worked after that...although CWShredder seemed to have no effect (this is the newest version, I even tried the update). Also this "virus" doesn't allow you to run HijackThis, so I had to go into safe mode to run HijackThis off another computer in my home network. I tried to save the log file but it wouldn't let me save it on my computer, so I had to save it on my networked computer. Also now when I try to reboot it says a program "Win Min" is not responding, end task. Also I could not find "C:\WINDOWS\system32\dla\tfswshx.dll"... Anyway I hope you can help and thanks for your time...here's my log file:

 

Logfile of HijackThis v1.97.7

Scan saved at 4:38:55 AM, on 17/05/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\conime.exe

\Mobile\c\WINDOWS\Desktop\mnmn.exe

 

F0 - syst>m.ini: Shell=

F0 - R >ystem.ini: Shel>=

F0 - R >ystem.ini: UserInit=


O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART

O4 - HKLM\..\Run: [upgrade Service] C:\WINDOWS\winupd.exe

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load

O4 - HKLM\..\Run: [Network Service] C:\WINDOWS\svhost.exe -sr -1

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

O4 - HKCU\..\Run: [Windows Deafult Configuration] C:\WINDOWS\svchost.exe

O4 - HKCU\..\Run: [iEengine] C:\Program Files\Internet Explorer\IEengine.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: ATI TV (HKLM)

O9 - Extra button: AOL Instant Messenger (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://petite-virgins.biz/dl/ms/x.chm::/load.exe

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8027.6773611111

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O19 - User stylesheet: C:\WINDOWS\system32\uxcbuv.2vh

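A small triage script for the kind of HijackThis log posted above, added here as an example and not part of the thread: it groups O1 hosts-file entries by the address they point to, so one IP capturing many search domains stands out, and flags O4 Run entries whose image carries a System32 binary name but lives outside System32, or is a one-character lookalike of one (svhost.exe next to svchost.exe). The log lines inside it are constructed; only the redirect address is taken from the log.

```python
"""Triage checks for a HijackThis log (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample lines in HijackThis 1.97 format. The redirect address is
# the one from the thread's log; the host names and the Run entries are made up
# or modelled on the log's shape.
SAMPLE_LOG = "\n".join([
    r"O1 - Hosts: 213.159.118.228 search-one.test",
    r"O1 - Hosts: 213.159.118.228 search-two.test",
    r"O1 - Hosts: 213.159.118.228 www.search-three.test",
    r"O1 - Hosts: 127.0.0.1 localhost",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe",
    r"O4 - HKLM\..\Run: [Network Service] C:\WINDOWS\svhost.exe -sr -1",
    r"O4 - HKCU\..\Run: [Windows Deafult Configuration] C:\WINDOWS\svchost.exe",
    r"O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe",
])

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\]\s*(.*)$")

# Binaries that legitimately live only in %SystemRoot%\System32 on XP.
SYSTEM32_BINARIES = {"svchost.exe", "services.exe", "lsass.exe",
                     "winlogon.exe", "smss.exe", "csrss.exe"}


def parse_hosts(log):
    """Map each address in O1 lines to the host names redirected to it."""
    by_ip = defaultdict(list)
    for line in log.splitlines():
        m = HOSTS_RE.match(line)
        if m:
            by_ip[m.group(1)].append(m.group(2))
    return dict(by_ip)


def hosts_redirect_suspects(log, min_domains=3):
    """Addresses other than loopback that capture at least min_domains names."""
    return sorted(ip for ip, names in parse_hosts(log).items()
                  if not ip.startswith("127.") and len(names) >= min_domains)


def image_path(command):
    """Executable path from a Run value, whether quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.search(r"\.exe", command, re.IGNORECASE)
    return command[:m.end()] if m else (command.split() or [""])[0]


def parse_run_entries(log):
    """O4 entries as {hive, name, image}."""
    entries = []
    for line in log.splitlines():
        m = RUN_RE.match(line)
        if m:
            hive, name, command = m.groups()
            entries.append({"hive": hive, "name": name, "image": image_path(command)})
    return entries


def levenshtein(a, b):
    """Edit distance, used to catch one-character lookalike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def run_entry_suspects(entries):
    """Run entries whose image misuses or imitates a System32 binary name."""
    suspects = []
    for entry in entries:
        directory, _, basename = entry["image"].rpartition("\\")
        base = basename.lower()
        if base in SYSTEM32_BINARIES:
            # Same name as a system binary but started from another directory.
            if directory and not directory.lower().endswith("\\system32"):
                suspects.append({**entry, "reason": f"{basename} outside System32"})
            continue
        for legit in sorted(SYSTEM32_BINARIES):
            if levenshtein(base, legit) == 1:
                suspects.append({**entry, "reason": f"{basename} looks like {legit}"})
                break
    return suspects


if __name__ == "__main__":
    for ip in hosts_redirect_suspects(SAMPLE_LOG):
        print("hosts redirect:", ip, "->", parse_hosts(SAMPLE_LOG)[ip])
    for s in run_entry_suspects(parse_run_entries(SAMPLE_LOG)):
        print("suspect Run entry:", s["hive"], s["name"], s["image"], "-", s["reason"])
```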

Hi there. I'm looking at your log right now to see what needs to go.

 

In the meantime, download and install Spybot S&D and Ad-aware (you can find the links here). Don't run them quite yet.

 

Also, do a full virus scan and report back with the names of all viruses found.

 

-- LB

Edited by VashonDude


When I download the install file for Spybot S&D my computer hides it, so I had to put the install file on a computer in my home network and rename the file and then install it...but now that I finally managed to install the program I can't find it :( Anyway here's the results of a 6 hour virus scan:

 

This is what Norton AntiVirus Found:

 

 

This is what was Automatically deleted:

 

 

Source: C:\WINDOWS\hxdefdrv.sys

Description: The file C:\WINDOWS\hxdefdrv.sys is infected with the Backdoor.HackDefender virus.

Click for more information about this threat : Backdoor.HackDefender

 

Source: C:\Program Files\Internet Explorer\yqmnnqcj.exe

Description: The file C:\Program Files\Internet Explorer\yqmnnqcj.exe is infected with the Backdoor.Jeem virus.

Click for more information about this threat : Backdoor.Jeem

 

Source: Parser.class

Description: The compressed file Parser.class within C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderms.jar-5fe028-54003d56.zip is infected with the Trojan.ByteVerify virus.

Click for more information about this threat : Trojan.ByteVerify

 

Source: C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6f603a77-76bd3f4a.zip

Description: The file C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6f603a77-76bd3f4a.zip is infected with the Trojan.ByteVerify virus.

Click for more information about this threat : Trojan.ByteVerify

 

Source: C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-3894448e-38e7f0a0.zip

Description: The file C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-3894448e-38e7f0a0.zip is infected with the Trojan.ByteVerify virus.

Click for more information about this threat : Trojan.ByteVerify

 

Source: VerifierBug.class

Description: The compressed file VerifierBug.class within C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-71002e85-33bd4202.zip is infected with the Trojan.ByteVerify virus.

Click for more information about this threat : Trojan.ByteVerify

 

Source: Counter.class

Description: The compressed file Counter.class within C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-71002e85-33bd4202.zip is infected with the Trojan.ByteVerify virus.

Click for more information about this threat : Trojan.ByteVerify

 

Source: C:\WINDOWS\svhost.exe

Click for more information about this threat : Backdoor.HackDefender

 

 

Delete Failed:

 

 

Source: C:\WINDOWS\Downloaded Program Files\IEengine.exe

Description: The compressed file IEengine.exe within C:\WINDOWS\Downloaded Program Files\IEengine.exe is a Adware threat.

Click for more information about this threat : Adware.MainSearch

 

Source: C:\Program Files\Internet Explorer\IEengine.exe

Description: The compressed file IEengine.exe within C:\Program Files\Internet Explorer\IEengine.exe is a Adware threat.

Click for more information about this threat : Adware.MainSearch

 

Source: C:\Program Files\Internet Explorer\IEengine.exe

Description: The file C:\Program Files\Internet Explorer\IEengine.exe is a Adware threat.

Click for more information about this threat : Adware.MainSearch

 

Source: C:\Documents and Settings\Admin\Local Settings\Temp\THI17C6.tmp\twaintec.dll

Description: The file C:\Documents and Settings\Admin\Local Settings\Temp\THI17C6.tmp\twaintec.dll is a Adware threat.

Click for more information about this threat : Adware.Binet

 

Source: twaintec.dll

Description: The compressed file twaintec.dll within C:\Documents and Settings\Admin\Local Settings\Temp\THI17C6.tmp\twaintec.cab is a Adware threat.

Click for more information about this threat : Adware.Binet

 

Source: C:\Documents and Settings\Admin\Local Settings\Temp\powerscan.exe

Description: The compressed file powerscan.exe within C:\Documents and Settings\Admin\Local Settings\Temp\powerscan.exe is a Adware threat.

Click for more information about this threat : Adware.Istbar

 

Source: C:\Documents and Settings\Admin\Local Settings\Temp\ist_install.exe

Description: The compressed file ist_install.exe within C:\Documents and Settings\Admin\Local Settings\Temp\ist_install.exe is a Adware threat.

Click for more information about this threat : Adware.Istbar

 

 

 

Manually Deleted:

 

 

Source: C:\WINDOWS\Downloaded Program Files\IEengine.exe

Description: The file C:\WINDOWS\Downloaded Program Files\IEengine.exe is a Adware threat.

Click for more information about this threat : Adware.MainSearch

 

Source: C:\Documents and Settings\Admin\Local Settings\Temp\powerscan.exe

Description: The file C:\Documents and Settings\Admin\Local Settings\Temp\powerscan.exe is a Adware threat.

Click for more information about this threat : Adware.Istbar

 

Source: C:\Documents and Settings\Admin\Local Settings\Temp\optimize.exe

Description: The compressed file optimize.exe within C:\Documents and Settings\Admin\Local Settings\Temp\optimize.exe is a Adware threat.

Click for more information about this threat : Adware.NetOptimizer

 

Source: C:\Documents and Settings\Admin\Local Settings\Temp\ist_install.exe

Description: The file C:\Documents and Settings\Admin\Local Settings\Temp\ist_install.exe is a Adware threat.

Click for more information about this threat : Adware.Istbar

 



If you haven't done so already, go to Windows Update and download all necessary critical patches.

 

Go back into HijackThis (in safe mode) and remove the following:

 

F0 - syst>m.ini: Shell=

F0 - R >ystem.ini: Shel>=

F0 - R >ystem.ini: UserInit=

 


 

O4 - HKLM\..\Run: [upgrade Service] C:\WINDOWS\winupd.exe

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load

O4 - HKLM\..\Run: [Network Service] C:\WINDOWS\svhost.exe -sr -1

O4 - HKCU\..\Run: [Windows Deafult Configuration] C:\WINDOWS\svchost.exe

O4 - HKCU\..\Run: [iEengine] C:\Program Files\Internet Explorer\IEengine.exe

 

O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://petite-virgins.biz/dl/ms/x.chm::/load.exe

O19 - User stylesheet: C:\WINDOWS\system32\uxcbuv.2vh

 

Then delete the following files (some may have already been deleted):

 

C:\WINDOWS\winupd.exe

C:\WINDOWS\Downloaded Program Files\bridge.dll

C:\WINDOWS\svhost.exe

C:\Program Files\Internet Explorer\IEengine.exe

C:\WINDOWS\svchost.exe - make sure you don't delete the one in C:\WINDOWS\system32\ (that one is legit)

 

You may have to change settings to show hidden files. Click here to see how to do so.

 

Reboot and post a new log.

 

-- LB

Edited by VashonDude


Okay, rebooted and some things seem fixed and some are still broken. I still get the Windows Media Player error when I start up, but the bridge.dll error is gone. Also it seems like my default homepage is fixed. I still can't see my CWShredder files. Also there's a 17052004.exe file in my Windows folder with an orange X icon that was created when this all happened :( At least things seem to be getting better :) Thanks so far and here's the new log:

 

Logfile of HijackThis v1.97.7

Scan saved at 4:08:14 PM, on 17/05/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Iomega\AutoDisk\ADService.exe

C:\WINDOWS\System32\devldr32.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\atiptaxx.exe

C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\WINDOWS\System32\ctfmon.exe

\Mobile\DESKTOP\mnmn.exe

C:\Program Files\Messenger\msmsgs.exe

 

F0 - syst>m.ini: Shell=

F0 - R >ystem.ini: Shel>=

F0 - R >ystem.ini: UserInit=

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: ATI TV (HKLM)

O9 - Extra button: AOL Instant Messenger (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8027.6773611111

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\System32\mshtml.dll


Looks much better.

 

Next step is to run both Spybot S&D and Ad-Aware (run Ad-Aware first, then Spybot). Make sure to update both before running.

 

After that, reboot and post a new log.

 

-- LB

Edited by VashonDude


Was lucky enough to be able to run Spybot S&D because it gives you the option to run it after installation; it got rid of a few things and now I can't see it anymore. Ran Ad-aware and it got rid of 1 thing. Still get the Windows Media Player error and still can't see CWShredder :( Here's my new log :)

 

Logfile of HijackThis v1.97.7

Scan saved at 5:16:22 PM, on 17/05/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Iomega\AutoDisk\ADService.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\atiptaxx.exe

C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\WINDOWS\System32\devldr32.exe

C:\WINDOWS\System32\ctfmon.exe

\Mobile\desktop\mnmn.exe

C:\Program Files\Messenger\msmsgs.exe

 

F0 - syst>m.ini: Shell=

F0 - R >ystem.ini: Shel>=

F0 - R >ystem.ini: UserInit=

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: ATI TV (HKLM)

O9 - Extra button: AOL Instant Messenger (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8027.6773611111

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


Go back into safe mode and run CWShredder.

 

Also, while in safe mode, find the following file and delete it:

 

17052004.exe

 

Also, go to search files (from the start menu) and find all occurrences of wmplayer.exe and note the directories where it/they reside.

 

-- LB


Ran CWShredder, still doesn't show up. Same with Spybot S&D. Deleted 17052004.exe :) Here's where wmplayer.exe shows up:

 

C:\Program Files\Windows Media Player\wmplayer.exe

C:\Program Files\Windows Media Player\wmplayer.exe.tmp

C:\WINDOWS\Prefetch\WMPLAYER.EXE-18DDEF9C.pf

C:\WINDOWS\RegisteredPackages\{B3C1B200-8F14-4C49-96D3-67425AD59914}\wmplayer.exe

C:\WINDOWS\System32\services\wmplayer.exe

Windows cannot find 'C:\WINDOWS\System32\services\wmplayer.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start Button, and then click Search.

 

Turns out the Windows Media Player here was a fake one put in by CoolWebSearch. Fortunately it's gone. Does that message still show up?

 

The reason why you can't seem to get CWS to work is because you have something called Hacker Defender. It's something that isn't easily fixed (I think a fix is still being worked on). I'll get back to you tomorrow (5/18) once I find what needs to be done next.

 

-- LB


Yes I still get the Windows Media Player error :( Hacker defender? Not easily fixed? :( damn ahh well thanks for your help so far :) I await your response!


Do you have the XP install CD (you may have to boot from the CD in order to fix the problem)?

 

-- LB

Edited by VashonDude

Do you have the XP install CD (you may have to boot from the CD in order to fix the problem)?

 

-- LB

Ahhh, oh my, sounds hardcore :o Yea I do have the CD :)


Here we go.... do the following:

 

Go to Start>run and type: services.msc

 

When the services window opens, go to View and select List from the dropdown menu.

 

Now go to Action>Export List and save it as a text file then print it. This is the services list.

 

Place your Windows installation disk into the CD-ROM drive and reboot.

 

When prompted, press a key to boot from the CD.

 

When the screen with choices comes up, press the r key

 

Choose the c drive by pressing 1 and hitting the enter key.

 

If your administrator account has a password, type it in, otherwise just press enter (this is not the same as the account that you normally log on with; if you don't know if there is a password then there probably isn't one).

 

At the recovery console prompt type the following command: listsvc

 

then press enter. All the services that are set to run on your computer are displayed. Look through that list for services that are not on the list you printed and note their EXACT names.

 

For each service the listsvc command displayed that was not on the list you printed, type the following command.

 

disable servicename

 

where servicename is the one you found

press enter

 

Make sure you do this for each one you found.

 

reboot into safe mode (repeatedly tap <F8> as the computer boots until you see a menu, select safe mode from the menu)

 

After this, try running CWShredder again.

 

Reboot and post a new log.

 

-- LB


Before I continue I wanna make sure on a few things :)

 

Okay I printed services.msc and when I go to the recovery prompt and type listsvc I get a huge list, but the thing is there are A LOT of services listed in the listsvc that are not on the list I printed. Like for example these were not on the list I printed:

 

ACPI - Boot

Microsoft ACPI Driver

 

aec - Manual

Microsoft Kerner Acoustic Echo Canceller

 

AFD - Auto

AFD Networking Support Environment

 

AsyncMac - Manual

RAS Asynchronous Media Driver

 

atapi - Boot

Standard IDE/ESDI Hard Disk Controller

 

ati2mtaa - Manual

 

ATIBTCAP - Auto

ATI TV Wonder Video Capture

 

ATIBTXBAR - Auto

ATI TV Wonder Video Crossbar

 

etc...

Sorry if this is a silly question and is wasting your time, but is it really necessary to disable all this because they did not show up on the list? They seem like they belong there, since I have all that ATI stuff installed. Also on the listsvc list there's a lot of stuff that was not on the list I printed that is already disabled; do I have to disable all of this even though it's already marked as disabled? Also "Automatic Updates" was on the list I printed and not on the listsvc list... again, sorry if these are stupid questions, I just want to make sure I am not fucking up my computer :(

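The comparison the Recovery Console procedure above asks for, written out as an added example (not code from the thread or its helpers): services.msc exports only Win32 services under their display names, while listsvc also lists kernel drivers and uses the short key name, which is why entries like ACPI or the ATI drivers appear only in listsvc and "Automatic Updates" shows up there under its key name. The export, the listsvc transcription and the HackerDefenderDrv100 entry are constructed sample data.

```python
"""Compare a services.msc export with Recovery Console `listsvc` output.

services.msc lists only Win32 services, by display name; listsvc also prints
kernel drivers and uses the short key name, with the display name on the next
line. So names are matched on display name, and entries listsvc already shows
as Disabled are skipped. All sample input below is constructed.
"""
import re

# Constructed "Export List" file from services.msc (tab-separated, as saved).
EXPORTED = "\n".join([
    "Name\tDescription\tStatus\tStartup Type\tLog On As",
    "Automatic Updates\tDownloads updates\tStarted\tAutomatic\tLocal System",
    "Print Spooler\tQueues print jobs\tStarted\tAutomatic\tLocal System",
    "Telnet\tRemote logon\t\tDisabled\tLocal System",
])

# Constructed listsvc transcription in the layout the thread uses; the last
# entry reuses the rootkit service name the thread mentions as a placeholder.
LISTSVC = """
ACPI - Boot
Microsoft ACPI Driver

wuauserv - Auto
Automatic Updates

Spooler - Auto
Print Spooler

TlntSvr - Disabled
Telnet

ati2mtaa - Manual

HackerDefenderDrv100 - Auto
"""

HEADER = re.compile(r"^(\S+) - (Boot|System|Auto|Manual|Disabled)$")


def parse_exported(text):
    """Set of display names from the export's 'Name' column."""
    rows = [ln for ln in text.splitlines() if ln.strip()]
    name_col = rows[0].split("\t").index("Name")
    return {row.split("\t")[name_col].strip() for row in rows[1:]}


def parse_listsvc(text):
    """List of {key, start, display} dicts; display may be empty."""
    entries, current = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        match = HEADER.match(line)
        if match:
            current = {"key": match.group(1), "start": match.group(2), "display": ""}
            entries.append(current)
        elif line and current is not None and not current["display"]:
            current["display"] = line  # first line after the header = display name
    return entries


def unexpected_services(exported_text, listsvc_text):
    """Keys listsvc shows as enabled that the export never had. Hardware drivers
    (ACPI, ATI ...) land here too, so this is the list to check by hand."""
    known = parse_exported(exported_text)
    return [e["key"] for e in parse_listsvc(listsvc_text)
            if e["start"] != "Disabled" and e["display"] not in known]
```

What remains is the short list to verify against a clean XP machine before typing `disable` for any of it; a boot-start driver such as ACPI is in that list only because services.msc never shows drivers.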

The experts are still working on a fix for this wretched thing.

 

In the meantime, download the following programs. They prevent much of the crapware from getting into your computer in the first place. They're all free.

 

Spyware Blaster

IE-Spyad

MVPS Hosts

 

-- LB


Still no fix... crap :( so many days w/o my comp <_< Anyway, I'll install those, and thanks for not forgetting about me VashonDude :) I await your response :D


Still no definite fix yet.

 

Someone else may take over for me on the fix I had you try earlier (the one where you weren't sure if it was necessary to shut down some files, but I couldn't give you an answer).

 

-- LB


bump? :( Has a solution been found yet? -_-

While I've been waiting I've been trying other spyware programs. I ran Webroot Spy Sweeper and it seems to have gotten rid of a lot of spyware that Ad-Aware had missed. It fixed the Windows Media Player error I told you about, so I don't get that error every time I start up my computer anymore. So now when I scan with Ad-Aware and Spy Sweeper they both don't find anything. The only problems that I have left are that I still seem to have Backdoor.HackDefender. I did a virus scan after I ran Spy Sweeper and it found no virus, but after I reboot it seems like Backdoor.HackDefender is still there. It was found in C:\windows\hxdefdrv.sys and Norton AntiVirus detected and removed it... but I am sure it will be there again when I reboot... Also CWShredder and Spybot Search and Destroy are STILL hidden :( So yeah, those are the only 2 problems left. -_-

 

Anyone have a solution yet? >.<

 

I've been reading up and I see solutions listed on these pages:

 

http://www.spywareinfoforum.com/index.php?showtopic=647

http://www.spywareinfoforum.com/index.php?showtopic=505

http://www.aumha.org/a/parasite.php

 

Also this solution seems promising:

http://securityresponse.symantec.com/avcen...ckdefender.html

 

Do these situations apply to me? Will they work if I do them? Are they safe to try? Anyone want to guide me through these solutions? Please help me ^__^

Edited by Lucky Cat


Maybe... but it says the HackDefender Disabler tool temporarily disables HackDefender only until the next reboot... so no real help there -_- What's listed in those threads and the Symantec webpage seems like the best bet...


Is it just the one computer on the network that got hit? I may end up having you reformat. From what I can tell, a fix is still being worked on.

 

As to why it's taking so long to create a fix, I don't know. This thing seems to be extremely sneaky.

 

-- LB

Is it just the one computer on the network that got hit? I may end up having you reformat. From what I can tell, a fix is still being worked on.

 

As to why it's taking so long to create a fix, I don't know. This thing seems to be extremely sneaky.

 

-- LB

Yeah, just one. Ahh man, reformat?! Crap, I was hoping that would be a last resort measure -_- Are you sure those solutions I listed don't relate to my situation at all? :(


Very strange Lucky Cat. I am completely cured since May 18th and I had similar problems as you. My computer has worked perfectly since.

 

I had Hacker Defender, Svhost, Outpost.info, casino palazzio infestation & multiple 01 hosts. Spybot, Cwshredder and Hijackthis vanished from my desktop and harddrive plus I couldn't access most antispyware sites. I couldn't even access many forums on this site and had to use an unaffected computer to communicate with the experts here. These 2 topics may help and I know you have noted them.

 

http://www.spywareinfoforum.com/index.php?showtopic=647

 

http://www.spywareinfoforum.com/index.php?showtopic=505

 

I followed Winhelp's instructions exactly. 3 items I couldn't find with search were found later in the registry. Getting rid of hackerdefender through my registry deletions was tricky and seems to be the key, as it is all over the place under different names.

 

I had to do multiple searches using Regedit as each time I would find references to HackerDefender. I first searched under HackerDefenderDrv100 and deleted all, then searched for HackerDefender and finally I even typed in hacker and found 2 more references. After this I deleted all the hidden files as mentioned by Winhelp.

 

I fixed the two Svhost entries and all 01 entries prior to doing this on Hijackthis. All was done in safe mode.

 

I think the key is doing multiple searches of the registry using Regedit and following Winhelp's instructions. I started a new registry search each time I did a search and did everything over 3 times to ensure I never missed anything.

 

Run Hijackthis again and if shown delete Svhost and all the 01 references (I had over 90 of them).

 

My situation may be different than yours. Get an expert to guide you before taking this on, as I don't want any shit for posting this. Good luck.

 

These guys fixed my computer to perfection. You will hopefully not have to format.

Edited by duke9106

Very strange Lucky Cat. I am completely cured since May 18th and I had similar problems as you. My computer has worked perfectly since.

 

I had Hacker Defender, Svhost, Outpost.info infestation & multiple 01 hosts. Spybot, Cwshredder and Hijackthis vanished from my desktop and harddrive plus I couldn't access most antispyware sites. I couldn't even access many forums on this site and had to use an unaffected computer to communicate with the experts here. These 2 topics may help and I know you have noted them.

 

http://www.spywareinfoforum.com/index.php?showtopic=647

 

http://www.spywareinfoforum.com/index.php?showtopic=505

 

I followed Winhelp's instructions exactly. 3 items I couldn't find with search were found later in the registry. Getting rid of hackerdefender through my registry deletions was tricky and seems to be the key, as it is all over the place under different names.

 

I had to do multiple searches using Regedit as each time I would find references to HackerDefender. I first searched under HackerDefenderDrv100 and deleted all, then searched for HackerDefender and finally I even typed in hacker and found 2 more references. After this I deleted all the hidden files as mentioned by Winhelp.

 

I fixed the two Svhost entries and all 01 entries prior to doing this on Hijackthis. All was done in safe mode.

 

I think the key is doing multiple searches of the registry using Regedit and following Winhelp's instructions. I started a new registry search each time I did a search and did everything over 3 times to ensure I never missed anything.

 

Run Hijackthis again and if shown delete Svhost and all the 01 references (I had over 90 of them).

 

My situation may be different than yours. Get an expert to guide you before taking this on, as I don't want any shit for posting this. Good luck.

 

These guys fixed my computer to perfection. You will hopefully not have to format.

Thanks a lot for this help duke9106, I really appreciate it ;) This seems very promising, and I was considering trying those solutions anyway since the only other option was formatting (eww). Now all I need is an expert to guide me through this and hopefully I'll be fine ^__^


Okay, thanks to duke9106 my computer seems to be HackerDefender free ^___^ Thanks A LOT duke9106, those solutions and what you said worked like a charm; Spybot S&D and CWShredder are NO LONGER hidden ^__^.

 

Now there's only a few problems left, which I hope are easy to get rid of... First of all, when I was searching for the files in the HackerDefender fix I found a few things that were created at the EXACT same time as the ones I deleted to get rid of HackerDefender, aka files that were created when I got infected. These were some that caught my eye...

 

jkiwqxok.exe, which was found in the C:\Program Files\Internet Explorer folder... I deleted it since it seemed out of place and was created at the exact time I got infected... seemed like a logical thing to do... I don't know what this file did.

 

Also I found mstaskss.exe, which was in the C:\Windows folder.... I saw mention of this file in this thread:

http://www.spywareinfoforum.com/index.php?sh...191&hl=mstaskss

So I deleted it also...

 

Also I found 2 other files that seemed out of place, but I am not sure what they do so I left them alone for now... they were created a few minutes after I got infected... the files are:

 

mstasks1.exe AND mstasks2.exe... these files were found in the C:\Windows\System32 folder.... I don't know if they are supposed to be there or not, so I left them alone.....

 

Also there may be other files that were created the day I got infected that I might have missed.... is there any way to check?

 

Also a new problem is that every time I run Spybot S&D it keeps on finding a DSO Exploit... I get rid of it, but it keeps on coming back even after I reboot, or even if I don't reboot after I get rid of it, it comes back... here's what Spybot S&D found...

 

 

DSO Exploit: Data source object exploit (Registry change, nothing done)

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

 

DSO Exploit: Data source object exploit (Registry change, nothing done)

HKEY_USERS\S-1-5-21-1229272821-920026266-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

 

DSO Exploit: Data source object exploit (Registry change, nothing done)

HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

 

DSO Exploit: Data source object exploit (Registry change, nothing done)

HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

 

DSO Exploit: Data source object exploit (Registry change, nothing done)

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

 

 

--- Spybot - Search && Destroy version: 1.3 ---

2004-05-12 Includes\Cookies.sbi

2004-05-12 Includes\Dialer.sbi

2004-05-12 Includes\Hijackers.sbi

2004-05-12 Includes\Keyloggers.sbi

2004-05-12 Includes\LSP.sbi

2004-05-12 Includes\Malware.sbi

2004-05-12 Includes\Revision.sbi

2004-05-12 Includes\Security.sbi

2004-05-12 Includes\Spybots.sbi

2004-05-12 Includes\Tracks.uti

2004-05-12 Includes\Trojans.sbi

 

 

Is there any way to fix that?????? Also here's my latest HijackThis log...

 

 

Logfile of HijackThis v1.97.7

Scan saved at 3:16:54 AM, on 29/05/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Iomega\AutoDisk\ADService.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\WINDOWS\System32\atiptaxx.exe

C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\System32\devldr32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\HijackThis\HijackThis.exe

 

F0 - syst>m.ini: Shell=

F0 - R >ystem.ini: Shel>=

F0 - R >ystem.ini: UserInit=

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: ATI TV (HKLM)

O9 - Extra button: AOL Instant Messenger (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8027.6773611111

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

 

Think you can help me with this problem VashonDude ^___^

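The "is there any way to check?" question above, answered with an added example that is not part of the thread: a sweep that lists every file whose timestamp falls within an hour of a given moment, oldest first, run here against a constructed sample tree that reuses file names from this thread (the infection time and all timestamps are made up).

```python
"""Find files created or modified close to a known infection time.

The thread's search was done by hand in Explorer; this walks a tree and keeps
every file whose timestamp lies within `window` of `when`, oldest first. Run it
only after the rootkit is gone (or from a clean boot): a running rootkit hides
its files from exactly this kind of directory walk. Sample tree is constructed.
"""
import os
import tempfile
from datetime import datetime, timedelta


def files_changed_near(root, when, window=timedelta(hours=1), use_ctime=False):
    """(relative path, timestamp) pairs whose mtime, or on Windows with
    use_ctime=True the creation time, is within `window` of `when`."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # locked or vanished mid-walk: skip, don't abort the sweep
            stamp = datetime.fromtimestamp(st.st_ctime if use_ctime else st.st_mtime)
            if abs(stamp - when) <= window:
                hits.append((os.path.relpath(path, root).replace(os.sep, "/"), stamp))
    hits.sort(key=lambda hit: hit[1])
    return hits


def build_demo_tree(root, infected):
    """Constructed sample tree: file names from the thread, made-up timestamps."""
    sample = {
        "Program Files/Internet Explorer/jkiwqxok.exe": infected,
        "Windows/mstaskss.exe": infected + timedelta(seconds=40),
        "Windows/System32/mstasks1.exe": infected + timedelta(minutes=3),
        "Windows/System32/drivers/etc/hosts": infected + timedelta(hours=10),
        "Program Files/Winamp/winamp.ini": infected - timedelta(days=30),
    }
    for rel, stamp in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample\n")
        os.utime(path, (stamp.timestamp(), stamp.timestamp()))


def demo():
    """Paths from the sample tree that fall within an hour of the infection."""
    infected = datetime(2004, 5, 12, 22, 15)  # constructed infection time
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root, infected)
        return [path for path, _stamp in files_changed_near(root, infected)]


if __name__ == "__main__":
    for path in demo():
        print(path)
```

The hosts file written ten hours later and the month-old winamp.ini fall outside the window, which is the same judgement the thread makes by hand; widen `window` to catch the later batch.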

mstasks1.exe and mstasks2.exe came from viruses. Run a full virus scan.

 

I'm checking to see what needs to be done about the recurring DSO exploit and what still needs to be deleted.

 

I'm glad to hear that Hacker Defender appears to be dead.

 

-- LB

mstasks1.exe and mstasks2.exe came from viruses. Run a full virus scan.

 

I'm checking to see what needs to be done about the recurring DSO exploit and what still needs to be deleted.

 

I'm glad to hear that Hacker Defender appears to be dead.

 

-- LB

I ran a full virus scan and got 0 results for infections. Since mstasks1.exe and mstasks2.exe came from viruses, can I delete them? Regarding the DSO exploit, don't worry about it; it can't be helped and it doesn't matter as long as you're fully patched. Info on it here:

http://www.spywareinfoforum.com/index.php?showtopic=1728&hl=

Since the virus scan comes back clean, along with Ad-Aware, Spybot S&D and CWShredder, I seem to be generally clean... there are only a few things left to do, like: should I delete mstasks1.exe and mstasks2.exe?

 

After doing a search of all files that were modified on the day I was infected, I've taken note of files that were put on my computer the moment I was infected or soon after... here they are:

 

C:\install.cab

C:\install.htm

 

C:\Windows\didduid.ini

C:\Windows\dl.html

 

C:\Windows\hosts

 

C:\Windows\sasing.ini

 

C:\Windows\test

 

C:\Windows\winamp.ini

C:\Windows\wininit.ini

 

C:\Program Files\Winamp\winamp.ini

C:\Program Files\Winamp\winamp.m3u

C:\Program Files\Winamp\wmplayer.exe.tmp

 

C:\Windows\CSC (A hidden folder that was modified an hour later... probably not related, but just covering my bases ^_^)

 

C:\Windows\inf\drvindex.pnf (Modified at the exact time I was infected, and there are other files in that folder that were modified about an hour later... looks like a normal folder, I am just covering bases again ^_^)

 

C:\Windows\system32\ggdfg.txt

 

C:\Windows\system32\drivers\etc\hosts (was created 10 hours after I was infected so it's probably okay, but I just want to make sure)

 

And those are all the files I found from that day that SEEM suspicious... some of them I REALLY want to delete because I know they were a result of a virus... but I THINK that some of these files are leftovers from anti-spyware programs... like for example, remember that Windows Media Player error I was telling you about in the beginning? Even though Spy Sweeper got rid of that error, those files are still left over.... maybe they are harmless alone.... who knows?? But yeah, please tell me which of those files are normal, which are not, and which ones I can delete?! Thanks a lot, and anyone else feel free to comment like duke9106 did! Again, thanks ^___^


Go ahead and delete mstasks1.exe and mstasks2.exe.

 

As for the other files, I'm trying to find out if they're legit or not.

 

-- LB

Go ahead and delete mstasks1.exe and mstasks2.exe.

 

As for the other files, I'm trying to find out if they're legit or not.

 

-- LB

Okay will do, thanks :alarm:

:hmmm: Okay what can I delete next?

I'm fairly certain you can delete this one:

 

C:\Program Files\Winamp\wmplayer.exe.tmp - probably is related to a virus.

 

C:\Windows\CSC is legit.

 

The F0 items in the HijackThis log can go.

 

As for the other files, I'm not certain. Google searches either come up blank or inconclusive (i.e. I can't tell if the file in question is legit or not).

 

-- LB


k thanks VashonDude, will delete!! Hmm, maybe a way of telling what's legit or not is to see if these files are found on a clean computer running XP Pro?! Or asking the experts? And thanks morcheeba, I'll try that out.


2 weeks + :weep: but the end seems near :unsure:

 

Unsure files left:

 

C:\install.cab

C:\install.htm

 

C:\Windows\didduid.ini

C:\Windows\dl.html

 

C:\Windows\hosts

 

C:\Windows\sasing.ini

 

C:\Windows\test

 

C:\Windows\winamp.ini

C:\Windows\wininit.ini

 

C:\Program Files\Winamp\winamp.ini

C:\Program Files\Winamp\winamp.m3u

 

C:\Windows\inf\drvindex.pnf

 

C:\Windows\system32\ggdfg.txt

 

C:\Windows\system32\drivers\etc\hosts

Edited by Lucky Cat


I've deleted mstasks1.exe, mstasks2.exe and wmplayer.exe.tmp, no problem. But now I have a new problem... I can't delete:

 

F0 - syst>m.ini: Shell=

F0 - R >ystem.ini: Shel>=

F0 - R >ystem.ini: UserInit=

Every time I click "Fix checked" and run HijackThis again it reappears. Are these items dangerous?

 

Also, have you found out if those other files are legit or not??

 

Crap, every time I think I am getting ahead I am not, starting to go crazy again :(

 

 

Seems like others are having the "F0 - syst>m.ini: Shell=" problem:

 

http://www.spywareinfoforum.com/index.php?sh...st=0entry2264

http://www.webuser.co.uk/cgi-bin/forums/sh...sb=5&o=93∂=

Edited by Lucky Cat

I've deleted mstasks1.exe, mstasks2.exe and wmplayer.exe.tmp, no problem. But now I have a new problem... I can't delete:

 

F0 - syst>m.ini: Shell=

F0 - R >ystem.ini: Shel>=

F0 - R >ystem.ini: UserInit=

Every time I click "Fix checked" and run HijackThis again it reappears. Are these items dangerous?

From what I've read, F0 items are always bad, but I was looking at a post that seems to say that they may be legit.

 

These 3 files:

 

C:\Program Files\Winamp\winamp.ini

C:\Program Files\Winamp\winamp.m3u

C:\Windows\winamp.ini

 

go with Winamp (a media file player). Do you have this program on your computer? If so, was it installed around the time this problem began?

 

Could you make copies of the following files and place them in a ZIP file:

 

C:\install.cab

C:\install.htm

C:\Windows\didduid.ini

C:\Windows\dl.html

C:\Windows\hosts

C:\Windows\sasing.ini

C:\Windows\test

C:\Windows\inf\drvindex.pnf

C:\Windows\system32\ggdfg.txt

C:\Windows\system32\drivers\etc\hosts

 

and send them to the following address: walk_wait AT msn.com (replace the AT with @). I'd like to have a look at these files.

 

-- LB
