• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
lisadamc

Help! My hijackthis log

6 posts in this topic

Logfile of HijackThis v1.97.7

Scan saved at 3:51:35 AM, on 5/31/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\SYSTEM32\rundll32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\System32\cisvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Common files\WinTools\WToolsS.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\PhoneTools\CapFax.EXE

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\Program Files\Yahoo!\Messenger\ypager.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\WINDOWS\System32\cidaemon.exe

C:\Program Files\Common files\WinTools\WToolsA.exe

C:\Program Files\Common files\WinTools\WSup.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\taskmgr.exe

C:\WINDOWS\system32\notepad.exe

C:\Documents and Settings\Lisa Crigger\Local Settings\Temporary Internet Files\Content.IE5\7LU381I7\HijackThis[1].exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50038

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchexe.com/passthrough/index.htm...p://about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pregnancy.org/pregnancycalendar/month_page.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O1 - Hosts: <html><head>

O1 - Hosts: <title>404 not found</title>

O1 - Hosts: </head><body>

O1 - Hosts: <h1>not found</h1>

O1 - Hosts: the requested url /data/bhwin.txt was not found on this server.<p>

O1 - Hosts: <p>additionally, a 404 not found

O1 - Hosts: error was encountered while trying to use an errordocument to handle the request.

O1 - Hosts: <hr>

O1 - Hosts: <address>apache/1.3.27 server at www.clickonteens.com port 80</address>

O1 - Hosts: </body></html>

O1 - Hosts: www.<!doctype html public "-//ietf//dtd html 2.0//en">

O1 - Hosts: <html><head>

O1 - Hosts: <title>404 not found</title>

O1 - Hosts: </head><body>

O1 - Hosts: <h1>not found</h1>

O1 - Hosts: the requested url /data/bhwin.txt was not found on this server.<p>

O1 - Hosts: <p>additionally, a 404 not found

O1 - Hosts: error was encountered while trying to use an errordocument to handle the request.

O1 - Hosts: <hr>

O1 - Hosts: <address>apache/1.3.27 server at www.clickonteens.com port 80</address>

O1 - Hosts: </body></html>

O1 - Hosts: ftp.<!doctype html public "-//ietf//dtd html 2.0//en">

O1 - Hosts: <html><head>

O1 - Hosts: <title>404 not found</title>

O1 - Hosts: </head><body>

O1 - Hosts: <h1>not found</h1>

O1 - Hosts: the requested url /data/bhwin.txt was not found on this server.<p>

O1 - Hosts: <p>additionally, a 404 not found

O1 - Hosts: error was encountered while trying to use an errordocument to handle the request.

O1 - Hosts: <hr>

O1 - Hosts: <address>apache/1.3.27 server at www.clickonteens.com port 80</address>

O1 - Hosts: </body></html>

O1 - Hosts: update.<!doctype html public "-//ietf//dtd html 2.0//en">

O1 - Hosts: <html><head>

O1 - Hosts: <title>404 not found</title>

O1 - Hosts: </head><body>

O1 - Hosts: <h1>not found</h1>

O1 - Hosts: the requested url /data/bhwin.txt was not found on this server.<p>

O1 - Hosts: <p>additionally, a 404 not found

O1 - Hosts: error was encountered while trying to use an errordocument to handle the request.

O1 - Hosts: <hr>

O1 - Hosts: <address>apache/1.3.27 server at www.clickonteens.com port 80</address>

O1 - Hosts: </body></html>

O1 - Hosts: support.<!doctype html public "-//ietf//dtd html 2.0//en">

O1 - Hosts: <html><head>

O1 - Hosts: <title>404 not found</title>

O1 - Hosts: </head><body>

O1 - Hosts: <h1>not found</h1>

O1 - Hosts: the requested url /data/bhwin.txt was not found on this server.<p>

O1 - Hosts: <p>additionally, a 404 not found

O1 - Hosts: error was encountered while trying to use an errordocument to handle the request.

O1 - Hosts: <hr>

O1 - Hosts: <address>apache/1.3.27 server at www.clickonteens.com port 80</address>

O1 - Hosts: </body></html>

O1 - Hosts: <hr>

O1 - Hosts: <address>apache/1.3.27 server at www.clickonteens.com port 80</address>

O1 - Hosts: </body></html>

O1 - Hosts: 207.36.196.189 ieautosearch

O1 - Hosts: 207.36.196.189 auto.search.msn.com

O1 - Hosts: 207.36.196.189 search.netscape.com

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE

O4 - HKLM\..\Run: [EasyMessage] C:\Program Files\APNI.NET MESSENGER\em2.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\Run: [eanth_system_patcher] C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe /Startup

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [bat hold] C:\PROGRA~1\AXISDO~1\extrabagssoft.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [internet Washer Pro] C:\Program Files\Internet Washer Pro\iw.exe min

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: hp psc 1000 series.lnk = ?

O4 - Global Startup: hpoddt01.exe.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: MoneySide (HKLM)

O9 - Extra button: Yahoo! Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5...b?1083886724812

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.8.cab

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab

O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywarelabs.com/DistID/2501...r2501031120.EXE

O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll

O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab

O16 - DPF: {86698251-D2C0-4D0F-A3E4-95CEF12F9F18} - http://64.156.188.99/iwasher/internetwasherpro.cab

O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4019/ftp...23/cpbrkpie.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7660.8832291667

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB

O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...lls/install.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by8fd.bay8.hotmail.msn.com/activex/HMAtchmt.ocx

Share this post


Link to post
Share on other sites

Go to Add/remove programs;find:

"Window Search" And "WinTools" and remove (uninstall) them.

You will be given a security code to insert, do so

 

Open task manager (alt+ctrl+del) click the processes tab. Highlight

extrabagssoft.exe

Then click the end process button

Close task manager.

 

Move Hijackthis out of the temp directory (extract from zip)into a permanent folder. Example:

c:\program files\hijackthis\hijackthis.exe

 

This will allow backups to be made and saved By hijackthis in case something goes wrong.

 

Place a check next to the following entries, then close all open windows except hijackthis and click fix.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50038

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchexe.com/passthrough/index.htm...p://about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

 

All the O1 - Hosts: entries

 

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup

O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\Run: [eanth_system_patcher] C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe /Startup

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [bat hold] C:\PROGRA~1\AXISDO~1\extrabagssoft.exe

O4 - HKCU\..\Run: [internet Washer Pro] C:\Program Files\Internet Washer Pro\iw.exe min

O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.8.cab

O16 - DPF: {41F31718-2B9D-4F76-85E2-DD11BBA99F8D} - http://install.spywarelabs.com/DistID/2501...r2501031120.EXE

O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx

O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50038/QDow_AS2.cab

Then reboot into safe mode and delete these files.

C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE

C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe

 

And these folder.

C:\PROGRA~1\COMMON~1\WinTools

C:\Program Files\Common Files\slmss

C:\Program Files\TV Media

C:\PROGRA~1\AXISDO~1

C:\Program Files\Internet Washer Pro

 

You may have to enable hidden files to find all the files.

 

Then reboot into normal mode.

Download VX2 finder.

http://tools.zerosrealm.com/VX2Finder.exe

 

Open VX2 finder

Click the find vx2 button

click the make log button.

 

Post the vx2 finder log along with another hijackthis log.

Share this post


Link to post
Share on other sites

Here are my new logs

 

Log for VX2.BetterInternet File Finder

 

Files Found---

C:\WINDOWS\System32\2ddsrch.dll

C:\WINDOWS\System32\2edsrch.dll

C:\WINDOWS\System32\2hdsrch.dll

C:\WINDOWS\System32\2jdsrch.dll

C:\WINDOWS\System32\2kdsrch.dll

C:\WINDOWS\System32\2ldsrch.dll

C:\WINDOWS\System32\2ndsrch.dll

C:\WINDOWS\System32\2odsrch.dll

C:\WINDOWS\System32\2udsrch.dll

C:\WINDOWS\System32\2wdsrch.dll

C:\WINDOWS\System32\2ydsrch.dll

C:\WINDOWS\System32\6bo4svc.dll

C:\WINDOWS\System32\6jo4svc.dll

C:\WINDOWS\System32\6ko4svc.dll

C:\WINDOWS\System32\6mo4svc.dll

C:\WINDOWS\System32\6no4svc.dll

C:\WINDOWS\System32\6so4svc.dll

C:\WINDOWS\System32\ablui.dll

 

 

Guardian Key--- is called: GuardianTGTYW

Asynchronous 000

DllName C:\WINDOWS\system32\2wdsrch.dll

Impersonate 000

Logon WinLogon

Logoff WinLogoff

Version 124

ID {FE328E87-6F39-4BC7-AC23-E8AF66D9EEA3}

IDex DS3

 

User Agent String---

{FE328E87-6F39-4BC7-AC23-E8AF66D9EEA3}

 

 

Logfile of HijackThis v1.97.7

Scan saved at 1:50:22 AM, on 6/1/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\System32\cisvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\SYSTEM32\rundll32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\PhoneTools\CapFax.EXE

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\WINDOWS\System32\msiexec.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\WINDOWS\System32\cidaemon.exe

C:\Program Files\Yahoo!\Messenger\ypager.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\Notepad.exe

C:\Documents and Settings\Lisa Crigger\My Documents\internet\ANTIVIRUS\HijackThis.exe

Share this post


Link to post
Share on other sites

The first thing I need you to do is download and install adaware. Check to make sure you have the current updates.

 

http://www.computercops.biz/downloads-file-292.html

 

Open the VX2 finder program again.

Click "Click To find Find VX2.Abetterinternet" button.

Select all the files found.

Click the 'Delete These Files' button

 

The program will delete all files but one that will be deleted on reboot.

Allow program to reboot.

 

Once Restarted:

Click 'Guardian.reg'.

Click 'User Agent'.

Click 'Restore Policy'.

 

You need to answer yes to the popups following each of these.

 

Close VX2 finder.

Open adaware.

Now do the following:

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:

check: "Unload recognized processes during scanning."

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:

Check: "Let Windows remove files in use after reboot."

Press "Scan Now"

- Check option "Use Custom scanning options"

- Check option "Activate In-Depth Scan"

- Press "Select drives\folders to scan"

- Select the active partition which is usually C:

Now press "Next" to let Ad-aware scan your drives...

It will find a number of "bad" files and registry keys.

Right-click in that pane and choose "select all"

Now press "Next" again.

It will ask you whether you'd like to remove all checked items. Click OK.

 

Then post your new VX2 finder log and another hijackthis log. Make sure you post your entire hijackthis log.

Share this post


Link to post
Share on other sites

I just wanted to thank you for helping me get this far!!!

 

Log for VX2.BetterInternet File Finder

 

Files Found---

 

 

Guardian Key--- is called: GuardianKARIR

Asynchronous 000

DllName C:\WINDOWS\system32\2wdsrch.dll

Impersonate 000

Logon WinLogon

Logoff WinLogoff

Version 124

ID {FE328E87-6F39-4BC7-AC23-E8AF66D9EEA3}

IDex DS3

 

User Agent String---

{FE328E87-6F39-4BC7-AC23-E8AF66D9EEA3}

 

 

Logfile of HijackThis v1.97.7

Scan saved at 4:10:39 PM, on 6/1/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\System32\cisvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\PhoneTools\CapFax.EXE

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\WINDOWS\System32\ZoneLabs\vsmon.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\cidaemon.exe

C:\Program Files\Yahoo!\Messenger\ypager.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Lisa Crigger\My Documents\internet\ANTIVIRUS\HijackThis.exe

C:\WINDOWS\System32\Notepad.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pregnancy.org/pregnancycalendar/month_page.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaul...rch/search.html

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

O1 - Hosts: 207.36.196.189 auto.search.msn.com

O1 - Hosts: 207.36.196.189 search.netscape.com

O1 - Hosts: 207.36.196.189 ieautosearch

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE

O4 - HKLM\..\Run: [EasyMessage] C:\Program Files\APNI.NET MESSENGER\em2.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [eanth_critical_update_alert] C:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: hp psc 1000 series.lnk = ?

O4 - Global Startup: hpoddt01.exe.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: MoneySide (HKLM)

O9 - Extra button: Yahoo! Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5...b?1083886724812

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab

O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4019/ftp...23/cpbrkpie.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7660.8832291667

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB

O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls.../20/SassCln.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by8fd.bay8.hotmail.msn.com/activex/HMAtchmt.ocx

Share this post


Link to post
Share on other sites

Sorry I was out of town for a couple days and couldn't get back to your reply.

 

Post new VX2 finder and hijackthis logs, so I can see if anything has changed since your last log.

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0