
Please don't let the bastards grind me down...HELP


22 replies to this topic

#1 Slav
    Member
  • Full Member
  • 22 posts

Posted 01 June 2004 - 10:28 PM

Symptoms: my start page changes, typing is slow as well as scrolling the pages, internet is slow, the paste/copy function is slow, downloading pages takes forever, pop-ups... Ironically (or is it?), most of the pop-ups are the spyware removal commercials :-)
Ad-aware 6.0 has been run several times but the same problems occur.
Help will be really appreciated.



Logfile of HijackThis v1.97.7
Scan saved at 05:17:34, on 2004-06-02
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Ahead\InCD\InCDsrv.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program\NORTON~1\navapw32.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program\Winamp\Winampa.exe
C:\Program\Ahead\NEROTO~1\DRIVES~1.EXE
C:\Program\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\Atiptaxx.exe
C:\Program\ICQLite\ICQLite.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\Microsoft Office\Office\OSA.EXE
C:\Program\NORTON~1\navw32.exe
C:\Program\Lavasoft\AD-AWA~1\Ad-aware.exe
C:\Program\Internet Explorer\iexplore.exe
C:\WINDOWS\REGEDIT.exe
C:\Documents and Settings\BLOBB\Lokala inställningar\Temp\Temporär katalog 2 för hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex....aid=spage&qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.....php?said=spage
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.....php?said=spage
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex....aid=spage&qq=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.myexexex....aid=spage&qq=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.....php?said=spage
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.....php?said=spage
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\Program\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [WinampAgent] "C:\Program\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Nero DriveSpeed] C:\Program\Ahead\NEROTO~1\DRIVES~1.EXE
O4 - HKLM\..\Run: [InCD] C:\Program\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TimeUp] C:\Program\TimeUp\TimeUp.exe /T
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [mswspl] C:\Program\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\Program\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: GStartup.lnk = C:\Program\Delade filer\GMT\GMT.exe
O4 - Global Startup: Office-autostart.lnk = C:\Program\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: ICQ 4.0 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O13 - DefaultPrefix: http://www.myexexex....p?said=pfxp&qq=
O13 - WWW Prefix: http://www.myexexex....p?said=pfxp&qq=
O13 - Home Prefix: http://www.myexexex....p?said=pfxp&qq=
O13 - Mosaic Prefix: http://www.myexexex....p?said=pfxp&qq=
O13 - FTP Prefix: http://www.myexexex....p?said=pfxp&qq=
O13 - Gopher Prefix: http://www.myexexex....p?said=pfxp&qq=
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7880.3338310185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O19 - User stylesheet: C:\WINDOWS\win32.bmp

Edited by Slav, 02 June 2004 - 11:14 AM.


#2 RubbeR DuckY
    Marcin
  • Developer
  • 878 posts

Posted 01 June 2004 - 10:34 PM

Let's start with CoolWebSearch. Remove it by downloading CWShredder at www.spywareinfo.com/~merijn/files/CWShredder.exe. Save it to your desktop. Double click it and hit Fix. Let it run and hit Exit. Then restart your computer and post a new log :)
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation


#3 Slav
    Member
  • Full Member
  • 22 posts

Posted 01 June 2004 - 11:20 PM

I have done that and the message was "not infected/not present".
Maybe I should say that the start page has changed into C:\spad now. I still do have my Internet Options functioning under Tools though (but that doesn't help to change the page, of course).

new log:

Logfile of HijackThis v1.97.7
Scan saved at 06:19:32, on 2004-06-02
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Ahead\InCD\InCDsrv.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program\NORTON~1\navapw32.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program\Winamp\Winampa.exe
C:\Program\Ahead\NEROTO~1\DRIVES~1.EXE
C:\Program\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\Atiptaxx.exe
C:\Program\ICQLite\ICQLite.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\Microsoft Office\Office\OSA.EXE
C:\Program\Internet Explorer\iexplore.exe
C:\Documents and Settings\BLOBB\Lokala inställningar\Temp\Temporär katalog 3 för hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex....aid=spage&qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.....php?said=spage
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.....php?said=spage
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex....aid=spage&qq=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.myexexex....aid=spage&qq=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.....php?said=spage
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.....php?said=spage
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\Program\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [WinampAgent] "C:\Program\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Nero DriveSpeed] C:\Program\Ahead\NEROTO~1\DRIVES~1.EXE
O4 - HKLM\..\Run: [InCD] C:\Program\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TimeUp] C:\Program\TimeUp\TimeUp.exe /T
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [mswspl] C:\Program\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: GStartup.lnk = C:\Program\Delade filer\GMT\GMT.exe
O4 - Global Startup: Office-autostart.lnk = C:\Program\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: ICQ 4.0 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O13 - DefaultPrefix: http://www.myexexex....p?said=pfxp&qq=
O13 - WWW Prefix: http://www.myexexex....p?said=pfxp&qq=
O13 - Home Prefix: http://www.myexexex....p?said=pfxp&qq=
O13 - Mosaic Prefix: http://www.myexexex....p?said=pfxp&qq=
O13 - FTP Prefix: http://www.myexexex....p?said=pfxp&qq=
O13 - Gopher Prefix: http://www.myexexex....p?said=pfxp&qq=
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7880.3338310185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O19 - User stylesheet: C:\WINDOWS\win32.bmp

Edited by Slav, 01 June 2004 - 11:22 PM.


#4 Slav
    Member
  • Full Member
  • 22 posts

Posted 02 June 2004 - 12:45 AM

please help me somebody, I need my computer back...

Edited by Slav, 02 June 2004 - 08:30 AM.


#5 Slav
    Member
  • Full Member
  • 22 posts

Posted 02 June 2004 - 08:33 AM

OK. now I know: it's not "Please", it's BUMP :p

Edited by Slav, 02 June 2004 - 08:57 AM.


#6 Slav
    Member
  • Full Member
  • 22 posts

Posted 02 June 2004 - 10:50 AM

BUMP

#7 Slav
    Member
  • Full Member
  • 22 posts

Posted 02 June 2004 - 01:24 PM

I couldn't do what you asked me for because now it can't find Notepad! What to do?

#8 PGPhantom
    Superman of SWI
  • Emeritus
  • 3,494 posts

Posted 02 June 2004 - 01:40 PM

One thing at a time ...

Copy the contents of the quote box to notepad.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B}]
[-HKEY_CLASSES_ROOT\CLSID\{BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B}]
[-HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]

Select "File" => "Save As" and give it the name clear.reg. Under the filename change save as type to all files and save it to the desktop. Close notepad. Double click the clear.reg file and when asked to merge say yes. Reboot.
Delete the following:
  • C:\documents and settings\(username)\LOCAL Settings\Temp <= Delete all the contents but not the folder itself.
  • C:\WINDOWS\System32\c_10230.dll
  • c:\spad <= Delete this folder
Then load up hijackthis and fix these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex....aid=spage&qq=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.....php?said=spage
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.....php?said=spage
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myexexex....aid=spage&qq=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/spad/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.myexexex....aid=spage&qq=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.myexexex.....php?said=spage
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myexexex.....php?said=spage

Please post a new hijackthis log when done.

#9 PGPhantom
    Superman of SWI
  • Emeritus
  • 3,494 posts

Posted 02 June 2004 - 01:41 PM

I forgot to add first step ...
Please create a new directory C:\HJT and move the HijackThis.exe file into that directory and only run it from there. That way we can ensure that we have the backup files available in the event that they are needed.

#10 Slav
    Member
  • Full Member
  • 22 posts

Posted 02 June 2004 - 01:44 PM

My computer can't find NotePad.exe! What do I do then? Would WordPad do? Does it matter? Sorry, don't know much about all those things....

Edited by Slav, 02 June 2004 - 01:52 PM.


#11 Slav
    Member
  • Full Member
  • 22 posts

Posted 02 June 2004 - 01:48 PM

I've done the first step though... What do I do next? How do I go about Notepad?

#12 shadowwar
    Forum Deity
  • Global Moderator
  • 1,361 posts

Posted 02 June 2004 - 02:13 PM

OK, check c:\windows for notepad.exe.

It should be there, about 65kb.
Check c:\windows\system32 for notepad;
you should find it missing.

Copy the one from windows over to system32 so it's in both.



#13 Daemon
    Security Expert
  • Emeritus
  • 3,350 posts

Posted 02 June 2004 - 02:13 PM

Please surf to http://www.billsway.com/vbspage/ and scroll down to Registry Search Tool. Download, unzip and run RegSrch.vbs

Copy and paste this in the dialog box: changes_homepage.dll

After a while a prompt will come up. Click OK to write the results to wordpad and post them.

#14 Slav
    Member
  • Full Member
  • 22 posts

Posted 02 June 2004 - 03:04 PM

OK, fixed with Notepad, sorry, just me being stupid probably...
Here comes the 8th option (my IE extensions) that shadowwar asked me for before:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2222A5CF-2611-40C6-9CC3-AF0BE9001E91}]
"clsid"="{2222A5CF-2611-40C6-9CC3-AF0BE9001E91}"
"BandCLSID"="{7629CFA4-3FE5-101B-A3C9-08002B2F49FB}"
"ButtonText"="Microsoft® JavaScript® Console"
"Default Visible"="No"
"HotIcon"="@shdoclc.dll,36"
"MenuStatusBar"="@shdoclc.dll,-865"
"MenuText"="JavaScript Console"
"ToolTip"="Opens JavaScript Console"
"ImageFilename"="shdocvw.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}]
"clsid"="{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{869EE607-5376-486d-8DAC-EDC8E239AD5F}]
"clsid"="{869EE607-5376-486d-8DAC-EDC8E239AD5F}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B863453A-26C3-4e1f-A54D-A2CD196348E9}]
@=""
"ButtonText"="ICQ 4.0"
"MenuText"="ICQ Lite"
"Default Visible"="YES"
"Exec"="C:\\Program\\ICQLite\\ICQLite.exe"
"Icon"="C:\\Program\\ICQLite\\ICQLite.exe,1040"
"HotIcon"="C:\\Program\\ICQLite\\ICQLite.exe,1040"
"clsid"="{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"

#15 Slav
    Member
  • Full Member
  • 22 posts

Posted 02 June 2004 - 03:44 PM

The RegSrch wouldn't run. I get a message from Windows Script Host:
line: 8
letter: 12
error: amount is not supported (or the object has been deleted)
Code: 80040111,
or something like that (since I don't get the message in English I had to translate it) :-)
What do I do next?
Should I follow PGPhantom's advice and do what he wrote above?

#16 shadowwar
    Forum Deity
  • Global Moderator
  • 1,361 posts

Posted 02 June 2004 - 04:09 PM

Please do what PGPhantom suggested, and also Daemon.



#17 Slav
    Member
  • Full Member
  • 22 posts

Posted 02 June 2004 - 04:27 PM

It seems to be working right now, and I'm overly happy.
In that case, thank you all guys so much for your help and patience; you are doing a great job and it's really appreciated (although I do hope I wouldn't have to come back here :D )

Here's the new log; is there anything else there that should be cleaned up?

Logfile of HijackThis v1.97.7
Scan saved at 23:21:10, on 2004-06-02
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Ahead\InCD\InCDsrv.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program\NORTON~1\navapw32.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program\Winamp\Winampa.exe
C:\Program\Ahead\NEROTO~1\DRIVES~1.EXE
C:\Program\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\Atiptaxx.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\Microsoft Office\Office\OSA.EXE
C:\Program\Internet Explorer\iexplore.exe
C:\Documents and Settings\BLOBB\Lokala inställningar\Temp\Temporär katalog 1 för hijackthis.zip\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\Program\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [WinampAgent] "C:\Program\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Nero DriveSpeed] C:\Program\Ahead\NEROTO~1\DRIVES~1.EXE
O4 - HKLM\..\Run: [InCD] C:\Program\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TimeUp] C:\Program\TimeUp\TimeUp.exe /T
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [mswspl] C:\Program\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: GStartup.lnk = C:\Program\Delade filer\GMT\GMT.exe
O4 - Global Startup: Office-autostart.lnk = C:\Program\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: ICQ 4.0 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7880.3338310185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O19 - User stylesheet: C:\WINDOWS\win32.bmp

Thank you.

#18 shadowwar
    Forum Deity
  • Global Moderator
  • 1,361 posts

Posted 02 June 2004 - 04:32 PM

Yeah you have a bunch more stuff. Please stay away from questionable sites till we get you all cleaned up and get some protections in place.


Please close all windows and Internet Explorer windows. Check-mark the following items only in HijackThis.
F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [mswspl] C:\Program\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
O4 - Global Startup: GStartup.lnk = C:\Program\Delade filer\GMT\GMT.exe
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O19 - User stylesheet: C:\WINDOWS\win32.bmp



Click the fix button. Close hijackthis.

Reboot and show hidden files and folders per the link in my signature.
Please delete the following files or folders.

Files:
C:\WINDOWS\win32.bmp
c:\windows\win.exe
C:\WINDOWS\System32\services\wmplayer.exe
C:\Program\Windows Media Player\wmplayer.exe
Folders:




You are going to have to reinstall Media Player 9 as it's infected.

Run a new log and post it here
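Added example, not a tool from any post in this thread: a small Python triage pass over HijackThis v1.97 log lines that flags the kinds of entries PGPhantom (#8) and shadowwar (#18) told Slav to fix. The rules encode only what the thread shows (file:// start pages and the myexexex search hijack, a win.ini run= autostart, autoruns sitting directly in the Windows folder or in the P2P Networking/GMT paths, a rewritten O13 prefix, O16 DPF entries loaded from file:// or with no source, and an O19 user stylesheet); the sample lines are copied from the logs posted above with URLs left truncated as the forum displays them, and the function names are my own.

```python
import re
from typing import List, Optional, Tuple

# Sample input: entry lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/spad/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myexexex.com/searchbar.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - Global Startup: GStartup.lnk = C:\Program\Delade filer\GMT\GMT.exe
O13 - DefaultPrefix: http://www.myexexex....p?said=pfxp&qq=
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\windows\win.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
O19 - User stylesheet: C:\WINDOWS\win32.bmp
"""

# Section prefix HijackThis puts in front of every finding (R0, R1, F1, O4, O16, ...).
ENTRY_RE = re.compile(r"^(R[01]|F[01]|O\d{1,2})\s*-\s*(.*)$")

# Autorun path fragments the helpers in this thread identified as unwanted
# (the bundled "P2P Networking" adware and the GMT.exe global-startup item).
BAD_AUTORUN_FRAGMENTS = ("\\p2p networking\\", "\\gmt\\gmt.exe")

# A clean O13 prefix is only a scheme, optionally followed by "www."; anything
# longer (host, path, query string) turns every typed address into a redirect.
DEFAULT_PREFIX_RE = re.compile(r"^(https?|ftp|gopher)://(www\.)?$", re.I)

# An executable sitting directly in the Windows folder (C:\WINDOWS\win32.exe here)
# rather than in a program's own directory.
WINDOWS_ROOT_EXE_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe\b")


def _autorun_target(body: str) -> str:
    """Pull the launched path out of an O4 body: '[name] path' or 'x.lnk = path'."""
    m = re.search(r"\[[^\]]*\]\s*(.*)$", body)
    target = m.group(1) if m else body.split("=", 1)[-1]
    return target.strip().strip('"').lower()


def triage_line(line: str) -> Optional[str]:
    """Return a reason if the line matches a rule drawn from this thread, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # header, process list, blank line
    section, body = m.group(1), m.group(2)
    lowered = body.lower()
    if section in ("R0", "R1"):
        if "file://" in lowered or "myexexex" in lowered:
            return "start/search page points at a local file or the hijacker domain"
    elif section == "F1":
        if lowered.startswith("win.ini: run=") and lowered.split("run=", 1)[1].strip():
            return "legacy win.ini run= autostart"
    elif section == "O4":
        target = _autorun_target(body)
        if WINDOWS_ROOT_EXE_RE.match(target):
            return "autorun executable placed directly in the Windows folder"
        if any(frag in target for frag in BAD_AUTORUN_FRAGMENTS):
            return "autorun target named as unwanted in this thread"
    elif section == "O13":
        _, _, value = body.partition(": ")
        if not DEFAULT_PREFIX_RE.match(value.strip()):
            return "URL prefix rewritten to a redirect"
    elif section == "O16":
        url = body.rsplit(" - ", 1)[1].strip() if " - " in body else ""
        if url.lower().startswith("file://"):
            return "ActiveX (DPF) entry loading from a local file"
        if not url:
            return "ActiveX (DPF) entry with no source URL"
    elif section == "O19":
        return "user stylesheet override set"
    return None


def triage_log(text: str) -> List[Tuple[str, str]]:
    """Run triage_line over a whole log; returns (line, reason) pairs for flagged entries."""
    hits = []
    for raw in text.splitlines():
        reason = triage_line(raw)
        if reason:
            hits.append((raw.strip(), reason))
    return hits


if __name__ == "__main__":
    for entry, reason in triage_log(SAMPLE_LOG):
        print(f"{reason}: {entry}")
```

Entries the rules do not know about (the O9 JavaScript Console buttons shadowwar fixes later, the mswspl wmplayer.exe copy) are left alone; the pass is a first cut to shorten the list a human reads, not a replacement for the helpers' judgement.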



#19 PGPhantom
    Superman of SWI
  • Emeritus
  • 3,494 posts

Posted 02 June 2004 - 04:38 PM

Just a comment - You did not move HijackThis into a new directory c:\HJT. It is always suggested just in case we need to restore any deleted entries.

#20 Slav
    Member
  • Full Member
  • 22 posts

Posted 03 June 2004 - 01:57 AM

I can't delete C:\Program\Windows Media Player\wmplayer.exe; it keeps coming back in 5-6 seconds. The folder contains some "migrate" program of 764 kb, should it be there?
My start page now changes into some martfinder or something and then to blank.
Also some palazzo situation + this X shortcut on the desktop that someone else has mentioned.

#21 Slav
    Member
  • Full Member
  • 22 posts

Posted 03 June 2004 - 02:00 AM

By the way, what am I being warned for? (Warn: (0%)) Just curious...
New log:

Logfile of HijackThis v1.97.7
Scan saved at 08:59:04, on 2004-06-03
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Ahead\InCD\InCDsrv.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program\NORTON~1\navapw32.exe
C:\Program\Winamp\Winampa.exe
C:\Program\Ahead\NEROTO~1\DRIVES~1.EXE
C:\Program\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\Atiptaxx.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\Microsoft Office\Office\OSA.EXE
C:\Program\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\Program\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Nero DriveSpeed] C:\Program\Ahead\NEROTO~1\DRIVES~1.EXE
O4 - HKLM\..\Run: [InCD] C:\Program\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TimeUp] C:\Program\TimeUp\TimeUp.exe /T
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Office-autostart.lnk = C:\Program\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: ICQ 4.0 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7880.3338310185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab

#22 shadowwar
    Forum Deity
  • Global Moderator
  • 1,361 posts

Posted 03 June 2004 - 07:26 AM

By the way, only you can see the warn indicator unless you are actually warned for posting an offensive post. 0 means you are not warned.

OK, right click the wmplayer.exe and make sure its properties show it is by Microsoft. Windows File Protection may be putting it back.

Please close all Internet Explorer windows first.

Check and fix these entries:



O9 - Extra button: Microsoft® JavaScript® Console (HKLM)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKLM)
O9 - Extra button: Microsoft® JavaScript® Console (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console (HKCU)

After checked and fixed, reboot.

Then go into Tools > Internet Options.
Go to the Temporary Internet Files section and click the Delete Files button.

Post a new log when done.

Also go to Add or Remove Programs and uninstall P2P Networking. It's unneeded.



#23 Slav
    Member
  • Full Member
  • 22 posts

Posted 03 June 2004 - 03:49 PM

Everything seems to be working just fine right now.
The pallazzo cazino and the purple X icon didn't show up during the last 24 hours.

Once again many thanks to all who helped and especially to you, Shadowwar.

Here is the last log:

Logfile of HijackThis v1.97.7
Scan saved at 22:46:19, on 2004-06-03
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Ahead\InCD\InCDsrv.exe
C:\Program\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program\NORTON~1\navapw32.exe
C:\Program\Winamp\Winampa.exe
C:\Program\Ahead\NEROTO~1\DRIVES~1.EXE
C:\Program\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\Atiptaxx.exe
C:\Program\QuickTime\qttask.exe
C:\Program\ICQLite\ICQLite.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\Microsoft Office\Office\OSA.EXE
C:\Program\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\Program\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Nero DriveSpeed] C:\Program\Ahead\NEROTO~1\DRIVES~1.EXE
O4 - HKLM\..\Run: [InCD] C:\Program\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [TimeUp] C:\Program\TimeUp\TimeUp.exe /T
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ICQ Lite] C:\Program\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Office-autostart.lnk = C:\Program\Microsoft Office\Office\OSA.EXE
O9 - Extra button: ICQ 4.0 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7880.3338310185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab



