Taking over browser-tried to fix-help plz



#1 tripod

Posted 02 June 2004 - 10:54 AM

Here's my log. Thx, hopefully won't have to wipe disk

Logfile of HijackThis v1.97.7
Scan saved at 7:33:55 PM, on 6/1/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\sysocm.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\WINDOWS\System32\devldr32.exe
C:\temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://69.50.191.139/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://69.50.191.139/search.php
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [VnCplUpdate] "C:\Program Files\Common Files\MSDM\msdm.exe"
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 pomp

Posted 02 June 2004 - 11:13 AM

Hello

Please right click desktop, new-folder. Name it hijackthis, then put the program inside that folder.

Have HijackThis fix the following with no browser windows open:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://69.50.191.139/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://69.50.191.139/search.php
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe

Reboot the computer.

Delete the following:
C:\WINDOWS\System32\winupd.exe

Empty recycling bin.

Then in IE, copy and paste this line into the address bar and show me what it gives you:

javascript:navigator.userAgent

Then also post a log along with that. Thanks

PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD

#3 tripod

Posted 02 June 2004 - 06:19 PM

Okay, this is what it said in the address bar:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Please let me know if this means anything as I was thinking of loading Mozilla and not deal with IE and all the related probs.

Here's my new log and please let me know what you think...no errors reported from ad-aware!!!!
But I see that the command for winupd is back even though the file has been deleted off my hard drive? And YES you will receive a donation...best damn service around guys!

Logfile of HijackThis v1.97.7
Scan saved at 5:49:44 PM, on 6/2/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\sysocm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\Documents and Settings\mofo\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [VnCplUpdate] "C:\Program Files\Common Files\MSDM\msdm.exe"
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Edited by tripod, 02 June 2004 - 06:21 PM.


#4 pomp

Posted 02 June 2004 - 06:45 PM

hey

That line I wanted you to copy and paste is clean. I was just checking if L2M was there, but it's not!

Just have HijackThis fix this; it's a leftover:

O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe


Reboot your computer.

Please go to this link, http://v4.windowsupd.../en/default.asp, and download all updates possible, since your system is not patched at all.

Then post a new log.


#5 tripod

Posted 02 June 2004 - 07:08 PM

lol, it won't go away. I remove it, and retry HijackThis to confirm it's gone, and it is. I did a search on the hard drive...the file is indeed gone. But when I reboot, that line in HijackThis is back. Is there a command line somewhere in the registry that needs to be deleted?

#6 pomp

Posted 03 June 2004 - 02:38 PM

Hey. Let's try this.

Run this free online virus scan, http://www.trendmicr.../enterprise.htm, and see what it finds; delete anything it finds. And just see if winupd.exe comes up. It's part of a mass mailing worm. When you're all done deleting whatever it finds, right-click My Computer, Properties, System Restore, check the box to disable it, Apply, OK. Restart your computer. When back, go back to the same place and uncheck the box, Apply, OK. Then post a new HijackThis log so we can check it out.
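As an added illustration (not code from this thread or from HijackThis), here is a small Python parser for the R0/R1 and O4 lines of the two logs posted above: it flags IE search values whose URL points at a bare IP address, as the four R1 lines in the first log do, and diffs the Run entries between the two logs, which is the check that shows [winupd] still present after it was fixed and the machine rebooted. The embedded log excerpts are constructed from the logs posted in this thread.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed excerpts (R0/R1 and O4 lines only) of the two logs posted in this thread.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.191.139/search.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
"""
LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe
"""
# R0/R1 lines: an IE registry value and its URL.  O4 lines: a Run-key autostart entry.
R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<url>.+)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

def parse_log(text):
    """Return (ie_settings, run_entries): (value, url) pairs and name -> (hive, command)."""
    ie, run = [], {}
    for line in text.splitlines():
        if m := R_LINE.match(line):
            ie.append((m["value"].strip(), m["url"].strip()))
        elif m := O4_LINE.match(line):
            run[m["name"]] = (m["hive"], m["cmd"].strip())
    return ie, run

def suspicious_search_urls(ie_settings):
    """IE values whose URL host is a bare IP rather than a hostname, the
    pattern every hijacked R1 line in the first log shows."""
    hits = []
    for value, url in ie_settings:
        try:
            ipaddress.ip_address(urlparse(url).hostname or "")
        except ValueError:
            continue  # ordinary hostname such as www.yahoo.com
        hits.append((value, url))
    return hits

def run_key_diff(before, after):
    """Run entries removed, added, or still present between two logs.  An entry
    fixed with HijackThis that is back after a reboot is being re-created by something else."""
    b, a = set(before), set(after)
    return {"removed": sorted(b - a), "added": sorted(a - b),
            "still_present": sorted(a & b)}
```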