I need to finally ask for help,


21 replies to this topic

#1 yoga1st (Full Member, 14 posts)

Posted 12 June 2004 - 06:19 PM

Hi, I am new here.
Sorry if this is a stupid post, but I have read through all the FAQs and gone through extensive posts already. I still have a DSO exploit and had VX2/F, but I think I have gotten rid of that and gained an Enliven instead. I have put on Spybot, and at first had over 60-some entries; then I installed HijackThis (in its own folder) and Spy blaster and just tried to download Mozilla.

I currently use IE. I received a box that said:
C:\Documentsandsettings\Mommy\LocalSettings\TempopraryInternetFiles\Content.IE51Wo2YS6Q\Mozilla-Win32-1.6installer[1].exe"is not a valid win32 application.
I use the MSN toolbar with the pop-up blocker and still receive ads.

I have also gone in and enabled the LAN firewall; I had it disabled because it kept messing up my online math course from school.
I also use Norton AntiVirus, which keeps coming up clean.

Last week I did a full system restore, but my daughter keeps insisting on downloading Yahoo, the mail and all that comes with it. I don't like the extra toolbar, so I deleted everything except the mail and chat for her.

When I rebooted earlier I got a weird message that said: QuickTime Player, some files associated with QuickTime applications are currently associated with other applications. Should I restore these file types to QuickTime?

I clicked on no since I didn't know what it was.

I kept getting ads from saveu.

My browser kept turning into a lookalike page for IE that had a savenav name on it; I think I have that problem fixed so far.

Here is my HijackThis log:
Logfile of HijackThis v1.97.7
Scan saved at 1:08:00 PM, on 6/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\btwltpg.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mommy\Local Settings\Temporary Internet Files\Content.IE5\TB7Q722V\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.emachines.com/
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [uydnloytwilm] C:\WINDOWS\System32\btwltpg.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3ABAE0B7-7D3D-4960-AD48-B97E2022403F}: NameServer = 205.231.144.10,205.231.144.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 205.231.144.10,205.231.144.20
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 205.231.144.10,205.231.144.20

I also was getting a box that said something like "spyware cookie disabled"? I can't remember what it was exactly, word for word.

Any and all help would be appreciated.
Thank You
Vicky

#2 billiebob (Caperjack, Retired Staff - Helper, 248 posts)

Posted 12 June 2004 - 06:57 PM

First uninstall SpyKiller and get
Ad-Aware
Download the latest version of Ad-Aware at ADAWARE


How to setup Ad-Aware and Spy-Bot S&D
http://www.zerosrealm.com/scanning.php

And after that, please do the following:

Edited by billiebob, 12 June 2004 - 06:59 PM.


#3 yoga1st (Full Member, 14 posts)

Posted 12 June 2004 - 08:08 PM

I forgot to reconfigure the settings, BRB

Edited by yoga1st, 12 June 2004 - 08:12 PM.


#4 yoga1st (Full Member, 14 posts)

Posted 12 June 2004 - 08:31 PM

OK, here are the results.


Logfile of HijackThis v1.97.7
Scan saved at 6:32:05 PM, on 6/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\btwltpg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mommy\My Documents\HijackThis own floder.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.emachines.com/
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [uydnloytwilm] C:\WINDOWS\System32\btwltpg.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3ABAE0B7-7D3D-4960-AD48-B97E2022403F}: NameServer = 205.231.144.10,205.231.144.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 205.231.144.10,205.231.144.20
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 205.231.144.10,205.231.144.20

#5 billiebob (Caperjack, Retired Staff - Helper, 248 posts)

Posted 13 June 2004 - 03:46 AM

I'm sorry, I meant to add this for you to run the last time too.

Please download CWShredder from HERE and run the program in safe mode. Press the "Fix" button and let it fix all variants. Next, close the program and all windows, including IE windows, then run HijackThis and post a fresh log.

Reboot to SAFE mode to run CWShredder.

How to start computer in safe mode

Reboot the computer and post a new log.

#6 billiebob (Caperjack, Retired Staff - Helper, 248 posts)

Posted 13 June 2004 - 03:48 AM

When I rebooted earlier I got a weird message that said: QuickTime Player, some files associated with QuickTime applications are currently associated with other applications. Should I restore these file types to QuickTime?

You are right to say no; that is just QuickTime wanting to take over all media-type files on your computer.

#7 billiebob (Caperjack, Retired Staff - Helper, 248 posts)

Posted 13 June 2004 - 04:09 AM

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+E), then double-click on C:, then right-click and select New, then Folder, and name it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fix checked", it will create a backup file of the modifications to use if a restore is necessary.

#8 billiebob (Caperjack, Retired Staff - Helper, 248 posts)

Posted 13 June 2004 - 04:10 AM

After CWShredder, do the following, fixing any that may be left.

Have HijackThis fix the following by placing a check in the appropriate boxes and selecting "Fix checked". Make sure all browser and all Windows Explorer windows are closed before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll

O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)


Fix this one to get QuickTime to stop loading at startup:
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime


O4 - HKLM\..\Run: [uydnloytwilm] C:\WINDOWS\System32\btwltpg.exe


O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe


O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto


This is a resource hog and doesn't need to be running at startup. Fix it:

O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe


Check these to make sure it's your IP address showing in them; if not, fix them:
O17 - HKLM\System\CCS\Services\Tcpip\..\{3ABAE0B7-7D3D-4960-AD48-B97E2022403F}: NameServer = 205.231.144.10,205.231.144.20

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 205.231.144.10,205.231.144.20

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 205.231.144.10,205.231.144.20




Now reboot into safe mode and delete the following files and folders if found.

C:\WINDOWS\System32\btwltpg.exe ...delete file


C:\WINDOWS\alchem.exe ...delete file


To delete the above files and folders you will need to do the following:
go to
Show hidden files & folders

"Fix checked"... Reboot to SAFE mode to delete the files.
How to start computer in safe mode

Reboot the computer and post a new log.
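The checks in the post above are done by eye: search and start-page entries pointing at a domain the owner never chose, O2/O3 browser extensions whose file is gone, an O4 Run entry with a gibberish name, and O17 NameServer entries that should be compared against the ISP's real DNS servers (O17 lines list the DNS servers configured for the adapter, so the right comparison is against the resolvers your ISP assigns, not your own address). The following script is an added example, not code from this thread or from HijackThis, that applies the same triage to HijackThis log lines. The sample log lines are copied from the log posted in the thread; the expected DNS servers and the trusted start-page hosts are assumptions a user would fill in for their own network.

```python
"""
Added example: automate the hand triage of a HijackThis log.
Not part of HijackThis; the thresholds and lists below are assumptions.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# ASSUMED: DNS servers your ISP actually hands out (placeholder documentation
# addresses from RFC 5737). Replace with the resolvers from your adapter settings.
EXPECTED_DNS = {"192.0.2.53", "192.0.2.54"}
# ASSUMED: start/search hosts you consider legitimate on this machine.
TRUSTED_HOSTS = {"www.emachines.com", "www.google.com", "www.msn.com"}

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
RUN_NAME_RE = re.compile(r"\[(?P<name>[^\]]+)\]")
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>.+)$")
SEARCH_KEY_HINTS = ("Search", "Page", "URL")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def host_of(url: str) -> str:
    """Hostname of a URL; HijackThis prints some values without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def looks_random(name: str) -> bool:
    """Heuristic for generated Run-key names such as [uydnloytwilm]:
    long, all lowercase letters, and consonant-heavy (real words are
    roughly 40% vowels). A hit means 'review this', not 'malware'."""
    if len(name) < 8 or not name.isalpha() or not name.islower():
        return False
    vowels = sum(c in "aeiou" for c in name)
    return vowels / len(name) < 0.3


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # process list, header lines, blanks
        sec, body = m.group("sec"), m.group("body")

        if sec in ("R0", "R1"):  # start page / search settings
            key, _, value = body.partition(" = ")
            if any(h in key for h in SEARCH_KEY_HINTS):
                host = host_of(value)
                if host and host not in TRUSTED_HOSTS:
                    findings.append(Finding(sec, f"search/start page set to untrusted host {host}", raw))

        elif sec in ("O2", "O3"):  # BHOs and toolbars
            if "(file missing)" in body or "(no file)" in body:
                findings.append(Finding(sec, "extension registered but its file is gone", raw))

        elif sec == "O4":  # autostart entries
            nm = RUN_NAME_RE.search(body)
            if nm and looks_random(nm.group("name")):
                findings.append(Finding(sec, f"autostart with random-looking name {nm.group('name')}", raw))

        elif sec == "O17":  # per-adapter DNS servers
            ns = NAMESERVER_RE.search(body)
            if ns:
                unexpected = [s for s in ns.group("servers").split(",") if s.strip() not in EXPECTED_DNS]
                if unexpected:
                    findings.append(Finding(sec, f"DNS servers not the expected ones: {unexpected}", raw))
    return findings


def by_section(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.section for f in findings))


# Sample lines copied from the log posted in this thread (constructed subset).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [uydnloytwilm] C:\WINDOWS\System32\btwltpg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 205.231.144.10,205.231.144.20
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Run against the sample it reports the two hijacked search entries, the two dead extension registrations, the gibberish Run key and the O17 DNS entry, and stays quiet on the Norton, QuickTime and Spybot lines. The random-name heuristic deliberately misses short names like `alchem`, which the helper caught by knowing the name; treat the output as a review list, not a verdict.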

#9 billiebob (Caperjack, Retired Staff - Helper, 248 posts)

Posted 13 June 2004 - 04:14 AM

Also, a trip to Windows Update for critical updates and SP1.
WINDOWS UPDATES


After you get it all fixed and things are working well, download and install these two programs to help stop spyware.


Spywareblaster


SpywareGuard

Keep Up-to-Date!
The most important key to maintaining a secure computer is keeping your protection up-to-date.

Also check "How I got infected in the first place".

http://www.computerc...tlite7736-.html

Edited by billiebob, 13 June 2004 - 04:14 AM.


#10 yoga1st (Full Member, 14 posts)

Posted 15 June 2004 - 10:43 PM

Here is the new log.
Vicky


Logfile of HijackThis v1.97.7
Scan saved at 8:41:25 PM, on 6/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Mommy\Local Settings\Temp\Temporary Directory 1 for Copy of HijackThis own floder.zip\HijackThis own floder.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.emachines.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3ABAE0B7-7D3D-4960-AD48-B97E2022403F}: NameServer = 205.231.144.10,205.231.144.20
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 205.231.144.10,205.231.144.20
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 205.231.144.10,205.231.144.20

#11 yoga1st (Full Member, 14 posts)

Posted 15 June 2004 - 11:04 PM

Just wanted to add, I wasn't sure about my IP address; I don't know where to look to find out what it is, but all three of those numbers in the log were all the same.
Plus, when I booted into safe mode I had an extra logon name called Administrator, and when I boot up normally the Administrator doesn't show. I think we have 5 different accounts signed up. I just thought it was weird that the Administrator account doesn't normally show up.

#12 billiebob (Caperjack, Retired Staff - Helper, 248 posts)

Posted 16 June 2004 - 05:09 AM

Log is OK. It is normal for there to be an Admin account in safe mode; you can also get to it on first boot when you get to the screen where you choose a user. Do this first: hit Alt+Ctrl+Del 2 or 3 times and it will come up.

This is how you find your IP on XP.
http://compnetworkin...ndaddrwinxp.htm


The IP address belongs to this company; is this your ISP?
Taconic Technology
OrgID: TACON
Address: 1 Taconic Pl
City: Chatham
StateProv: NY
PostalCode: 12037
Country: US

Edited by billiebob, 16 June 2004 - 05:11 AM.


#13 yoga1st (Full Member, 14 posts)

Posted 16 June 2004 - 11:34 PM

Thank you
I will go check out my IP addy. I just wanted to add, my computer is sooo slow today, and I have DSL so it shouldn't be slow like this. I also have a weird file on my desktop named SXE9.tmp, and it won't let me delete it. I looked in the properties and it was made today; I am afraid to open it though. And I just installed the Google toolbar and now I have the IE toolbar back up, plus I downloaded the Mozilla browser and when I clicked on it, it brought up the IE toolbar, and I had already gone in and deleted that from everything.
I haven't had any pop-ups so far tonight, thank goodness!
Also, is there a specific firewall that you would recommend?
Thanks again
Vicky

#14 yoga1st (Full Member, 14 posts)

Posted 17 June 2004 - 12:30 AM

I just wanted to add, I ran Spybot again and I still have the DSO exploit,
and then I ran Ad-Aware and it said I had 11 registry keys identified, 1 registry value identified, 27 identified files, 17 running processes, 30 objects recognized, and 39 new objects, so I quarantined all of them. There were a lot of VX2, Alexa, Tracking co, IML server IE and when u.
I finally got rid of the IE browser, so it's just Mozilla that pulls up now.
This is frustrating; I should be cleaning the house instead of sitting here!
Vicky

#15 billiebob (Caperjack, Retired Staff - Helper, 248 posts)

Posted 17 June 2004 - 03:25 AM

Try booting into safe mode to delete that file [reboot the computer and hold down the F8 key, arrow up to Safe Mode and hit Enter], and if you haven't already, check out "How I got infected in the first place" in my signature.

Here is a link discussing the DSO exploit.
http://forums.net-in...showtopic=15308

Edited by billiebob, 17 June 2004 - 03:42 AM.


#16 billiebob (Caperjack, Retired Staff - Helper, 248 posts)

Posted 17 June 2004 - 04:16 AM

Thank you
I will go check out my IP addy. I just wanted to add, my computer is sooo slow today, and I have DSL so it shouldn't be slow like this. I also have a weird file on my desktop named SXE9.tmp, and it won't let me delete it. I looked in the properties and it was made today; I am afraid to open it though. And I just installed the Google toolbar and now I have the IE toolbar back up, plus I downloaded the Mozilla browser and when I clicked on it, it brought up the IE toolbar, and I had already gone in and deleted that from everything.
I haven't had any pop-ups so far tonight, thank goodness!
Also, is there a specific firewall that you would recommend?
thanks again
Vicky

I just use the XP firewall, but on Win98 I used to use ZoneAlarm.
http://www.zonelabs....ontent/home.jsp

#17 yoga1st (Full Member, 14 posts)

Posted 17 June 2004 - 04:26 AM

OK, I will try that. And also NO, that is not my provider; I am in Washington state, so I will try and find out what my IP address is.
Vicky

#18 yoga1st (Full Member, 14 posts)

Posted 17 June 2004 - 04:37 AM

My IP address only has 6 numbers and they are all 1's and 0's.
Does the physical address get attached to that, or the DHCP or DNS server numbers?
And sorry if you have already mentioned it, but how do I change it back? I finally got the Mozilla browser working correctly, but now I cannot get my email configured right; my provider keeps sending me a message saying my password is incorrect. I have used this password for years! I will go in and read through those links you sent. Thank you again for your help, because I am clueless when it comes to this stuff.
Vicky

#19 yoga1st (Full Member, 14 posts)

Posted 17 June 2004 - 08:42 AM

Funny, after rereading a reply from you I realized (I think, anyway) that you meant to reboot into safe mode and delete the file that was on my desktop, the SXE9.tmp. Anyway, I went into safe mode and deleted everything that had DSO exploit that the search pulled up. I had forgotten about that dumb file on my desktop, so I just went to delete it and it was already gone; I have no idea how I got rid of it. When I rebooted, Spybot still found the DSO exploit,
and I took a closer look at those IP numbers. The numbers in the log are a combination of my DHCP and DNS numbers, but my actual IP numbers are not included in it.
Vicky

#20 billiebob (Caperjack, Retired Staff - Helper, 248 posts)

Posted 19 June 2004 - 07:42 PM

The DSO exploit is OK as long as you have the Windows updates installed regularly!
http://forums.net-in...showtopic=15308

You can set Spybot to ignore it when you scan.
Who is your ISP?
http://www.dozleng.c...p?showtopic=270
In Spybot go to Mode along the top and click Advanced mode, then click on Settings, then Ignore products, scroll down to DSO Exploit, check the box and exit.

Edited by billiebob, 19 June 2004 - 07:51 PM.


#21 yoga1st (Full Member, 14 posts)

Posted 20 June 2004 - 02:34 AM

Thank You So Much BillieBob!!!
It is so nice to be able to use this computer without those annoying popups!!
I am really glad that I found this site,, you guys are a great help!!
Thanks again
Vicky

#22 billiebob (Caperjack, Retired Staff - Helper, 248 posts)

Posted 20 June 2004 - 06:28 AM

Thank You So Much BillieBob!!!
It is so nice to be able to use this computer without those annoying popups!!
I am really glad that I found this site,, you guys are a great help!!
Thanks again
Vicky

You are welcome. Don't forget, read "How I got infected in the first place" in my signature, and use the recommended programs to help stop it from happening again.

