dyz

HTML in log


Hello, can you please take a look at my log? It contains a bunch of HTML stuff, and when Windows starts up, Windows Explorer always starts in the system32 directory. Thanks a lot!

 

 

Logfile of HijackThis v1.97.7

Scan saved at 9:13:05 PM, on 6/20/2002

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\Logi_MwX.Exe

C:\utils\McAfee VirusScan 7.00\Avsynmgr.exe

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\utils\McAfee VirusScan 7.00\VsStat.exe

C:\utils\McAfee VirusScan 7.00\Vshwin32.exe

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\utils\McAfee VirusScan 7.00\Avconsol.exe

C:\WINDOWS\System32\devldr32.exe

C:\internet\Mozilla\mozilla.exe

C:\Program Files\Outlook Express\msimn.exe

C:\internet\Trillian\trillian.exe

C:\utils\Winamp 5 Beta 2\winamp.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Filmmaking\Adobe\Photoshop CS\Photoshop.exe

C:\DOCUME~1\DYZZY&~1\LOCALS~1\Temp\~e5d141.tmp

C:\WINDOWS\System32\notepad.exe

C:\utils\Spyware & Antivirus\Hijackthis\HijackThis.exe

C:\WINDOWS\regedit.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slashdot.com/

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

F0 - system.ini: Shell=

F2 - REG:system.ini: Shell=

O1 - Hosts: 216.177.73.139 auto.search.msn.com

O1 - Hosts: 216.177.73.139 search.netscape.com

O1 - Hosts: 216.177.73.139 ieautosearch

O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com

O2 - BHO: (no name) - {53526538-28A2-0518-EC54-81E211148042} - C:\WINDOWS\System32\ovxiapsn.dll

O2 - BHO: (no name) - {6A3B967D-7AC9-B59B-17E4-A4E111EB03F4} - C:\WINDOWS\System32\isuosuxo.dll

O2 - BHO: (no name) - {6A631274-92F7-0D28-96DD-91DE782BB968} - C:\WINDOWS\System32\oyfbbpqc.dll

O2 - BHO: (no name) - {AA87BF46-16DE-7541-430F-6EA7DB34C50D} - C:\WINDOWS\System32\pylidhie.dll

O2 - BHO: (no name) - {FFB0D0BF-1B9D-EEE2-3C03-A2D020EA5C65} - C:\WINDOWS\System32\gboesuvd.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\utils\McAfee VirusScan 7.00\VSCShellExtension.dll

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b

O4 - HKLM\..\Run: [WebInstall2] C:\Program Files\ClipGenie\WebInstall.exe /R

O4 - HKLM\..\Run: [dritverquery.exe] C:\WINDOWS\System32\dritverquery.exe

O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE

O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<HEAD>

O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>

O4 - HKLM\..\Run: [</H] c:\WINDOWS\System32\</HTML>

O4 - HKLM\..\Run: [<B] c:\WINDOWS\System32\<BODY>

O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.

O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from

O4 - HKLM\..\Run: [<A HREF="http://www.gandi.net/">GANDI</A> then par] c:\WINDOWS\System32\<A HREF="http://www.gandi.net/">GANDI</A> then parked.

O4 - HKLM\..\Run: [</B] c:\WINDOWS\System32\</BODY>

O4 - HKLM\..\Run: [4@4CMGY2NJ3HZB] C:\WINDOWS\System32\PkrO0Z54.exe

O4 - HKLM\..\Run: [] c:\WINDOWS\System32\

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [<H] c:\WINDOWS\System32\<HEAD>

O4 - HKCU\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>

O4 - HKCU\..\Run: [</H] c:\WINDOWS\System32\</HTML>

O4 - HKCU\..\Run: [<B] c:\WINDOWS\System32\<BODY>

O4 - HKCU\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.

O4 - HKCU\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from

O4 - HKCU\..\Run: [<A HREF="http://www.gandi.net/">GANDI</A> then par] c:\WINDOWS\System32\<A HREF="http://www.gandi.net/">GANDI</A> then parked.

O4 - HKCU\..\Run: [</B] c:\WINDOWS\System32\</BODY>

O4 - HKCU\..\Run: [] c:\WINDOWS\System32\

O4 - HKCU\..\Run: [rate.exe] C:\WINDOWS\System32\i11r54n4.exe

O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: AIM (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...MetaStream3.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7685.7191782407

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


Can someone please confirm that it is safe to delete the following entries containing HTML stuff?

 

 

O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<HEAD>

O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>

O4 - HKLM\..\Run: [</H] c:\WINDOWS\System32\</HTML>

O4 - HKLM\..\Run: [<B] c:\WINDOWS\System32\<BODY>

O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.

O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from

O4 - HKLM\..\Run: [<A HREF="http://www.gandi.net/">GANDI</A> then par] c:\WINDOWS\System32\<A HREF="http://www.gandi.net/">GANDI</A> then parked.

O4 - HKLM\..\Run: [</B] c:\WINDOWS\System32\</BODY>

O4 - HKLM\..\Run: [4@4CMGY2NJ3HZB] C:\WINDOWS\System32\PkrO0Z54.exe

O4 - HKLM\..\Run: [] c:\WINDOWS\System32\

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [<H] c:\WINDOWS\System32\<HEAD>

O4 - HKCU\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>

O4 - HKCU\..\Run: [</H] c:\WINDOWS\System32\</HTML>

O4 - HKCU\..\Run: [<B] c:\WINDOWS\System32\<BODY>

O4 - HKCU\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.

O4 - HKCU\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from

O4 - HKCU\..\Run: [<A HREF="http://www.gandi.net/">GANDI</A> then par] c:\WINDOWS\System32\<A HREF="http://www.gandi.net/">GANDI</A> then parked.

O4 - HKCU\..\Run: [</B] c:\WINDOWS\System32\</BODY>

O4 - HKCU\..\Run: [] c:\WINDOWS\System32\

 

I don't think this one should be in here either:

O4 - HKCU\..\Run: [rate.exe] C:\WINDOWS\System32\i11r54n4.exe

 

 

Thanks!


I doubt you need this:

 

C:\DOCUME~1\DYZZY&~1\LOCALS~1\Temp\~e5d141.tmp

 

As for the rest, get rid of all but the bold; it looks like an adware script, or possibly a trick to download a trojan.

 

O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<HEAD>

O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>

O4 - HKLM\..\Run: [</H] c:\WINDOWS\System32\</HTML>

O4 - HKLM\..\Run: [<B] c:\WINDOWS\System32\<BODY>

O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.

O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from

O4 - HKLM\..\Run: [<A HREF="http://www.gandi.net/">GANDI</A> then par] c:\WINDOWS\System32\<A HREF="http://www.gandi.net/">GANDI</A> then parked.

O4 - HKLM\..\Run: [</B] c:\WINDOWS\System32\</BODY>

O4 - HKLM\..\Run: [4@4CMGY2NJ3HZB] C:\WINDOWS\System32\PkrO0Z54.exe

O4 - HKLM\..\Run: [] c:\WINDOWS\System32\

MSN Messenger, keep this:

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [<H] c:\WINDOWS\System32\<HEAD>

O4 - HKCU\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>

O4 - HKCU\..\Run: [</H] c:\WINDOWS\System32\</HTML>

O4 - HKCU\..\Run: [<B] c:\WINDOWS\System32\<BODY>

O4 - HKCU\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.

O4 - HKCU\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from

O4 - HKCU\..\Run: [<A HREF="http://www.gandi.net/">GANDI</A> then par] c:\WINDOWS\System32\<A HREF="http://www.gandi.net/">GANDI</A> then parked.

O4 - HKCU\..\Run: [</B] c:\WINDOWS\System32\</BODY>

O4 - HKCU\..\Run: [] c:\WINDOWS\System32\


You have the Peper trojan, which requires special treatment to put it out of your misery!

Please download and run this uninstaller.

 

Click on the peperfix link, and download the program. Then go offline, and run the program. It will remove the files, leaving one orphaned entry to be cleaned up with HijackThis.

 

Have HijackThis fix all of the following by placing a check in the appropriate boxes and hitting Fix checked. Make sure all browser and Windows Explorer windows are closed before fixing.

 

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

F0 - system.ini: Shell=

F2 - REG:system.ini: Shell=

O1 - Hosts: 216.177.73.139 auto.search.msn.com

O1 - Hosts: 216.177.73.139 search.netscape.com

O1 - Hosts: 216.177.73.139 ieautosearch

O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com

O2 - BHO: (no name) - {53526538-28A2-0518-EC54-81E211148042} - C:\WINDOWS\System32\ovxiapsn.dll

O2 - BHO: (no name) - {6A3B967D-7AC9-B59B-17E4-A4E111EB03F4} - C:\WINDOWS\System32\isuosuxo.dll

O2 - BHO: (no name) - {6A631274-92F7-0D28-96DD-91DE782BB968} - C:\WINDOWS\System32\oyfbbpqc.dll

O2 - BHO: (no name) - {AA87BF46-16DE-7541-430F-6EA7DB34C50D} - C:\WINDOWS\System32\pylidhie.dll

O2 - BHO: (no name) - {FFB0D0BF-1B9D-EEE2-3C03-A2D020EA5C65} - C:\WINDOWS\System32\gboesuvd.dll

 

O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINDOWS\System\WINSTA~1.EXE -b

O4 - HKLM\..\Run: [dritverquery.exe] C:\WINDOWS\System32\dritverquery.exe

O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE

O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<HEAD>

O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>

O4 - HKLM\..\Run: [</H] c:\WINDOWS\System32\</HTML>

O4 - HKLM\..\Run: [<B] c:\WINDOWS\System32\<BODY>

O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.

O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from

O4 - HKLM\..\Run: [<A HREF="http://www.gandi.net/">GANDI</A> then par] c:\WINDOWS\System32\<A HREF="http://www.gandi.net/">GANDI</A> then parked.

O4 - HKLM\..\Run: [</B] c:\WINDOWS\System32\</BODY>

O4 - HKLM\..\Run: [4@4CMGY2NJ3HZB] C:\WINDOWS\System32\PkrO0Z54.exe

O4 - HKLM\..\Run: [] c:\WINDOWS\System32\

O4 - HKCU\..\Run: [<H] c:\WINDOWS\System32\<HEAD>

O4 - HKCU\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>

O4 - HKCU\..\Run: [</H] c:\WINDOWS\System32\</HTML>

O4 - HKCU\..\Run: [<B] c:\WINDOWS\System32\<BODY>

O4 - HKCU\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.

O4 - HKCU\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from

O4 - HKCU\..\Run: [<A HREF="http://www.gandi.net/">GANDI</A> then par] c:\WINDOWS\System32\<A HREF="http://www.gandi.net/">GANDI</A> then parked.

O4 - HKCU\..\Run: [</B] c:\WINDOWS\System32\</BODY>

O4 - HKCU\..\Run: [] c:\WINDOWS\System32\

O4 - HKCU\..\Run: [rate.exe] C:\WINDOWS\System32\i11r54n4.exe

Reboot and delete the following files:

C:\WINDOWS\System\WINSTA~1.EXE

C:\WINDOWS\System32\dritverquery.exe

C:\WINDOWS\System32\PkrO0Z54.exe

C:\WINDOWS\System32\i11r54n4.exe

and this folder:

C:\PROGRA~1\AUTOUP~1

 

These may be hidden files. See HERE for how to show hidden files.

 

Please post a follow-up HijackThis log, and say if your problems persist.


Thank you both so much. I followed your advice and it worked perfectly. I didn't have the files you said to delete (not even hidden), but I did delete the directory. Here is the new HijackThis log:

 

Logfile of HijackThis v1.97.7

Scan saved at 10:11:00 PM, on 6/22/2002

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\utils\McAfee VirusScan 7.00\Avsynmgr.exe

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\utils\McAfee VirusScan 7.00\VsStat.exe

C:\utils\McAfee VirusScan 7.00\Vshwin32.exe

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\utils\McAfee VirusScan 7.00\Avconsol.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\Logi_MwX.Exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\devldr32.exe

C:\utils\Spyware & Antivirus\Hijackthis\HijackThis.exe

C:\internet\Mozilla\mozilla.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.slashdot.com/

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\utils\SPYWAR~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\utils\McAfee VirusScan 7.00\VSCShellExtension.dll

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: AIM (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...MetaStream3.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7685.7191782407

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

 

My next project is my wife's computer, which is what led me to finally clear mine up. It's quite a bit worse; I'll be posting a HijackThis log of it soon. Thanks again for the help!!


I've been trying for a while to clean this computer up, but it still has malware. One problem that I can identify is that CWShredder removes CWS.Yexe every time I run it, but it is always back. Here is my HijackThis log; thank you for looking at it!

 

Logfile of HijackThis v1.97.7

Scan saved at 10:23:31 PM, on 6/22/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\utils\CD Burning Software\Daemon Tools 3.41\daemon.exe

C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe

C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe

C:\WINDOWS\System32\services\exploit.exe

C:\Program Files\Ovulation Calendar\ovucal.exe

C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe

C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe

C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\System32\services\oops.exe

C:\WINDOWS\SYSTEM\teen.exe

C:\WINDOWS\System32\wuauclt.exe

C:\utils\Spyware & Antivirus\cwshredder\CWShredder.exe

C:\internet\Mozilla\mozilla.exe

C:\utils\Spyware & Antivirus\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

R3 - URLSearchHook: (no name) - _{4FC95EDD-4796-4966-9049-29649C80111D} - (no file)

F1 - win.ini: run=C:\WINDOWS\System32\services\exploit.exe

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\utils\CD Burning Software\Daemon Tools 3.41\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU

O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\exploit.exe

O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR

O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\exploit.exe

O4 - Startup: Ovulation Calendar.lnk = C:\Program Files\Ovulation Calendar\ovucal.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab


Hiya, it has been over 72 hours so I thought I'd try replying and see what happens : ) I've yet to make any progress on this problem so any input would be great! Thanks so much in advance!


It's been over 144 hours and I haven't received help yet. I don't mean to be annoying, I just don't want to be forgotten : ) Thanks for any help.


First:

Launch Notepad, and copy/paste the bold below into a new text file. Save it as fixme.reg and save it on your Desktop.

 

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

 

Locate fixme.reg on your Desktop and double-click on it.

You will receive a prompt similar to: "Do you wish to merge the information into the registry?".

Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".

 

 

Second:

Launch Notepad, and copy/paste the bold below into a new text file.

Save it as fixsearch.reg (Change the 'Save As Type' to 'All Files').

Save it in C:\

 

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"System"=-

[-HKEY_CLASSES_ROOT\CLSID\{061646A1-DC57-487D-B023-A938198C174E}]

[-HKEY_CLASSES_ROOT\CLSID\{4E8A9E72-8942-40EF-88DF-A559152F6B41}]

[-HKEY_CLASSES_ROOT\CLSID\{6E94CEC3-0C84-4310-AE20-CD4090178388}]

 

Locate it (in C:\) and double-click on it (launch it).

You'll receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer 'Yes' and wait for a message to appear similar to "Merged Successfully".

Reboot.

 

Then delete the following file:

C:\windows\system32\system32.dll

 

Third:

Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

 

Check the following items in HijackThis.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/

 

F1 - win.ini: run=C:\WINDOWS\System32\services\exploit.exe

 

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)

O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)

 

O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\System32\services\exploit.exe

O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\System32\services\exploit.exe

 

Close all windows except HijackThis and click Fix checked.

 

Reboot in Safe Mode*, delete the following: (you may need to show hidden files**)

C:\WINDOWS\System32\services\exploit.exe

 

*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406

**Show Hidden and System files and folders

http://www.xtra.co.nz/help/0,,4155-1916458,00.html

 

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

 

Reboot in normal mode.

 

 

Fourth:

You are running an outdated and therefore unsafe version of Internet Explorer.

You NEED to upgrade to IE 6.0 SP1

http://v4.windowsupdate.microsoft.com/en/default.asp

 

(Make sure you get the correct language version for your operating system! ).

 

Next, go to the Windows Update site, and download and install ALL Critical Updates on offer.

That will fix innumerable bugs, update a large number of important system files, and plug many security holes.

 

This step is mandatory if you are to avoid Gaobot, Sasser, and Help file exploits.

 

 

Last:

Run HiJackThis again and post a new log in this thread.

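Added example, not from the post above or from any tool it links: a Python dry-run reader for the two REGEDIT4 files in the First and Second steps. It lists what each line will do when merged (the `[-KEY]` then `[KEY]` pair in fixme.reg deletes and recreates URLSearchHooks, so every hook value is wiped before the one value is written back; `"System"=-` in fixsearch.reg removes a single value from ShellServiceObjectDelayLoad) and flags key deletions too shallow to be a targeted fix. The depth threshold and the operation names are my assumptions.

```python
import re

# The two .reg files from the post above, reproduced as test input.
FIXME_REG = r"""REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
"""

FIXSEARCH_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"System"=-

[-HKEY_CLASSES_ROOT\CLSID\{061646A1-DC57-487D-B023-A938198C174E}]
[-HKEY_CLASSES_ROOT\CLSID\{4E8A9E72-8942-40EF-88DF-A559152F6B41}]
[-HKEY_CLASSES_ROOT\CLSID\{6E94CEC3-0C84-4310-AE20-CD4090178388}]
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
# Assumption: deleting anything shallower than hive\key\subkey is never a surgical fix.
MIN_DELETE_DEPTH = 3

def parse_reg(text):
    """Translate a .reg file into (op, key, value_name, data) tuples without merging it."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg file: missing REGEDIT4 / Registry Editor header")
    ops, key = [], None
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):
                key = None                      # [-KEY] deletes the key and everything under it
                ops.append(("delete_key", body[1:], None, None))
            else:
                key = body                      # [KEY] creates the key if absent, then opens it
                ops.append(("open_key", key, None, None))
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            raise ValueError(f"line {n}: expected a value line under an open key: {line!r}")
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2)
        if data == "-":
            ops.append(("delete_value", key, name, None))   # "name"=- removes one value
        else:
            ops.append(("set_value", key, name, data))
    return ops

def risky_deletes(ops):
    """Key deletions whose path is too shallow to be a targeted fix."""
    return [op for op in ops
            if op[0] == "delete_key" and len(op[1].split("\\")) < MIN_DELETE_DEPTH]

def describe(ops):
    """One plain-English line per operation, for reading before you double-click the file."""
    out = []
    for op, key, name, data in ops:
        if op == "delete_key":
            out.append(f"DELETE key {key}")
        elif op == "open_key":
            out.append(f"OPEN/CREATE key {key}")
        elif op == "delete_value":
            out.append(f"DELETE value {name!r} in {key}")
        else:
            out.append(f"SET value {name!r} = {data} in {key}")
    return out
```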