Jump to content


Photo

Major Problems with Computer/Internet


  • Please log in to reply
11 replies to this topic

#1 Nikos

Nikos

    Member

  • Full Member
  • Pip
  • 61 posts

Posted 21 June 2004 - 09:56 PM

For the past 4/5 days I have been having major problems with my computer.

My Internet seems to be the source of the problem, everytime I open it up it slows down my computer in general and the BROWSWER windows tend to freeze up on any large websites, sometimes not large ones.

I ran all my virus checkers, and SPYWARE (Spybot and Ad-Ware) and I still get the same problems.

At times I will open a webpage, it will just cause a BLANK WHITE screen int he browswer, then maybe like 3 min later pop up like normal. Meanwhile it seems to slow down my computer operations and in general.

This has been happening since Thursday, and on Saturday everything happened to work perfectly for half a day, then BAM! Back to freezing and making me have to re-start my computer just to use the web for 10 min or so before it freezes.

I really am growing frustrated with how it just keeps freezing and also lately pop-ups have been going up despite my running spyware......

I notice the computer was slow a week or so ago as well, but not this bad. It seem to have gotten worse when I installed Norton Anti-virus etc....

Everytime I try to use the net it pops up all these messages about whether I want to BLOCk or PERMIT interet access every 5 seconds......

Here is my logfile, if anyone can give me any insight on the problem it would be much appreciated.

#2 Nikos

Nikos

    Member

  • Full Member
  • Pip
  • 61 posts

Posted 21 June 2004 - 09:57 PM

Logfile of HijackThis v1.97.7
Scan saved at 10:49:00 PM, on 6/21/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security Professional\NISUM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\rehphl.exe
C:\WINDOWS\atbfm.exe
C:\WINDOWS\WAST.exe
C:\WINDOWS\System32\SahAgent.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\AWS\WeatherBug\Weather.EXE
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\default\LOCALS~1\Temp\Rar$EX00.565\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50038
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.topfivese....com/search.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homep...rt.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.topfivese.../sidesearch.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.topfivese....com/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.topfivese....com/search.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.topfivese....com/search.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50038
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50038
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRAM FILES\LYCOS\IEAGENT\CSIE.DLL (file missing)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH13218.DLL (file missing)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: ohb - {18B79968-1A76-4953-9EBB-B651407F8998} - C:\WINDOWS\System32\windec33.dll
O2 - BHO: (no name) - {1C4DA27D-4D52-4465-A089-98E01BB725CA} - C:\WINDOWS\System32\inetdctr.dll
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\SYSTEM32\stlbdist.DLL
O2 - BHO: NavErrRedir Class - {4FC95EDD-4796-4966-9049-29649C80111D} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~2.DLL
O2 - BHO: (no name) - {5886A6DC-AAF4-45E9-979A-8E5E6DEE30E7} - C:\Program Files\zSearch\zSearch.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\AdRoar.dll
O2 - BHO: LBBHO - {EFD84954-6B46-42f4-81F3-94CE9A77052D} - C:\WINDOWS\lbbho.dll
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\SYSTEM32\stlbdist.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\AdRoar.dll
O3 - Toolbar: I-Lookup.com Bar - {6EF3AE25-5A7D-40C2-9B44-9ED0068621C0} - C:\WINDOWS\System32\windec33.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [tjjmbi] C:\WINDOWS\System32\rehphl.exe
O4 - HKLM\..\Run: [xttim] C:\WINDOWS\atbfm.exe
O4 - HKLM\..\Run: [WAST] C:\WINDOWS\WAST
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1
O4 - HKCU\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\websearch\System\Temp\topr1150_script0.htm
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: DigiChat Applet - http://host6.digicha...s/Client_IE.cab
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictive...ab/emCraft1.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://download.webs..._50099/QDow.cab
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} (IObjSafety.DemoCtl) - http://cabs.roings.com/cabs/mmed.cab

#3 Nikos

Nikos

    Member

  • Full Member
  • Pip
  • 61 posts

Posted 21 June 2004 - 09:58 PM

I also cleared my INTERNET CACHE and that did absolutely nothing.

I have Google Sidebar by choice. And there seems to be some extra searches/spyware I didnt want -- but I dont know how to get rid of.

:(

#4 jwbirdsong

jwbirdsong

    Slasher O' spyware

  • Emeritus
  • PipPipPipPipPip
  • 2,045 posts

Posted 21 June 2004 - 11:03 PM

One MAJOR problem you have is you are several Critical Updates behind from Windows Updates..these are very important to patching your system and keeping Sasser and other baddies off of your computer. Go to Windows Update and get all CRITICAL Updates.

First and foremost you have a CWS infection so...
Please Download CWShredder from HERE .Close all other windows and run the Program. Press the "Fix Button" Let it fix all variants. Next, Close the program and Post a Fresh HijackThis log. Please re-download if you already have this. Make sure you have the latest version!
CWShredder will NOT work with IE/OE/Chat/etc. open; so it very important to make sure CWShredder is the only thing running.


Now download Ad-Aware at http://www.lavasoftu...pport/download/
After installing AAW, and before running the program, FIRST update the reference file following these instructions. (I realize you already have AAW but please follow direction from this point as the default settings are less effective shall we say; then these) On the main AdAware screen hit the Check for Updates, hit the 'Connect' key; it will then connect, check for then ask if you want to download latest Ref. files (if one is available), accept. Once downloaded hit "Finish" (Green Checkmark)

Now do the following:

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
check: "Unload recognized processes during scanning."

- Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
Check: "Let Windows remove files in use after reboot."

Press "Scan Now"

- Check option "Use Custom scanning options"
- Check option "Activate In-Depth Scan"
- Press "Select drives\folders to scan"
- Select the active partition which is usually C:

Now press "Next" to let Ad-aware scan your drives...
It will find a number of "bad" files and registry keys. Click 'Next' again
Right-click in that pane and choose "select all"

If it finds "bad" files and registry keys, press "Next" again
It will ask you whether you'd like to remove all checked items. Click OK.

Finally, close Ad-Aware, and reboot.

Then go here download Spybot S&D. Install Spybot, close all other windows and run it. If you have it already make sure it is version 1.3ALWAYS use the search for update button when you first open Spybot. Let Spybot download and install any updates it finds..Now you are ready to click the Check for problems button. After the search completes let Spybot fix any entries marked in RED

You'll need to turn off the System Restore. It may have a copy of the virus. This can be done by following the instructions of your OS at http://www.vet.com.a...tem_restore.htm.
Run an online virus scan at Housecall and/or Panda Online. Please note any virus found and report back with new log.

Lastly Reboot and post a fresh log back to this thread.

Now that we've got you cleaned up a bit we'll work on getting rid of Wintools and anything else left.
Things you need(all FREE)
Anti-Virus (Only One of these)
AVG Avast
Firewall (Only One here too)
Kerio(Direct Download) Zone Alarm
Misc. (Use all 3 together)
IE Spyads SpywareBlaster Spyware Guard
Windows Update (Once a week)
get all CRITICAL Updates

Things you want(Still Free)
Mozillia Firefox
Google Toolbar (stops pop-ups)
Ad-Aware
Spybot S&D
MS MVP Hosts file

Please donate to the site to help us help you. Info found HERE

Posted Image
PROUD member Since 2004

#5 Nikos

Nikos

    Member

  • Full Member
  • Pip
  • 61 posts

Posted 22 June 2004 - 06:56 PM

I ran the AD-WARE, CWS Shredder and my Internet seems to be working OK now.

But I ran the virus test online @ Trend Micro and it picked up a lot of infected files (non-cleanable)

BKDR.SANDBOX.A and TROJ STILEN.A, TROJ SMALL.IL in my Windows Temp and SYSTEM Folders......... 22 total..........between the three.

I never picked these up with Norton either (which ironically slowed my cpu down since I installed it).

I couldnt do the windows update yet cause I still didnt register my XP yet(I used an old serial # but it didnt work on my machine at school, and I forgot the package at home -- so I cant do anything with that for a few days).

What can I do now?

Edited by Nikos, 22 June 2004 - 06:59 PM.


#6 jwbirdsong

jwbirdsong

    Slasher O' spyware

  • Emeritus
  • PipPipPipPipPip
  • 2,045 posts

Posted 22 June 2004 - 06:59 PM

Post a new Hijack This log for me to check please
Things you need(all FREE)
Anti-Virus (Only One of these)
AVG Avast
Firewall (Only One here too)
Kerio(Direct Download) Zone Alarm
Misc. (Use all 3 together)
IE Spyads SpywareBlaster Spyware Guard
Windows Update (Once a week)
get all CRITICAL Updates

Things you want(Still Free)
Mozillia Firefox
Google Toolbar (stops pop-ups)
Ad-Aware
Spybot S&D
MS MVP Hosts file

Please donate to the site to help us help you. Info found HERE

Posted Image
PROUD member Since 2004

#7 Nikos

Nikos

    Member

  • Full Member
  • Pip
  • 61 posts

Posted 22 June 2004 - 07:01 PM

Logfile of HijackThis v1.97.7
Scan saved at 8:00:37 PM, on 6/22/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security Professional\NISUM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\rehphl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\AWS\WeatherBug\Weather.EXE
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\default\LOCALS~1\Temp\Rar$EX00.573\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50038
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50038
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50038
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [tjjmbi] C:\WINDOWS\System32\rehphl.exe
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe
O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1
O4 - HKCU\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\websearch\System\Temp\topr1150_script0.htm
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: DigiChat Applet - http://host6.digicha...s/Client_IE.cab
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab

#8 Nikos

Nikos

    Member

  • Full Member
  • Pip
  • 61 posts

Posted 22 June 2004 - 07:17 PM

Up to 30 now TROJAN AGENT.BI and TROJ.LALUS.A

Edited by Nikos, 22 June 2004 - 07:19 PM.


#9 jwbirdsong

jwbirdsong

    Slasher O' spyware

  • Emeritus
  • PipPipPipPipPip
  • 2,045 posts

Posted 22 June 2004 - 10:24 PM

Move HijackThis to it's own permanent folder such as c:\HJT\HijackThis.exe <-----Very important; needed to keep/maintain backups in

Reboot to safe mode
(instructions).
Use Ctrl+Alt+Del to 'End Task" on any Wintools that is running.
Open your Control Panel>Add/Remove>Uninstall Wintools>The compuer will want to restart; let it.
Once restarted; fire up HJT again and :...

Press Ctrl+Alt+Del and 'end task' on any of the follow that are present
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINDOWS\System32\rehphl.exe

Put a check next to these in hijackthis:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50038
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50038
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50038
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe <---Optional but barely I STRONGLY recommended you remove it.
O4 - HKLM\..\Run: [tjjmbi] C:\WINDOWS\System32\rehphl.exe
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe
O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKCU\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE <---Optional but Highly recommended to remove not needed at start and huge resource hog
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\websearch\System\Temp\topr1150_script0.htm
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
-IEPlugin
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/mmed.cab
-Roings Search Hijacker
THEN WITH ALL OTHER WINDOWS CLOSED ,press "Fix".

Make sure you are set to Show Hidden Files and Folders and delete the following files/folders:-
C:\Program Files\Common files\WinTools\ <----ENTIRE FOLDER!!
C:\Program Files\Common files\WinTools\ <----ENTIRE FOLDER!!
C:\Program Files\zSearch\ <----ENTIRE FOLDER!!
C:\Program Files\TV Media\ <----ENTIRE FOLDER!!
C:\Program Files\websearch\ <----ENTIRE FOLDER!!
C:\Program Files\Viewpoint\ <---Optional, only delete if removed above in 04) <----ENTIRE FOLDER!!
C:\WINDOWS\ARUpdate.exe
C:\WINDOWS\System32\idctup20.exe
C:\WINDOWS\System32\bridge.dll
Delete files/folder from the following directories (But not the directory itself, for example delete all files/folder IN temp; but not temp itself!)
[*]C:\Windows\Temp\
[*]C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
[*]C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\
[*]C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <---This will delete your internet cache--including cookies. This is recommended and strongly suggested.
[*]C:\Documents and Settings\<All other users Profile>\Local Settings\Temporary Internet Files\
[*]Empty your "Recycle Bin"

****Note if you chose to remove Viewpoint Media Player uninstall from Add/Remove also.******

With all of those Virii you'll need to flush out the System Restore. It may have a copy of the virus. This can be done by following the instructions of your OS at http://www.vet.com.a...tem_restore.htm.
Just turn Restore off Reboot turn it back on Reboot

Post a mew HijackThis log
Things you need(all FREE)
Anti-Virus (Only One of these)
AVG Avast
Firewall (Only One here too)
Kerio(Direct Download) Zone Alarm
Misc. (Use all 3 together)
IE Spyads SpywareBlaster Spyware Guard
Windows Update (Once a week)
get all CRITICAL Updates

Things you want(Still Free)
Mozillia Firefox
Google Toolbar (stops pop-ups)
Ad-Aware
Spybot S&D
MS MVP Hosts file

Please donate to the site to help us help you. Info found HERE

Posted Image
PROUD member Since 2004

#10 Nikos

Nikos

    Member

  • Full Member
  • Pip
  • 61 posts

Posted 23 June 2004 - 12:28 AM

Logfile of HijackThis v1.97.7
Scan saved at 1:27:41 AM, on 6/23/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security Professional\NISUM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\AWS\WeatherBug\Weather.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\default\LOCALS~1\Temp\Rar$EX00.972\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1
O4 - Global Startup: VAIO Action Setup (Server).lnk = C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: DigiChat Applet - http://host6.digicha...s/Client_IE.cab
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

#11 Nikos

Nikos

    Member

  • Full Member
  • Pip
  • 61 posts

Posted 23 June 2004 - 12:32 AM

As an aside I couldnt find a few things

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50038

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll


ALSO....

[*]C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
[*]C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\
[*]C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <---This will delete your internet cache--including cookies. This is recommended and strongly suggested.
[*]C:\Documents and Settings\<All other users Profile>\Local Settings\Temporary Internet Files\

(the above I couldnt find the exact terms/folder names or MY PROFILE name for that matter wasnt there)

And lastly WINTOOLS seem to be deleted int he processes when i went into safe mode to begin with so I just deleted the folder towards the end and i think that was it.....

Also I turned off restore point.

Now what?

Thanks

#12 jwbirdsong

jwbirdsong

    Slasher O' spyware

  • Emeritus
  • PipPipPipPipPip
  • 2,045 posts

Posted 24 June 2004 - 12:31 AM

Nikos;
(In order)
It's not unusual to not be able to find a entry or two when you re rum HJT ..the one you couldn't find are no worry.

C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\
is going to be---> C:\Documents and Settings\Nikos' username\Local Settings\Temporary Internet Files\

Yes Wintools is gone

Make sure System Restore is now back ON
IF you want you can run HJT again and fix this one entry : O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file) <--- the 'no file' means it just a useless empty entry.

You REALLY need to get to Windows Updates and get all Critical Updates

THEN: -----> Congratulations, your log is clean.

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.

More info and download is available at link in my signature

And also see TonyKlein's good advice in
So how did I get infected in the first place?
Things you need(all FREE)
Anti-Virus (Only One of these)
AVG Avast
Firewall (Only One here too)
Kerio(Direct Download) Zone Alarm
Misc. (Use all 3 together)
IE Spyads SpywareBlaster Spyware Guard
Windows Update (Once a week)
get all CRITICAL Updates

Things you want(Still Free)
Mozillia Firefox
Google Toolbar (stops pop-ups)
Ad-Aware
Spybot S&D
MS MVP Hosts file

Please donate to the site to help us help you. Info found HERE

Posted Image
PROUD member Since 2004




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button