Many Problems



#1 FutureHypoon

Posted 22 June 2004 - 01:36 PM

My computer is suffering many problems.

1. When I search Google, I get Lycos pop-up search results.
2. I am able to run almost no exes that are installers. No error messages. The installers simply won't start. I only know of one or two that I've been able to run.
3. My homepage is reset every 1-2 minutes to http://your-searcher.com/index.htm and four seemingly pornographic (based on the titles) web pages are added to my favorites, also on the 1-2 minute cycle.
4. Around 25 processes that I've found out (by experimentally shutting them down) I don't need reappear in my process list, sometimes when I first boot up, other times every minute. Note: My HijackThis log was taken after I had already shut down all the processes I don't need, yet some of them have come back.
5. My internet connection keeps shutting itself off. I have to cut power to both my router and my DSL modem to get myself back online, which I had to do right before I posted this. It seems to do it when I am on anti-malware sites like this one.
6. I cannot run Norton Antivirus. No error message, it just won't start.

Here is my HijackThis log, please check it for anything suspicious.

Logfile of HijackThis v1.97.7
Scan saved at 1:02:01 PM, on 6/22/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Anjnia32.exe
C:\WINNT\System32\win64.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\ftp.exe
C:\WINNT\System32\devldr32.exe
C:\Documents and Settings\Owner\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F0 - system.ini: Shell=Explorer.exe C:\WINNT\system32\fservice.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\system32\fservice.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NETAPI] C:\WINNT\System32\NETAPI.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [M4.exe] C:\winnt\temp\M4.exe
O4 - HKLM\..\Run: [2ak3.exe] C:\winnt\temp\2ak3.exe
O4 - HKLM\..\Run: [win_spool2] C:\WINNT\System32\win_spool2.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [M4] C:\winnt\temp\M4.exe
O4 - HKLM\..\Run: [2ak3] C:\winnt\temp\2ak3.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [BootWarn] C:\Program Files\Norton Internet Security\Norton AntiVirus\BootWarn.exe /a
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Update Machine] oxbibjw.exe
O4 - HKLM\..\Run: [rn4d] C:\WINNT\System32\f0r0r\kolder.exe C:\WINNT\System32\f0r0r\dirote.exe
O4 - HKLM\..\Run: [Microsoft IT Update] win64.exe
O4 - HKLM\..\Run: [Microsoft Windows Updater] svchostz.exe
O4 - HKLM\..\Run: [Windows Update] C:\WINNT\System32\npcivdfc.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] oxbibjw.exe
O4 - HKLM\..\RunServices: [Microsoft IT Update] win64.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Updater] svchostz.exe
O4 - HKCU\..\Run: [WNSI] C:\WINNT\System32\wnscpcc.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] xvshost.exe
O4 - HKCU\..\Run: [Microsoft IT Update] win64.exe
O4 - HKCU\..\Run: [Microsoft Windows Updater] svchostz.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: winlogin.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard....des/cabs/si.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsorad...sWebTelecom.cab

#2 syrel

Posted 22 June 2004 - 02:33 PM

Wow... I hope you aren't buying anything online... you have work to do.

http://www.pestpatro...rojan_win64.asp
http://www.windowsst...ail.php?id=1250

Unless you know what these processes are, kill them if they are running in the system processes list (CTRL+ALT+DEL, Processes tab) and then fix them with HijackThis.

C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Anjnia32.exe
C:\WINNT\System32\win64.exe

C:\WINNT\System32\devldr32.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm

O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe

O4 - HKLM\..\Run: [NETAPI] C:\WINNT\System32\NETAPI.EXE

O4 - HKLM\..\Run: [M4.exe] C:\winnt\temp\M4.exe
O4 - HKLM\..\Run: [2ak3.exe] C:\winnt\temp\2ak3.exe
O4 - HKLM\..\Run: [win_spool2] C:\WINNT\System32\win_spool2.exe

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [M4] C:\winnt\temp\M4.exe
O4 - HKLM\..\Run: [2ak3] C:\winnt\temp\2ak3.exe

O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe

O4 - HKLM\..\Run: [Microsoft Update Machine] oxbibjw.exe
O4 - HKLM\..\Run: [rn4d] C:\WINNT\System32\f0r0r\kolder.exe C:\WINNT\System32\f0r0r\dirote.exe
O4 - HKLM\..\Run: [Microsoft IT Update] win64.exe
O4 - HKLM\..\Run: [Microsoft Windows Updater] svchostz.exe
O4 - HKLM\..\Run: [Windows Update] C:\WINNT\System32\npcivdfc.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] oxbibjw.exe
O4 - HKLM\..\RunServices: [Microsoft IT Update] win64.exe
O4 - HKLM\..\RunServices: [Microsoft Windows Updater] svchostz.exe

O4 - Global Startup: winlogin.exe

O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard....des/cabs/si.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsorad...sWebTelecom.cab

Restart and see what happens.
The Daily Titan - Your personal webMASTER
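The list above was built by eye. The same triage can be scripted. The following Python is added here as an example and is not part of this thread, of HijackThis, or of any product named in it: it parses a handful of the entries from the log posted above and flags the patterns that make an autostart entry suspect: a bare filename with no path (resolved through the PATH search order), a program in a temp directory, a name that imitates a Windows system binary, an entry that calls itself a Microsoft updater but lives outside Program Files, an extra program appended to the system.ini Shell= line, and an IE start or search page pointing at an unknown host. The allowlist of home-page hosts, the list of system binary stems, the similarity cutoff and the rule names are all my assumptions, not anything HijackThis itself does.

```python
"""Triage HijackThis autostart entries with simple heuristics (added example, not HijackThis code)."""
import difflib
import ntpath
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# A subset of the entries from the log posted in this thread, used as sample input.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
F0 - system.ini: Shell=Explorer.exe C:\WINNT\system32\fservice.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [M4.exe] C:\winnt\temp\M4.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] oxbibjw.exe
O4 - HKLM\..\Run: [Microsoft Windows Updater] svchostz.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: winlogin.exe
"""

# Assumption: hosts an IE start/search page may legitimately point at; anything else is reviewed.
KNOWN_HOME_HOSTS = {"msn.com", "www.msn.com", "microsoft.com", "www.microsoft.com"}
# Assumption: stems of core Windows binaries whose names malware likes to imitate.
SYSTEM_STEMS = ["smss", "csrss", "winlogon", "services", "lsass", "svchost",
                "spoolsv", "explorer", "rundll32", "wuauclt"]
LOOKALIKE_CUTOFF = 0.85  # assumption: difflib similarity above which a name counts as a lookalike

UPDATE_NAME = re.compile(r"(microsoft|windows).*updat", re.I)
O4_RE = re.compile(r"^O4 - (.+?): \[(.*?)\] (.*)$")
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (.*)$")
SHELL_RE = re.compile(r"^F[02] - .*Shell=Explorer\.exe\s+(\S.*)$", re.I)
IE_RE = re.compile(r"^R[01] - .* = (\S+)$")


def first_executable(command: str) -> str:
    """Return the program part of a Run command: the quoted path, or the text up to the first .exe."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    # Unquoted paths may contain spaces (HijackThis prints them as-is), so cut at the first ".exe".
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split(" ", 1)[0]


def check_executable(exe: str, entry_name: str = "") -> List[str]:
    """Apply the path and naming heuristics to one program; return the names of the rules that fired."""
    reasons: List[str] = []
    directory, filename = ntpath.split(exe)
    stem = filename.lower()
    if stem.endswith(".exe"):
        stem = stem[:-4]
    if not directory:
        reasons.append("NO_PATH")  # bare name: found via the PATH search order, so its location is hidden
    if "\\temp\\" in exe.lower():
        reasons.append("TEMP_PATH")  # nothing that belongs at startup lives in a temp directory
    if stem not in SYSTEM_STEMS and difflib.get_close_matches(stem, SYSTEM_STEMS, n=1, cutoff=LOOKALIKE_CUTOFF):
        reasons.append("SYSTEM_NAME_LOOKALIKE")  # e.g. svchostz.exe, winlogin.exe
    if UPDATE_NAME.search(entry_name) and not exe.lower().startswith("c:\\program files\\"):
        reasons.append("FAKE_UPDATER_NAME")  # "Microsoft ... Update" label on a program outside Program Files
    return reasons


def analyze(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (entry line, [rule names]) for every line that trips at least one heuristic."""
    findings: List[Tuple[str, List[str]]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons: List[str] = []
        if m := O4_RE.match(line):
            reasons = check_executable(first_executable(m.group(3)), m.group(2))
        elif m := STARTUP_RE.match(line):
            reasons = check_executable(m.group(1))  # startup-folder entries are just a filename
        elif m := SHELL_RE.match(line):
            # Anything after Explorer.exe on the Shell= line is started with the desktop at every logon.
            reasons = ["SHELL_HIJACK"] + check_executable(first_executable(m.group(1)))
        elif m := IE_RE.match(line):
            host = urlsplit(m.group(1)).hostname or ""
            if host not in KNOWN_HOME_HOSTS:
                reasons = ["IE_HIJACK"]
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for entry, rules in analyze(SAMPLE_LOG):
        print(", ".join(rules).ljust(44), entry)
```

The rules produce review items, not verdicts. A bare filename can also be a legitimate OEM utility (the log's SK9910DM.EXE and nwiz.exe entries would be flagged too), and an entry that passes every rule is not thereby clean. Check each flagged file against a known-good copy or an online scanner before fixing it in HijackThis.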

#3 syrel

Posted 22 June 2004 - 02:35 PM

PS... this belongs in the malware removal forum.

#4 FutureHypoon

Posted 22 June 2004 - 04:08 PM

Should I post a reply to this with my new HijackThis log, after I've done what you said?

#5 syrel

Posted 22 June 2004 - 04:48 PM

Yes, to ensure the bugs are not still being loaded, and to compare your computer's performance; see if the same things are still happening.
