I'M DESPERATE!!! (merged)

Discussion in 'adware, spyware & hijack cleaning' started by domah, Jun 27, 2004.

  1. domah

    domah Registered Member

    I'M DESPERATE!!!

    I had a Hot XXX dialer and program installed on my computer, and I can't get rid of it. I tried everything; I even read someone else's post about the same problem, and I tried what they were told to do, but it didn't work for me. I did safe mode and everything. Here's my HijackThis log. Anyone at all, please help me!!!!
    Logfile of HijackThis v1.97.7
    Scan saved at 22:38:41, on 27/06/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
    C:\WINNT\System32\svchost.exe
    C:\Norman\NVC\BIN\Zanda.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\r_server.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\NORMAN\nvc\BIN\NJEEVES.EXE
    C:\NORMAN\Nvc\BIN\nipsvc.exe
    C:\NORMAN\nvc\BIN\nvcoas.exe
    C:\NORMAN\nvc\BIN\NVCSCHED.EXE
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\LXSUPMON.EXE
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
    C:\WINNT\loadqm.exe
    C:\NORMAN\Nvc\BIN\ZLH.EXE
    C:\WINNT\shman.exe
    C:\Program Files\Webroot\Accelerate\accelerate.exe
    C:\WINNT\System32\ctfmon.exe
    C:\WINNT\System32\windll32.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
    C:\NORMAN\Nvc\BIN\NYMSE.EXE
    C:\NORMAN\Nvc\BIN\NIP.EXE
    C:\NORMAN\Nvc\BIN\cclaw.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\PROGRA~1\Belkin\BLUETO~1\BTSTAC~1.EXE
    C:\DOCUME~1\domah\LOCALS~1\Temp\lesbians.exe
    C:\Documents and Settings\domah\My Documents\My Download Files\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINNT\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://heeryz.t.rack.cc/sp.php (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINNT\system32\searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINNT\system32\searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINNT\system32\searchbar.html
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
    O3 - Toolbar: (no name) - {82BC47E6-D966-4B4A-87BA-C95780CDBF6C} - (no file)
    O3 - Toolbar: SE-Toolbar - {691AFBC1-3C46-406D-AD22-EB3A0F665FC1} - C:\WINNT\system32\setoolbar.dll (file missing)
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [OpiStat] C:\PROGRA~1\OpiStat\OpiStat\OpiStat.exe
    O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [QTSvc] C:\WINNT\shman.exe /i
    O4 - HKLM\..\Run: [Accelerate] C:\Program Files\Webroot\Accelerate\accelerate.exe /S
    O4 - HKLM\..\Run: [HotXXX] C:\WINNT\HotXXX.exe -n
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [windll32.exe] C:\WINNT\System32\windll32.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - Global Startup: BTTray.lnk = C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: @btrez.dll,-4015 (HKLM)
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
    O10 - Broken Internet access because of LSP provider 'nmtracer.dll' missing
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://dial.blueyonder.co.uk/
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
    O16 - DPF: {1F996EAE-3D97-4862-AA0E-27F257C089DE} (blueyonder Game Launcher Control) - http://www.bygames.com/activex/launcher.ocx
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
    O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/aplicacion.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (OPInstall Control) - http://a14.g.akamai.net/f/14/7141/1...m/opistat/activex/opinstall_en_4.0.0.17_c.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37934.5048958333
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8075D361-F83C-43C3-9660-FD10E97DEAAE}: NameServer = 193.38.113.3 194.117.157.4

    thank you anyone that can help me!!!
  2. Marianna

    Marianna Spyware Fighter

    Re: I'M DESPERATE!!!

    Hi domah

    Download CWShredder here. Close all browser windows and click on the fix/next button.

    Check the following items in HijackThis - close ALL windows\browsers except Hijackthis and click "Fix checked":

    C:\WINNT\System32\windll32.exe

    C:\DOCUME~1\domah\LOCALS~1\Temp\lesbians.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINNT\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://heeryz.t.rack.cc/sp.php (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINNT\system32\searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINNT\system32\searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINNT\system32\searchbar.html

    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
    O3 - Toolbar: (no name) - {82BC47E6-D966-4B4A-87BA-C95780CDBF6C} - (no file)
    O3 - Toolbar: SE-Toolbar - {691AFBC1-3C46-406D-AD22-EB3A0F665FC1} - C:\WINNT\system32\setoolbar.dll (file missing)

    O4 - HKCU\..\Run: [windll32.exe] C:\WINNT\System32\windll32.exe


    Optional:
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

    Any idea what this is?
    O9 - Extra button: @btrez.dll,-4015 (HKLM)
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
    If NOT - pls. check!

    O10 - Broken Internet access because of LSP provider 'nmtracer.dll' missing

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cab


    Then Boot to safe mode: Instructions here

    Make sure you can view hidden and system files: Instructions here

    NOTE....even in safe mode you may have to open taskmanager and end task on some of them before you can delete them.

    Delete the following files\folders IF still present:

    C:\WINNT\System32\windll32.exe
    C:\DOCUME~1\domah\LOCALS~1\Temp\lesbians.exe
    C:\WINNT\System32\nzdd.dll

    Then reboot and use AdAware as described here:
    http://www.wilderssecurity.com/showthread.php?t=15913

    Empty your Temporary Internet Files and history in Internet Options. And clean out your
    %Userprofile%\Local Settings\Temp
    folder. It's a good idea to do that regularly.

    Run HJT again and pls. post a FRESH log. Thanks.

    Pls. go to Windows Updates and get all critical patches.
  3. domah

    domah Registered Member

    I'M SO DESPERATE!!!

    I've been searching this website to find how to get rid of HotXXX. I've read all the posts where you have helped other people, and I have tried everything you have told these other people to do, but of the list of files you tell these people to delete, I do not have all of these files. In HijackThis, it is clear that the files are called something else, which is annoying because I do not know what they are called, lol. Could you please, please help me, since you're the only person who seems like they know what to do. Thank you, Darren, ~snipped~ @hotmail .com

    HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 16:34:56, on 28/06/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
    C:\WINNT\System32\svchost.exe
    C:\Norman\NVC\BIN\Zanda.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\r_server.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\NORMAN\nvc\BIN\nvcoas.exe
    C:\NORMAN\Nvc\BIN\nipsvc.exe
    C:\NORMAN\nvc\BIN\NJEEVES.EXE
    C:\NORMAN\nvc\BIN\NVCSCHED.EXE
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\LXSUPMON.EXE
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
    C:\WINNT\loadqm.exe
    C:\NORMAN\Nvc\BIN\ZLH.EXE
    C:\WINNT\shman.exe
    C:\Program Files\Webroot\Accelerate\accelerate.exe
    C:\WINNT\HotXXX.exe
    C:\WINNT\System32\ctfmon.exe
    C:\WINNT\System32\windll32.exe
    C:\NORMAN\Nvc\BIN\NYMSE.EXE
    C:\NORMAN\Nvc\BIN\NIP.EXE
    C:\NORMAN\Nvc\BIN\cclaw.exe
    C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Kazaa Lite\kazaalite.kpp
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\System32\MsiExec.exe
    C:\Documents and Settings\domah\My Documents\My Download Files\hijackthis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINNT\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINNT\system32\searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINNT\system32\searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINNT\system32\searchbar.html
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
    O3 - Toolbar: (no name) - {82BC47E6-D966-4B4A-87BA-C95780CDBF6C} - (no file)
    O3 - Toolbar: SE-Toolbar - {691AFBC1-3C46-406D-AD22-EB3A0F665FC1} - C:\WINNT\system32\setoolbar.dll (file missing)
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [OpiStat] C:\PROGRA~1\OpiStat\OpiStat\OpiStat.exe
    O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [QTSvc] C:\WINNT\shman.exe /i
    O4 - HKLM\..\Run: [Accelerate] C:\Program Files\Webroot\Accelerate\accelerate.exe /S
    O4 - HKLM\..\Run: [HotXXX] C:\WINNT\HotXXX.exe -n
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [windll32.exe] C:\WINNT\System32\windll32.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKLM\..\RunOnce: [ACMWrapperV2.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CDEngine\ACMWrapperV2.dll"
    O4 - HKLM\..\RunOnce: [MediaPlayerV2.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CDEngine\MediaPlayerV2.dll"
    O4 - HKLM\..\RunOnce: [driversV2.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CDEngine\driversV2.dll"
    O4 - HKLM\..\RunOnce: [Cdbootable.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\Cdbootable.dll"
    O4 - HKLM\..\RunOnce: [cdDataPS.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\cdDataPS.dll"
    O4 - HKLM\..\RunOnce: [cdExtra.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\cdExtra.dll"
    O4 - HKLM\..\RunOnce: [cdmp3.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\cdmp3.dll"
    O4 - HKLM\..\RunOnce: [database.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\database.dll"
    O4 - HKLM\..\RunOnce: [ISO9660.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\ISO9660.dll"
    O4 - HKLM\..\RunOnce: [Joliet.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\Joliet.dll"
    O4 - HKLM\..\RunOnce: [Udf.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\Udf.dll"
    O4 - HKLM\..\RunOnce: [creator.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\creator.dll"
    O4 - HKLM\..\RunOnce: [Translator.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\Translator.dll"
    O4 - HKLM\..\RunOnce: [CDEngine.dll] c:\winnt\system32\regsvr32.exe /s "C:\Program Files\Common Files\Adaptec Shared\CDEngine\CDEngine.dll"
    O4 - HKLM\..\RunOnce: [WMC_RebootCheck] C:\WINNT\inf\unregmp2.exe /FixUps
    O4 - Global Startup: BTTray.lnk = C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: @btrez.dll,-4015 (HKLM)
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
    O10 - Broken Internet access because of LSP provider 'nmtracer.dll' missing
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://dial.blueyonder.co.uk/
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
    O16 - DPF: {1F996EAE-3D97-4862-AA0E-27F257C089DE} (blueyonder Game Launcher Control) - http://www.bygames.com/activex/launcher.ocx
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
    O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/aplicacion.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (OPInstall Control) - http://a14.g.akamai.net/f/14/7141/144000s/download.opistat.com/opistat/activex/opinstall_en_4.0.0.17_c.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37934.5048958333
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8075D361-F83C-43C3-9660-FD10E97DEAAE}: NameServer = 193.38.113.3 194.117.157.4
    Last edited by a moderator: Jun 29, 2004
  4. Marianna

    Marianna Spyware Fighter

    Re: I'M SO DESPERATE!!!

    Hi domah

    Check the following items in Hijackthis - close ALL windows\browsers except HijackThis and click "Fix checked":

    C:\WINNT\HotXXX.exe
    C:\WINNT\System32\windll32.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL =

    C:\WINNT\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    C:\WINNT\system32\searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    C:\WINNT\system32\searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant =

    C:\WINNT\system32\searchbar.html
    R3 - Default URLSearchHook is missing

    O3 - Toolbar: (no name) - {82BC47E6-D966-4B4A-87BA-C95780CDBF6C} - (no file)
    O3 - Toolbar: SE-Toolbar - {691AFBC1-3C46-406D-AD22-EB3A0F665FC1} -

    C:\WINNT\system32\setoolbar.dll (file missing)

    O4 - HKLM\..\Run: [HotXXX] C:\WINNT\HotXXX.exe -n

    O4 - HKCU\..\Run: [windll32.exe] C:\WINNT\System32\windll32.exe

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

    Office\Office10\OSA.EXE

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -

    http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cab


    NOTE....even in safe mode you may have to open taskmanager and end task on some of them before you can delete them.

    Make sure you can view hidden and system files: Instructions here

    Then Boot to safe mode: Instructions here

    Delete the following files\folders IF still present:

    C:\WINNT\HotXXX.exe
    C:\WINNT\System32\windll32.exe

    Then reboot and use AdAware as described here:
    http://www.wilderssecurity.com/showthread.php?t=15913

    Now, empty your TEMP Folder / Temporary Internet Files Folder and then empty your "Recycle Bin" and reboot.

    Run an on-line scan:

    Go for free online Virus scans here:

    http://housecall.trendmicro.com/housecall/start_corp.asp
    http://www.pandasoftware.com/activescan/

    Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.

    Run HJT again and pls. post a FRESH log. Thanks.

    Could you pls. copy\paste the new log "as is"? Thanks :)
  5. domah

    domah Registered Member

    Hey, none of the stuff you told me to do worked at all. I thought it did, but it didn't; it came back. I was just trying to post a fresh HijackThis log and it came back on and cut me off, lol. So here is the newest fresh log, as is:

    Logfile of HijackThis v1.97.7
    Scan saved at 13:55:14, on 30/06/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
    C:\WINNT\System32\svchost.exe
    C:\Norman\NVC\BIN\Zanda.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\r_server.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\NORMAN\nvc\BIN\nvcoas.exe
    C:\NORMAN\nvc\BIN\NJEEVES.EXE
    C:\NORMAN\Nvc\BIN\nipsvc.exe
    C:\NORMAN\nvc\BIN\NVCSCHED.EXE
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\LXSUPMON.EXE
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
    C:\WINNT\loadqm.exe
    C:\NORMAN\Nvc\BIN\ZLH.EXE
    C:\WINNT\shman.exe
    C:\WINNT\System32\ctfmon.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\NORMAN\Nvc\BIN\NYMSE.EXE
    C:\NORMAN\Nvc\BIN\NIP.EXE
    C:\NORMAN\Nvc\BIN\cclaw.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINNT\ukc.exe
    C:\DOCUME~1\domah\LOCALS~1\Temp\lesbians.exe
    C:\Documents and Settings\domah\My Documents\My Download Files\hijackthis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [OpiStat] C:\PROGRA~1\OpiStat\OpiStat\OpiStat.exe
    O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [QTSvc] C:\WINNT\shman.exe /i
    O4 - HKLM\..\Run: [HotXXX] C:\WINNT\HotXXX.exe -n
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - Global Startup: BTTray.lnk = C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: @btrez.dll,-4015 (HKLM)
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://dial.blueyonder.co.uk/
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1F996EAE-3D97-4862-AA0E-27F257C089DE} (blueyonder Game Launcher Control) - http://www.bygames.com/activex/launcher.ocx
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/aplicacion.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (OPInstall Control) - http://a14.g.akamai.net/f/14/7141/1...m/opistat/activex/opinstall_en_4.0.0.17_c.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37934.5048958333
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

    And no, I don't know what those two things that you asked me about are; I didn't delete them though, so don't worry. Please help me, nothing is working, and it just comes on to the computer again and again. I'm going to kill my dad for going on that stupid website, lol. Please help as soon as you can, because I need to do my psychology coursework, and can't do it when I keep getting cut off the internet. Thank you, Darren. x x x
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi domah,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [QTSvc] C:\WINNT\shman.exe /i
    O4 - HKLM\..\Run: [HotXXX] C:\WINNT\HotXXX.exe -n

    O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/aplicacion.cab

    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -

    Then reboot into safe mode and delete:
    C:\WINNT\shman.exe
    C:\WINNT\HotXXX.exe
    C:\DOCUMENTS AND SETTINGS\domah\LOCAL SETTINGS\Temp\lesbians.exe

    The Local Settings folder is hidden by default.
    See HERE for how to show hidden files/folders.

    Regards,

    Pieter
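    Both helpers' replies above follow the same procedure: read the HijackThis log, pick out the entries to fix (processes running from the user's Temp folder or directly in C:\WINNT, IE search settings pointing at a local searchbar.html, orphaned toolbar registrations, an unfamiliar ActiveX download source, a NameServer override), delete the files in safe mode, and then compare the fresh log with the previous one to see what came back, which is exactly what happened between the 27/06 and 30/06 logs. The script below is an added example for this thread, not HijackThis code and not anything the helpers posted. It parses constructed excerpts of those two logs, applies a few of the checks the helpers did by eye, and diffs the two scans. The allowlists TRUSTED_DPF, KNOWN_WINROOT_EXES and EXPECTED_DNS are analyst assumptions for the example; the thread does not state them, and a flag from this script is a lead to look at, not a verdict.

```python
import re
from typing import NamedTuple

# Constructed excerpts of the 27/06 and 30/06 logs posted in this thread,
# trimmed to the lines the helpers acted on.
LOG_BEFORE = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\shman.exe
C:\WINNT\System32\windll32.exe
C:\DOCUME~1\domah\LOCALS~1\Temp\lesbians.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINNT\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://heeryz.t.rack.cc/sp.php (obfuscated)
O3 - Toolbar: SE-Toolbar - {691AFBC1-3C46-406D-AD22-EB3A0F665FC1} - C:\WINNT\system32\setoolbar.dll (file missing)
O4 - HKLM\..\Run: [QTSvc] C:\WINNT\shman.exe /i
O4 - HKLM\..\Run: [HotXXX] C:\WINNT\HotXXX.exe -n
O4 - HKCU\..\Run: [windll32.exe] C:\WINNT\System32\windll32.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/aplicacion.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8075D361-F83C-43C3-9660-FD10E97DEAAE}: NameServer = 193.38.113.3 194.117.157.4
"""
LOG_AFTER = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\shman.exe
C:\WINNT\ukc.exe
C:\DOCUME~1\domah\LOCALS~1\Temp\lesbians.exe
O4 - HKLM\..\Run: [QTSvc] C:\WINNT\shman.exe /i
O4 - HKLM\..\Run: [HotXXX] C:\WINNT\HotXXX.exe -n
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/aplicacion.cab
"""

# Analyst-supplied assumptions for this example, not facts established by the thread.
TRUSTED_DPF = {"macromedia.com", "microsoft.com", "msn.com", "trendmicro.com"}
KNOWN_WINROOT_EXES = {"explorer.exe", "loadqm.exe"}  # in the logs, and neither helper flagged them
EXPECTED_DNS: set = set()  # the ISP's published resolvers would go here

class Entry(NamedTuple):
    section: str  # "PROC" for a running process, otherwise the HJT code (R1, O4, ...)
    text: str

def parse_hjt(log: str) -> list:
    """Split a HijackThis 1.9x log into entries; header lines are ignored."""
    entries, in_procs = [], False
    for line in filter(None, (ln.strip() for ln in log.splitlines())):
        if line == "Running processes:":
            in_procs = True
        elif m := re.match(r"^([RO]\d+) - (.*)$", line):
            in_procs = False
            entries.append(Entry(m.group(1), m.group(2)))
        elif in_procs:
            entries.append(Entry("PROC", line))
    return entries

WINROOT_PROC = re.compile(r"^[A-Z]:\\WINNT\\([^\\]+\.exe)$", re.I)   # file directly in C:\WINNT
WINROOT_RUN = re.compile(r'\] "?[A-Z]:\\WINNT\\[^\\"]+\.exe', re.I)  # Run value pointing there
TEMP_DIR = re.compile(r"\\Temp\\", re.I)

def triage(entries, expected_dns=EXPECTED_DNS):
    """Return (entry, reason) pairs worth a human look. A flag is a lead, not a verdict."""
    findings = []
    for e in entries:
        t, why = e.text, None
        if e.section == "PROC":
            m = WINROOT_PROC.match(t)
            if TEMP_DIR.search(t):
                why = "process running from a Temp directory"
            elif m and m.group(1).lower() not in KNOWN_WINROOT_EXES:
                why = "unexpected executable running from the Windows root"
        elif e.section in ("R0", "R1"):
            if "(obfuscated)" in t:
                why = "obfuscated IE search URL"
            elif re.search(r"= [A-Z]:\\.*\.html?$", t, re.I):
                why = "IE search setting redirected to a local HTML file"
        elif e.section in ("O2", "O3") and ("(no file)" in t or "(file missing)" in t):
            why = "orphaned BHO/toolbar registration (target file missing)"
        elif e.section == "O4" and (TEMP_DIR.search(t) or WINROOT_RUN.search(t)):
            why = "autorun entry launching from a Temp directory or the Windows root"
        elif e.section == "O16":
            m = re.search(r"https?://([^/\s]+)", t)
            host = m.group(1) if m else ""
            if not any(host == d or host.endswith("." + d) for d in TRUSTED_DPF):
                why = f"ActiveX control fetched from '{host}', not in the allowlist (a CDN hostname says nothing about the publisher; check the path)"
        elif e.section == "O17":
            m = re.search(r"NameServer = (.*)$", t)
            bad = [ip for ip in (m.group(1).split() if m else []) if ip not in expected_dns]
            if bad:
                why = "NameServer " + " ".join(bad) + " is not an expected resolver"
        if why:
            findings.append((e, why))
    return findings

def diff_logs(before, after):
    """Compare two scans: what is new or came back tells you the cleanup did not hold."""
    b, a = set(before), set(after)
    return {"new": sorted(a - b), "gone": sorted(b - a), "persisting": sorted(a & b)}
```

    Running triage over the 30/06 excerpt flags the three odd processes (shman.exe, ukc.exe, lesbians.exe) and both Run entries, and the diff shows ukc.exe as new while the HotXXX and QTSvc entries persist from the earlier scan. The HouseCall control is also flagged because it was fetched from an akamai.net host; that is a false positive an analyst resolves by reading the path, and it is why the script reports leads rather than verdicts. Note what the heuristics miss: windll32.exe sits in System32 and is not caught by the Windows-root rule, so a clean triage run is not a clean machine.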
  7. domah

    domah Registered Member

    Hey, I've just done what you said, but there is a problem that worries me: there is still no dial tone when I connect to the internet, and also the xxxserver dialer is still present. What should I do? And what's still wrong? Here's my new log....
    Logfile of HijackThis v1.97.7
    Scan saved at 14:37:07, on 30/06/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
    C:\WINNT\System32\svchost.exe
    C:\Norman\NVC\BIN\Zanda.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\r_server.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\NORMAN\nvc\BIN\nvcoas.exe
    C:\NORMAN\Nvc\BIN\nipsvc.exe
    C:\NORMAN\nvc\BIN\NJEEVES.EXE
    C:\NORMAN\nvc\BIN\NVCSCHED.EXE
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\LXSUPMON.EXE
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
    C:\WINNT\loadqm.exe
    C:\NORMAN\Nvc\BIN\ZLH.EXE
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\WINNT\System32\ctfmon.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\NORMAN\Nvc\BIN\NYMSE.EXE
    C:\NORMAN\Nvc\BIN\NIP.EXE
    C:\NORMAN\Nvc\BIN\cclaw.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\domah\My Documents\My Download Files\hijackthis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [OpiStat] C:\PROGRA~1\OpiStat\OpiStat\OpiStat.exe
    O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - Global Startup: BTTray.lnk = C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: @btrez.dll,-4015 (HKLM)
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://dial.blueyonder.co.uk/
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1F996EAE-3D97-4862-AA0E-27F257C089DE} (blueyonder Game Launcher Control) - http://www.bygames.com/activex/launcher.ocx
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (OPInstall Control) - http://a14.g.akamai.net/f/14/7141/1...m/opistat/activex/opinstall_en_4.0.0.17_c.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37934.5048958333
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8075D361-F83C-43C3-9660-FD10E97DEAAE}: NameServer = 193.38.113.3 194.117.157.4

    get back to me please! darren
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    The dial tone was probably disabled by the dialer. That should be correctable in the modem settings somewhere.

    What worries me more is that the dialer is still active. Or did you mean that the connection is still present on the connections tab of IE?

    Regards,

    Pieter
  9. domah

    domah Registered Member

    hey,

    what i meant was that the dialer was still present in my network connections window, so when i open control panel, network connections, the xxxserver dialer is still there. how do i change the modem settings to go back to being able to hear the dialing tone?
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    In the connections window you should be able to right-click and remove it now.

    Then click Start > Settings > Control Panel > Phone and Modem > highlight the modem that requires configuring. Then select Properties.
    On the general tab there should be a Volume slide. That is probably on the left hand side. Move it to the right.

    Regards,

    Pieter
  11. domah

    domah Registered Member

    hey, thanks so much for your help, i think it is finally gone, although it took some taking it is finally gone, or so it appears, lol, i still can't get the dial tone to sound, even though i've changed the volume of the modem speaker to full, my new fresh as-is hijackthis log is as follows:

    Logfile of HijackThis v1.97.7
    Scan saved at 22:21:22, on 01/07/2004
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
    C:\WINNT\System32\svchost.exe
    C:\Norman\NVC\BIN\Zanda.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\r_server.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\NORMAN\nvc\BIN\NJEEVES.EXE
    C:\NORMAN\nvc\BIN\nvcoas.exe
    C:\NORMAN\Nvc\BIN\nipsvc.exe
    C:\NORMAN\nvc\BIN\NVCSCHED.EXE
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\LXSUPMON.EXE
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
    C:\WINNT\loadqm.exe
    C:\NORMAN\Nvc\BIN\ZLH.EXE
    C:\WINNT\System32\ctfmon.exe
    C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\NORMAN\Nvc\BIN\cclaw.exe
    C:\NORMAN\Nvc\BIN\NYMSE.EXE
    C:\NORMAN\Nvc\BIN\NIP.EXE
    C:\PROGRA~1\Belkin\BLUETO~1\BTSTAC~1.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Kpe\kpe.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Documents and Settings\domah\My Documents\My Download Files\hijackthis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [OpiStat] C:\PROGRA~1\OpiStat\OpiStat\OpiStat.exe
    O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Global Startup: BTTray.lnk = C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: @btrez.dll,-4015 (HKLM)
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://dial.blueyonder.co.uk/
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1F996EAE-3D97-4862-AA0E-27F257C089DE} (blueyonder Game Launcher Control) - http://www.bygames.com/activex/launcher.ocx
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (OPInstall Control) - http://a14.g.akamai.net/f/14/7141/1...m/opistat/activex/opinstall_en_4.0.0.17_c.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37934.5048958333
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8075D361-F83C-43C3-9660-FD10E97DEAAE}: NameServer = 193.38.113.3 194.117.157.4

    thanks again for all your help, darren.
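    The way this thread works is by comparing logs posted before and after a cleanup. As an added example (not from the thread, not part of HijackThis, and with hypothetical helper names parse_hjt and diff_hjt), here is a small parser that splits a HijackThis v1.97 log into its sections and reports, per section, what disappeared and what newly appeared; the sample inputs are constructed excerpts of the two logs above.

```python
import re
# Layout of a HijackThis v1.97 log as posted in this thread: a header, a
# "Running processes:" block of one path per line, a blank line, then one
# entry per line of the form "O<n> - <text>" (O3 toolbars, O4 Run keys, O17 DNS, ...).
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")

def parse_hjt(text):
    """Split a log into sections keyed 'processes', 'O2', 'O3', ... (hypothetical helper)."""
    sections, in_procs = {"processes": set()}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # a blank line closes the process block
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            sections.setdefault(m.group(1), set()).add(m.group(2))
        elif in_procs:
            # Windows paths are case-insensitive: normalise so NVC vs Nvc is not reported
            sections["processes"].add(line.lower())
    return sections

def diff_hjt(before, after):
    """Per section, (removed, added) between two logs of one machine; unchanged sections omitted."""
    b, a = parse_hjt(before), parse_hjt(after)
    out = {}
    for key in sorted(set(b) | set(a)):
        removed = b.get(key, set()) - a.get(key, set())
        added = a.get(key, set()) - b.get(key, set())
        if removed or added:
            out[key] = (removed, added)
    return out

# Constructed excerpts of the two logs posted in this thread (before and after cleanup).
BEFORE = r"""Running processes:
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O17 - HKLM\System\CCS\Services\Tcpip\..\{8075D361-F83C-43C3-9660-FD10E97DEAAE}: NameServer = 193.38.113.3 194.117.157.4
"""
AFTER = r"""Running processes:
C:\Program Files\Kpe\kpe.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{8075D361-F83C-43C3-9660-FD10E97DEAAE}: NameServer = 193.38.113.3 194.117.157.4
"""
```

Unchanged sections (here the O17 DNS servers) are left out of the result, so a helper only sees the entries that actually moved between two posts.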
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

  13. domah

    domah Registered Member

    hey, yeah thanks for that, but i guess it's not really a problem, since i have cleaned my computer of spyware. i have had some problems with it: the opistat won't work anymore, whatever that is, and also my svchost.exe keeps going, which means that i can't open links and it's very annoying since it happens every 5 mins and i have to restart all the time. also my real download won't work at all, it says to reinstall the product, and i went onto real networks' website but i couldn't find it. do you have any ideas on how to get my real download to work again and how to make my svchost stop going all the time o_O thanks, darren.