Help with log please

Discussion in 'adware, spyware & hijack cleaning' started by bigdinner, Jun 26, 2004.

Thread Status:
Not open for further replies.
  1. bigdinner (Registered Member; joined Jun 26, 2004; 2 posts)
    Hi, I recently have had some spyware issues. Can anyone give me a hand with this? It's the first time I've run HijackThis, so I don't know what I'm doing.

    I used Ad-aware to remove spyware.
    Thanks for looking at this. :)

    Here's the log file

    Logfile of HijackThis v1.97.7
    Scan saved at 11:21:09 AM, on 6/26/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    F:\Program Files\Logitech\iTouch\iTouch.exe
    F:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\System32\Microsoft32.exe
    C:\WINDOWS\System32\wuammgr32.exe
    C:\WINDOWS\System32\KernelW32\Anti.exe
    C:\WINDOWS\System32\Config33.exe
    C:\WINDOWS\System32\rxhost.exe
    C:\WINDOWS\System32\Mcafeescn.exe
    C:\WINDOWS\System32\msnmsgr.exe
    C:\WINDOWS\System32\system32.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\rxhost.exe
    C:\WINDOWS\System32\system32.exe
    F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    F:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    F:\Program Files\No-IP\DUC20.exe
    C:\WINDOWS\System32\KernelW32\mosso.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    F:\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.ca"); (C:\Documents and Settings\Liam\Application Data\Mozilla\Profiles\default\2uqrlwb5.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://F%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Liam\Application Data\Mozilla\Profiles\default\2uqrlwb5.slt\prefs.js)
    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [MessengerPlus2] "F:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [zBrowser Launcher] F:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [EM_EXEC] F:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [85174196.exe] C:\WINDOWS\System32\85174196.exe
    O4 - HKLM\..\Run: [Microsoft32.exe] Microsoft32.exe
    O4 - HKLM\..\Run: [Microsoft Update] wuammgr32.exe
    O4 - HKLM\..\Run: [Reg_Edited] C:\WINDOWS\System32\KernelW32\Anti.exe
    O4 - HKLM\..\Run: [Config33.exe] Config33.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: [Microsoft Update Machine] rxhost.exe
    O4 - HKLM\..\Run: [Mcaffe Antivirus] Mcafeescn.exe
    O4 - HKLM\..\Run: [msn] msnmsgr.exe
    O4 - HKLM\..\Run: [System] system32.exe
    O4 - HKLM\..\RunServices: [Microsoft32.exe] Microsoft32.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] wuammgr32.exe
    O4 - HKLM\..\RunServices: [Config33.exe] Config33.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Machine] rxhost.exe
    O4 - HKLM\..\RunServices: [Mcaffe Antivirus] Mcafeescn.exe
    O4 - HKLM\..\RunServices: [msn] msnmsgr.exe
    O4 - HKLM\..\RunServices: [System] system32.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Microsoft Update Machine] rxhost.exe
    O4 - HKCU\..\Run: [System] system32.exe
    O4 - HKCU\..\Run: [Mcaffe Antivirus] Mcafeescn.exe
    O4 - HKCU\..\Run: [msn] msnmsgr.exe
    O4 - HKCU\..\Run: [Microsoft Update] wuammgr32.exe
    O4 - Startup: No-IP DUC.lnk = F:\Program Files\No-IP\DUC20.exe
    O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = F:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/crack.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7B340EA5-BFB4-41E5-BDF3-3E2312ABE7A5}: NameServer = 206.47.244.15 206.47.244.43
     
  2. Marianna (Spyware Fighter; joined Apr 23, 2002; 1,215 posts; location: B.C. Canada)
    Hi bigdinner

    You have several "unwanted guests" on your computer.

    Go here and get one of the free trials of an anti-trojan and scan for trojans.
    http://www.wilders.org/anti_trojans.htm

    I would also suggest you run an on-line scan:

    http://housecall.antivirus.com/

    http://www.bitdefender.com/scan/Msie/index.php

    http://www.pandasoftware.es/activescan/activescan-com.asp

    http://www.ravantivirus.com/scan/

    After you are done -

    Download Ad-aware from here: http://www.computercops.biz/downloads-file-292.html
    Install by double-clicking on the downloaded file.
    After installing but before running, update Ad-aware by using its Globe icon.
    After updating, shutdown and restart Ad-aware.
    Ad-aware is ready to scan and clean your system following these steps:

    Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
    "Unload recognized processes during scanning."
    Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
    "Let Windows remove files in use after reboot."
    Press "Scan Now"
    Check option "Use Custom scanning options"
    Check option "Activate In-Depth Scan"
    Press "Select drives\folders to scan"
    Select the active partition which is usually C:
    Press "Next" to let Ad-aware scan your drives...
    If it finds "bad" files and registry keys, press "Next" again
    Right-click in that pane and choose "select all"
    Press "next"
    When it asks to remove all checked items, Press "OK"
    Close Ad-aware, reboot your system and go on to Step 2 below.


    Spybot S&D
    The download for Spybot S&D is available here: http://www.computercops.biz/downloads-file-108.html

    Install by double-clicking on the downloaded file.
    Run Spybot S&D from desktop icon or Start menu.
    Press "Search for updates" button to get list of updates available.
    Press "Download updates" button.
    Close all IE windows and close & restart Spybot S&D.
    Press "Check for problems" button.
    Have SpyBot remove all it marks in red by pressing "Fix selected problems".

    Close Spybot S&D, reboot your system.

    Empty your Temporary Internet Files and history in Internet Options. And clean out your
    %Userprofile%\Local Settings\Temp
    folder. It's a good idea to do that regularly.

    Then Disable system restore: Instructions here
    Reboot

    Enable System Restore.

    Please post another log.
     
  3. bigdinner (Registered Member; joined Jun 26, 2004; 2 posts)
    Hi, I performed all of the operations requested, and I need to know what to do now. Thanks!

    P.S. Sorry it took so long, I went out of town :(



    Logfile of HijackThis v1.97.7
    Scan saved at 5:13:18 PM, on 7/4/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    F:\Program Files\Logitech\iTouch\iTouch.exe
    F:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\System32\Mcafeescn.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\system32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\system32.exe
    F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    F:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    F:\Program Files\No-IP\DUC20.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    F:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/1526/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us/1526/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1526/ (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1526/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us/1526/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1526/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1526/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1526/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1526/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1526/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1526/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1526/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1526/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1526/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1526/ (obfuscated)
    R3 - Default URLSearchHook is missing
    N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.ca"); (C:\Documents and Settings\Liam\Application Data\Mozilla\Profiles\default\2uqrlwb5.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://F%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Liam\Application Data\Mozilla\Profiles\default\2uqrlwb5.slt\prefs.js)
    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [MessengerPlus2] "F:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [zBrowser Launcher] F:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [EM_EXEC] F:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [85174196.exe] C:\WINDOWS\System32\85174196.exe
    O4 - HKLM\..\Run: [Microsoft32.exe] Microsoft32.exe
    O4 - HKLM\..\Run: [Microsoft Update] automgr32.exe
    O4 - HKLM\..\Run: [Reg_Edited] C:\WINDOWS\System32\KernelW32\Anti.exe
    O4 - HKLM\..\Run: [Config33.exe] Config33.exe
    O4 - HKLM\..\Run: [Microsoft Update Machine] xvshost.exe
    O4 - HKLM\..\Run: [Mcaffe Antivirus] Mcafeescn.exe
    O4 - HKLM\..\Run: [msn] msnmsgr.exe
    O4 - HKLM\..\Run: [System] system32.exe
    O4 - HKLM\..\Run: [Syntax] windows32.exe
    O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 3.9\THGuard.exe"
    O4 - HKLM\..\Run: [OS Driver] c:\windows\servicepackfiles\nopdb.exe
    O4 - HKLM\..\RunServices: [Microsoft32.exe] Microsoft32.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] automgr32.exe
    O4 - HKLM\..\RunServices: [Config33.exe] Config33.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Machine] xvshost.exe
    O4 - HKLM\..\RunServices: [Mcaffe Antivirus] Mcafeescn.exe
    O4 - HKLM\..\RunServices: [msn] msnmsgr.exe
    O4 - HKLM\..\RunServices: [System] system32.exe
    O4 - HKLM\..\RunServices: [Syntax] windows32.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Microsoft Update Machine] xvshost.exe
    O4 - HKCU\..\Run: [System] system32.exe
    O4 - HKCU\..\Run: [Mcaffe Antivirus] Mcafeescn.exe
    O4 - HKCU\..\Run: [msn] msnmsgr.exe
    O4 - HKCU\..\Run: [Microsoft Update] automgr32.exe
    O4 - HKCU\..\Run: [Syntax] windows32.exe
    O4 - Startup: No-IP DUC.lnk = F:\Program Files\No-IP\DUC20.exe
    O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = F:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O13 - DefaultPrefix: http://nkvd.us/1526/
    O13 - WWW Prefix: http://nkvd.us/1526/
    O13 - Home Prefix: http://nkvd.us/1526/
    O13 - Mosaic Prefix: http://nkvd.us/1526/
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/crack.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7B340EA5-BFB4-41E5-BDF3-3E2312ABE7A5}: NameServer = 206.47.244.15 206.47.244.43
     
  4. Marianna (Spyware Fighter; joined Apr 23, 2002; 1,215 posts; location: B.C. Canada)
    Hi bigdinner

    Wow... did you get infected AFTER you ran the on-line scans?

    Download CWShredder here. Close all browser windows and click on the fix/next button.

    Check the following items in HijackThis (close ALL windows and browsers except HijackThis) and click "Fix checked":

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/1526/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us/1526/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1526/ (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1526/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us/1526/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1526/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1526/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1526/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us/1526/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us/1526/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1526/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1526/ (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us/1526/ (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1526/ (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1526/ (obfuscated)
    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll (file missing)
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)

    O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime <-----optional
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot <------- optional

    O4 - HKLM\..\Run: [85174196.exe] C:\WINDOWS\System32\85174196.exe

    O4 - HKLM\..\Run: [Microsoft32.exe] Microsoft32.exe
    O4 - HKLM\..\Run: [Microsoft Update] automgr32.exe

    O4 - HKLM\..\Run: [Reg_Edited] C:\WINDOWS\System32\KernelW32\Anti.exe
    O4 - HKLM\..\Run: [Config33.exe] Config33.exe
    O4 - HKLM\..\Run: [Microsoft Update Machine] xvshost.exe

    O4 - HKLM\..\Run: [Mcaffe Antivirus] Mcafeescn.exe

    O4 - HKLM\..\Run: [System] system32.exe

    O4 - HKLM\..\Run: [Syntax] windows32.exe
    Don't know this one; also a virus?

    O4 - HKLM\..\RunServices: [Microsoft32.exe] Microsoft32.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] automgr32.exe
    O4 - HKLM\..\RunServices: [Config33.exe] Config33.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Machine] xvshost.exe
    O4 - HKLM\..\RunServices: [Mcaffe Antivirus] Mcafeescn.exe

    O4 - HKLM\..\RunServices: [System] system32.exe
    O4 - HKLM\..\RunServices: [Syntax] windows32.exe

    O4 - HKCU\..\Run: [Microsoft Update Machine] xvshost.exe
    O4 - HKCU\..\Run: [System] system32.exe
    O4 - HKCU\..\Run: [Mcaffe Antivirus] Mcafeescn.exe

    O4 - HKCU\..\Run: [Microsoft Update] automgr32.exe
    O4 - HKCU\..\Run: [Syntax] windows32.exe

    O4 - Startup: No-IP DUC.lnk = F:\Program Files\No-IP\DUC20.exe

    O13 - DefaultPrefix: http://nkvd.us/1526/
    O13 - WWW Prefix: http://nkvd.us/1526/
    O13 - Home Prefix: http://nkvd.us/1526/
    O13 - Mosaic Prefix: http://nkvd.us/1526/

    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cab

    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/crack.CAB

    NOTE: even in safe mode you may have to open Task Manager and end task on some of them before you can delete them.

    Make sure you can view hidden and system files: Instructions here


    Then Boot to safe mode: Instructions here

    Delete the following files\folders IF still present:

    C:\WINDOWS\System32\85174196.exe
    C:\WINDOWS\System32\KernelW32\Anti.exe

    Then reboot and use AdAware as described here:
    https://www.wilderssecurity.com/showthread.php?t=15913

    Go here and get one of the free trials of an anti-trojan and scan for trojans.
    http://www.wilders.org/anti_trojans.htm

    Go for free online Virus scans here:

    http://housecall.trendmicro.com/housecall/start_corp.asp
    http://www.pandasoftware.com/activescan/

    Be sure to put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean, have it delete it, or make a note of the file location so you can delete it yourself.

    Empty your Temporary Internet Files and history in Internet Options. And clean out your
    %Userprofile%\Local Settings\Temp
    folder. It's a good idea to do that regularly.

    Then Disable system restore: Instructions here
    Reboot

    Enable System Restore.

    Please post another log.

    Good Luck !
     
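Reading the two logs the way the replies above do (post 2 calls the O4 block "several unwanted guests" without naming them; post 4 lists which entries to fix and asks whether the machine was reinfected) comes down to a handful of signals that can be written down. The script below is an added example for this thread, not part of HijackThis or of either poster's advice. It scores the O4 entries on: a bare filename with no path (Windows finds it through the search path, in practice System32, which legitimate installers almost never rely on); a value under RunServices (a Win9x/ME key that NT-based Windows does not process, so only malware written to run on both families bothers with it); a value name or binary that borrows a Microsoft or McAfee-sounding name; a purely numeric filename; an executable in a subfolder of System32; and the same value name planted in several autorun keys at once. It then diffs the June and July logs to show that the same value names ("Microsoft Update", "Microsoft Update Machine") came back pointing at different filenames (wuammgr32.exe to automgr32.exe, rxhost.exe to xvshost.exe) and that a new one ("Syntax", windows32.exe) appeared, which is the observation behind post 4's reinfection question. The word list MIMIC_WORDS is an assumption of the example, and the embedded log lines are a subset copied from the two logs posted in the thread.

```python
import re
from collections import defaultdict

# O4 lines copied from the two logs in this thread (26 June and 4 July 2004).
# Only a subset of each log is reproduced; the remaining entries are omitted.
LOG_JUNE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [85174196.exe] C:\WINDOWS\System32\85174196.exe
O4 - HKLM\..\Run: [Microsoft Update] wuammgr32.exe
O4 - HKLM\..\Run: [Reg_Edited] C:\WINDOWS\System32\KernelW32\Anti.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [Microsoft Update Machine] rxhost.exe
O4 - HKLM\..\Run: [System] system32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuammgr32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] rxhost.exe
O4 - HKLM\..\RunServices: [System] system32.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] rxhost.exe
O4 - HKCU\..\Run: [Microsoft Update] wuammgr32.exe
"""
LOG_JULY = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [85174196.exe] C:\WINDOWS\System32\85174196.exe
O4 - HKLM\..\Run: [Microsoft Update] automgr32.exe
O4 - HKLM\..\Run: [Reg_Edited] C:\WINDOWS\System32\KernelW32\Anti.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] xvshost.exe
O4 - HKLM\..\Run: [System] system32.exe
O4 - HKLM\..\Run: [Syntax] windows32.exe
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\RunServices: [Microsoft Update] automgr32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] xvshost.exe
O4 - HKLM\..\RunServices: [System] system32.exe
O4 - HKLM\..\RunServices: [Syntax] windows32.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] xvshost.exe
O4 - HKCU\..\Run: [Microsoft Update] automgr32.exe
O4 - HKCU\..\Run: [Syntax] windows32.exe
"""

# Assumed word list: names that borrow from Windows or security products.
MIMIC_WORDS = ("microsoft", "windows", "system", "svchost", "mcafee", "mcaffe", "kernel")

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunServices|RunOnce): "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_o4(log_text):
    """Map (hive, key, value name) -> command for every O4 registry line."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries[(m["hive"], m["key"], m["name"])] = m["cmd"]
    return entries


def target_of(cmd):
    """(basename, has_path) of the file a command really launches; for a
    rundll32 launcher the interesting file is the DLL argument."""
    tokens = re.findall(r'"[^"]*"|\S+', cmd) or [""]
    first = tokens[0].strip('"')
    if first.lower() in ("rundll32.exe", "rundll32") and len(tokens) > 1:
        first = tokens[1].strip('"').split(",")[0]
    return first.rsplit("\\", 1)[-1], ("\\" in first or ":" in first)


def assess(entries):
    """Score each O4 entry by the number of red flags it raises, highest first."""
    locations = defaultdict(set)  # value name -> every (hive, key) it sits in
    for hive, key, name in entries:
        locations[name].add((hive, key))
    findings = []
    for (hive, key, name), cmd in entries.items():
        target, has_path = target_of(cmd)
        flags = []
        if not has_path:
            flags.append("bare filename, found via the search path (normally System32)")
        if key == "RunServices":
            flags.append("RunServices is a Win9x/ME key that NT-based Windows does not process")
        sub = re.search(r"\\system32\\([^\\]+)\\", cmd, re.I)
        if sub:
            flags.append(f"runs from a subfolder of System32 ({sub.group(1)})")
        if any(w in f"{name} {target} {sub.group(1) if sub else ''}".lower() for w in MIMIC_WORDS):
            flags.append("name imitates a Windows or security component")
        if re.fullmatch(r"\d+\.exe", target.lower()):
            flags.append("purely numeric filename")
        if len(locations[name]) > 1:
            flags.append(f"same value name in {len(locations[name])} autorun locations")
        if flags:
            findings.append((len(flags), hive, key, name, target, flags))
    findings.sort(key=lambda f: (-f[0], f[1], f[2], f[3]))
    return findings


def diff_logs(old_text, new_text):
    """O4 entries whose payload changed, appeared, or vanished between two logs."""
    old, new = parse_o4(old_text), parse_o4(new_text)
    return {"changed": {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]},
            "added": {k: new[k] for k in new.keys() - old.keys()},
            "removed": {k: old[k] for k in old.keys() - new.keys()}}


if __name__ == "__main__":
    for score, hive, key, name, target, flags in assess(parse_o4(LOG_JULY)):
        print(f"[{score}] {hive}\\..\\{key}: [{name}] -> {target}: " + "; ".join(flags))
    for k, (before, after) in sorted(diff_logs(LOG_JUNE, LOG_JULY)["changed"].items()):
        print("payload changed between logs:", k, before, "->", after)
```

Two caveats when reading the output. The heuristics are deliberately loose: the NVIDIA NvCplDaemon entry scores one point for its bare DLL name and is benign, while the RunDLL entry loading bridge.dll scores zero because it has a full path and a neutral name; anything with a zero score still needs a lookup rather than a pass. The other cluster in the July log, the R0/R1 and O13 lines that all point at one URL, is not handled here; the O13 prefix values are what Internet Explorer prepends to an address typed without a scheme, so those four lines alone redirect plain typing, and grouping R/O13 lines by URL is the same exercise as the value-name grouping above.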