HELP wtih log file

Discussion in 'adware, spyware & hijack cleaning' started by sergio 007, Feb 5, 2004.

Thread Status:
Not open for further replies.
  1. sergio 007

    sergio 007 Guest

    Some one can help me with my logfile i don't know which files i have to fix. This is my logfile:

    Logfile of HijackThis v1.97.7
    Scan saved at 2:25:26 PM, on 2/5/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Iomega HotBurn\Autolaunch.exe
    C:\WINDOWS\comctl_32.exe
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    C:\Program Files\Common Files\eAcceleration\systimer.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\MemoryMeter\MemoryMeter.exe
    C:\WINDOWS\TVMD.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\GMSoft\Dialers\VideoGirls_nl\VideoGirls_nl.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\windows\system32\mscnt.exe
    C:\WINDOWS\System32\WUAUMQR.EXE
    C:\WINDOWS\SYSTEM32\lptask.exe
    C:\windows\system32\win32info.exe
    C:\program files\primesoft\safesearch\safesearch.exe
    C:\windows\system32\nscntrl.exe
    C:\WINDOWS\ljmlok.exe
    C:\Program Files\ClearSearch\Loader.exe
    C:\WINDOWS\System32\SahAgent.exe
    C:\windows\msbb.exe
    C:\WINDOWS\System32\hit.exe
    C:\Program Files\NoAds\NoAds.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\PROGRA~1\CLOCKS~1\Sync.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\DAP\DAP.EXE
    C:\hijack this\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://bestchild.awmhost.net/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/Startportal/Portal/portal.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.supret.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.martfinder.com/reindex.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=129226
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bestchild.awmhost.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://bestchild.awmhost.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://bestchild.awmhost.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.enhancedSearch.com/sidesearch.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.enhancedSearch.com/search.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.enhancedSearch.com/search.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.enhancedSearch.com/search.asp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/Startportal/Portal/portal.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = file:///C:/Program%20Files/MS-Connect/Portal/portal.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://coolwebsearch.info
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.martfinder.com/reindex.html
    R3 - URLSearchHook: (no name) - _{341FB59F-3507-443b-8147-423B4E3B2B15} - (no file)
    F1 - win.ini: run=c:\windows\system32\main16.exe
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\System32\SafeSearch.dll
    O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} -   ¦ (file missing)
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} -   ¦ (file missing)
    O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} -   ¦ (file missing)
    O2 - BHO: (no name) - {000E7270-CC7A-0786-8E7A-DA09B51938A6} -   ¦ (file missing)
    O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} -   ¦ (file missing)
    O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} -   ¦ (file missing)
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} -   ¦ (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -   ¦ (file missing)
    O2 - BHO: (no name) - {702AD576-FDDB-4d0f-9811-A43252064684} -   ¦C:\Program Files\Common Files\OE\toolbar.dll (file missing)
    O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} -   ¦C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -   ¦c:\program files\google\googletoolbar1.dll (file missing)
    O2 - BHO: (no name) - {C77E900A-FF55-400E-9BAA-E042C8212898} -   ¦C:\Program Files\Simpelinternet\Easybar\ToolbarStarter.dll (file missing)
    O2 - BHO: (no name) - {D48F2E28-68E2-4920-9848-D6E6C7AB3EB7} -   ¦C:\Program Files\Common Files\OE\redirector.dll (file missing)
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} -   ¦C:\WINDOWS\nem214.dll (file missing)
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: &Search Toolbar - {702AD576-FDDB-4d0f-9811-A43252064684} -   ¦C:\Program Files\Common Files\OE\toolbar.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 6\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Eac_Download] C:\Program Files\Common Files\eAcceleration\download.exe -k
    O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
    O4 - HKLM\..\Run: [comctl32] C:\WINDOWS\comctl_32.exe
    O4 - HKLM\..\Run: [Real-Tens] "C:\Program Files\Real-Tens\Real-Tens.exe" /H
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [MemoryMeter] C:\Program Files\MemoryMeter\MemoryMeter.exe
    O4 - HKLM\..\Run: [TVMD] C:\WINDOWS\TVMD.exe
    O4 - HKLM\..\Run: [BFILOSV] C:\WINDOWS\BFILOSV.exe
    O4 - HKLM\..\Run: [RDLL] RunDll16.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
    O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [VideoGirls_nl] C:\Program Files\GMSoft\Dialers\VideoGirls_nl\VideoGirls_nl.exe /dontdial
    O4 - HKLM\..\Run: [Mscnt] c:\windows\system32\mscnt.exe /noconnect
    O4 - HKLM\..\Run: [Winsock2 driver] WUAUMQR.EXE
    O4 - HKLM\..\Run: [LPtask] C:\WINDOWS\SYSTEM32\lptask.exe
    O4 - HKLM\..\Run: [win32info] c:\windows\system32\win32info.exe /noconnect
    O4 - HKLM\..\Run: [SafeSearch] c:\program files\primesoft\safesearch\safesearch.exe /install
    O4 - HKLM\..\Run: [nscntrl] c:\windows\system32\nscntrl.exe /noconnect
    O4 - HKLM\..\Run: [Internet Optimizer] "c:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [vsseucrl] C:\WINDOWS\ljmlok.exe
    O4 - HKLM\..\Run: [Main16] c:\windows\system32\main16.exe
    O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
    O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
    O4 - HKLM\..\Run: [sprivsm] C:\WINDOWS\System32\sprivsm.exe
    O4 - HKLM\..\Run: [lntsesst] C:\WINDOWS\System32\lntsesst.exe
    O4 - HKLM\..\Run: [msbb] C:\windows\msbb.exe
    O4 - HKLM\..\Run: [Diskstart] C:\WINDOWS\System32\hit.exe
    O4 - HKLM\..\RunServices: [RDLL] RunDll16.exe
    O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
    O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\chost00000\11716817.exe -remove
    O4 - HKCU\..\Run: [Main16] c:\windows\system32\main16.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\RunOnce: [Winsock2 driver] WUAUMQR.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: officejet 6100.lnk = ?
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
    O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
    O9 - Extra 'Tools' menuitem: AV Live (HKLM)
    O9 - Extra button: Translate (HKLM)
    O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: Descargas (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://63.102.226.240:8000/Java/cfs40301.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://www.andlotsmore.com/factory/058343nl.exe
    O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} - http://directplugin.com/tl4000.dll
    O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_pack_XP.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://www.p3.postbank.nl/GTO/PBGNX.cab
    O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} - http://cdn.climaxbucks.com/mt/dialers/fc/UniDistIO.CAB
    O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/crack.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0EA30D00-2D2B-4931-AFAC-8F0D1BC2FA1A}: NameServer = 194.134.5.55,194.134.5.5
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0EA30D00-2D2B-4931-AFAC-8F0D1BC2FA1A}: NameServer = 194.134.5.55,194.134.5.5
    O17 - HKLM\System\CS3\Services\Tcpip\..\{0EA30D00-2D2B-4931-AFAC-8F0D1BC2FA1A}: NameServer = 194.134.5.55,194.134.5.5

    THANK YOU!
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi sergio 007,

    I hope you are not on dial-up :eek:

    First download and run RapidBlaster Killer:
    http://www.wilderssecurity.net/specialinfo/rapidblaster.html

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://bestchild.awmhost.net/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/Startportal/Portal/portal.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.supret.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.martfinder.com/reindex.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=129226
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bestchild.awmhost.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://bestchild.awmhost.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://bestchild.awmhost.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.enhancedSearch.com/sidesearch.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.enhancedSearch.com/search.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.enhancedSearch.com/search.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.enhancedSearch.com/search.asp

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/Startportal/Portal/portal.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = file:///C:/Program%20Files/MS-Connect/Portal/portal.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://coolwebsearch.info
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.martfinder.com/reindex.html
    R3 - URLSearchHook: (no name) - _{341FB59F-3507-443b-8147-423B4E3B2B15} - (no file)
    F1 - win.ini: run=c:\windows\system32\main16.exe
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\System32\SafeSearch.dll
    O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - ¦ (file missing)
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - ¦ (file missing)
    O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - ¦ (file missing)
    O2 - BHO: (no name) - {000E7270-CC7A-0786-8E7A-DA09B51938A6} - ¦ (file missing)
    O2 - BHO: (no name) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - ¦ (file missing)
    O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - ¦ (file missing)
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - ¦ (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - ¦ (file missing)
    O2 - BHO: (no name) - {702AD576-FDDB-4d0f-9811-A43252064684} - ¦C:\Program Files\Common Files\OE\toolbar.dll (file missing)
    O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - ¦C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - ¦c:\program files\google\googletoolbar1.dll (file missing)
    O2 - BHO: (no name) - {C77E900A-FF55-400E-9BAA-E042C8212898} - ¦C:\Program Files\Simpelinternet\Easybar\ToolbarStarter.dll (file missing)
    O2 - BHO: (no name) - {D48F2E28-68E2-4920-9848-D6E6C7AB3EB7} - ¦C:\Program Files\Common Files\OE\redirector.dll (file missing)
    O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - ¦C:\WINDOWS\nem214.dll (file missing)
    O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
    O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll (file missing)

    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: &Search Toolbar - {702AD576-FDDB-4d0f-9811-A43252064684} - ¦C:\Program Files\Common Files\OE\toolbar.dll (file missing)

    O4 - HKLM\..\Run: [Eac_Download] C:\Program Files\Common Files\eAcceleration\download.exe -k

    O4 - HKLM\..\Run: [comctl32] C:\WINDOWS\comctl_32.exe
    O4 - HKLM\..\Run: [Real-Tens] "C:\Program Files\Real-Tens\Real-Tens.exe" /H

    O4 - HKLM\..\Run: [rb32 lptt01] "C:\Program Files\rb32\rb32.exe"
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [MemoryMeter] C:\Program Files\MemoryMeter\MemoryMeter.exe
    O4 - HKLM\..\Run: [TVMD] C:\WINDOWS\TVMD.exe
    O4 - HKLM\..\Run: [BFILOSV] C:\WINDOWS\BFILOSV.exe
    O4 - HKLM\..\Run: [RDLL] RunDll16.exe

    O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
    O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe

    O4 - HKLM\..\Run: [VideoGirls_nl] C:\Program Files\GMSoft\Dialers\VideoGirls_nl\VideoGirls_nl.exe /dontdial
    O4 - HKLM\..\Run: [Mscnt] c:\windows\system32\mscnt.exe /noconnect
    O4 - HKLM\..\Run: [Winsock2 driver] WUAUMQR.EXE
    O4 - HKLM\..\Run: [LPtask] C:\WINDOWS\SYSTEM32\lptask.exe
    O4 - HKLM\..\Run: [win32info] c:\windows\system32\win32info.exe /noconnect
    O4 - HKLM\..\Run: [SafeSearch] c:\program files\primesoft\safesearch\safesearch.exe /install
    O4 - HKLM\..\Run: [nscntrl] c:\windows\system32\nscntrl.exe /noconnect
    O4 - HKLM\..\Run: [Internet Optimizer] "c:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [vsseucrl] C:\WINDOWS\ljmlok.exe
    O4 - HKLM\..\Run: [Main16] c:\windows\system32\main16.exe
    O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
    O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
    O4 - HKLM\..\Run: [sprivsm] C:\WINDOWS\System32\sprivsm.exe
    O4 - HKLM\..\Run: [lntsesst] C:\WINDOWS\System32\lntsesst.exe
    O4 - HKLM\..\Run: [msbb] C:\windows\msbb.exe
    O4 - HKLM\..\Run: [Diskstart] C:\WINDOWS\System32\hit.exe
    O4 - HKLM\..\RunServices: [RDLL] RunDll16.exe

    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
    O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\chost00000\11716817.exe -remove
    O4 - HKCU\..\Run: [Main16] c:\windows\system32\main16.exe

    O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://www.andlotsmore.com/factory/058343nl.exe
    O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} - http://directplugin.com/tl4000.dll
    O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_pack_XP.cab

    O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} - http://cdn.climaxbucks.com/mt/dialers/fc/UniDistIO.CAB
    O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab
    O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/crack.CAB

    Then reboot into safe mode
    and delete:
    C:\Program Files\MyWay <= entire folder
    C:\Program Files\Common Files\eAcceleration <= entire folder
    C:\WINDOWS\comctl_32.exe
    C:\Program Files\Real-Tens <= entire folder
    C:\Program Files\ISTsvc <= entire folder
    C:\Program Files\MemoryMeter <= entire folder
    C:\WINDOWS\TVMD.exe
    RunDll16.exe
    C:\Program Files\Orbit <= entire folder
    C:\Program Files\GMSoft <= entire folder
    c:\windows\system32\mscnt.exe
    WUAUMQR.EXE
    c:\windows\system32\win32info.exe
    c:\program files\primesoft\safesearch <= entire folder
    c:\windows\system32\nscntrl.exe
    c:\Program Files\Internet Optimizer <= entire folder
    C:\WINDOWS\ljmlok.exe
    C:\WINDOWS\Belt.exe
    C:\Program Files\ClearSearch <= entire folder
    C:\WINDOWS\System32\SahAgent.exe
    C:\windows\msbb.exe
    C:\WINDOWS\System32\hit.exe
    c:\program files\CLOCKSync <= entire folder
    c:\program files\GlobalDialer <= entire folder

    And could you please zip up these files and mail them to the address in my profile:
    c:\windows\system32\main16.exe
    C:\WINDOWS\SYSTEM32\lptask.exe
    C:\WINDOWS\System32\sprivsm.exe
    C:\WINDOWS\System32\lntsesst.exe

    Then download Spybot - Search & Destroy
    After installing, first press Online, and search for, put a check mark at, and install all updates.
    Next, close all IE windows, hit 'Check for Problems', and have SpyBot remove all it marks in red.

    Or, download Ad-Aware at lavasoft.usa.com
    After installing AAW, and before running the program, update by using the Globe icon.
    Shut down and restart Ad-Aware.
    Now press "Scan Now", "Select drives\folders to scan" and select the active partition (usually C: ), then 'next', and let Ad-Aware scan your drives.
    It will find a number of "bad" files and registry keys. Click 'Next' again.
    Rightclick in that pane and choose "select all" and click 'next'.
    It will ask you whether you'd like to remove all checked items. Click OK.
    Finally, close Ad-Aware, and reboot.

    Also do an online virusscan, you will find several listed here: http://www.wilders.org/free_services.htm

    Then post a new log, please.

    Regards,

    Pieter
     
  3. sergio 0077

    sergio 0077 Guest

    Hi,
    Can not run rbkiller.exe i get the next error: Component'mscomctl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid.

    I'm bussy scan my pc now so if i done i will mail my log.

    I could not delete:\windows\system32\hit.exe

    About the files you asked me i already mailed you.

    i will send the new logfile if the scan is done!

    Thanks
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Download and run: http://www.javacoolsoftware.com/missingfilesetup.exe

    to get RapidBlaster killer going.

    Regards,

    Pieter
     
  5. sergio 077

    sergio 077 Guest

    Hi Pieter,

    This is my file log now:

    Logfile of HijackThis v1.97.7
    Scan saved at 5:54:30 PM, on 2/5/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Iomega HotBurn\Autolaunch.exe
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\WUAUMQR.EXE
    C:\WINDOWS\System32\hit.exe
    C:\Program Files\NoAds\NoAds.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\PROGRA~1\DAP\DAP.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\hijack this\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/Startportal/Portal/portal.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/Startportal/Portal/portal.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R3 - URLSearchHook: (no name) - _{341FB59F-3507-443b-8147-423B4E3B2B15} - (no file)
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\System32\SafeSearch.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 6\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
    O4 - HKLM\..\Run: [comctl32] C:\WINDOWS\comctl_32.exe
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Winsock2 driver] WUAUMQR.EXE
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [Diskstart] C:\WINDOWS\System32\hit.exe
    O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\RunOnce: [Winsock2 driver] WUAUMQR.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: officejet 6100.lnk = ?
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
    O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
    O9 - Extra 'Tools' menuitem: AV Live (HKLM)
    O9 - Extra button: Translate (HKLM)
    O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: Descargas (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://63.102.226.240:8000/Java/cfs40301.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://www.p3.postbank.nl/GTO/PBGNX.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0EA30D00-2D2B-4931-AFAC-8F0D1BC2FA1A}: NameServer = 194.134.5.55,194.134.5.5
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0EA30D00-2D2B-4931-AFAC-8F0D1BC2FA1A}: NameServer = 194.134.5.55,194.134.5.5
    O17 - HKLM\System\CS3\Services\Tcpip\..\{0EA30D00-2D2B-4931-AFAC-8F0D1BC2FA1A}: NameServer = 194.134.5.55,194.134.5.5


    thanks
    sergio
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi sergio,

    That looks much better. Let's get rid of that stubborn Dutch dialer.

    Use TaskManager to endtask hit.exe
    Then delete:
    C:\WINDOWS\System32\hit.exe
    C:\Program Files\Startportal <= entire folder

    Then have HijackThis Fix:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Program%20Files/Startportal/Portal/portal.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = file:///C:/Program%20Files/Startportal/Portal/portal.html

    R3 - URLSearchHook: (no name) - _{341FB59F-3507-443b-8147-423B4E3B2B15} - (no file)
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\System32\SafeSearch.dll

    O4 - HKLM\..\Run: [comctl32] C:\WINDOWS\comctl_32.exe

    O4 - HKLM\..\Run: [Winsock2 driver] WUAUMQR.EXE

    O4 - HKLM\..\Run: [Diskstart] C:\WINDOWS\System32\hit.exe

    O4 - HKCU\..\RunOnce: [Winsock2 driver] WUAUMQR.EXE

    Then reboot again and post a new log please.

    Regards,

    Pieter
     
  7. sergio070

    sergio070 Guest

    Hi pieter,

    If i use alt/contr/del to open my taskmanager it starts up and in 2 seconds it is gone. And i cant open it in C:windows/taskman.exe.
    What to do now?
    thanks!
    sergio
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi sergio,

    - Boot into safe mode.

    - Run HijackThis and fix the items I listed

    - Delete the items I listed + C:\WINDOWS\System32\WUAUMQR.EXE

    Then boot normally, reinstall Avast, update it and run a full system scan.
    It is the Spybot worm that is stopping TaskManager (and regedit).

    Regards,

    Pieter
     
  9. sergio77

    sergio77 Guest

    Hi Pieter,
    I have scan my disks with avast now.

    My new logfile is:

    Logfile of HijackThis v1.97.7
    Scan saved at 1:05:13 PM, on 2/6/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Iomega HotBurn\Autolaunch.exe
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\NoAds\NoAds.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Hot_Pleasureupdate.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\hijack this\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchcentral.cc/search.php?v=4&aff=2869
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchcentral.cc/index.php?v=4&aff=2869
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dwt.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 6\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [Hot_Pleasure] c:\program files\dialers\hot_pleasure\hot_pleasure.exe /noconnect
    O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKLM\..\RunOnce: [tlc] C:\WINDOWS\update12.js
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: officejet 6100.lnk = ?
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
    O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
    O9 - Extra 'Tools' menuitem: AV Live (HKLM)
    O9 - Extra button: Translate (HKLM)
    O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: Descargas (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://63.102.226.240:8000/Java/cfs40301.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://www.p3.postbank.nl/GTO/PBGNX.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0EA30D00-2D2B-4931-AFAC-8F0D1BC2FA1A}: NameServer = 194.134.5.55,194.134.5.5
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0EA30D00-2D2B-4931-AFAC-8F0D1BC2FA1A}: NameServer = 194.134.5.55,194.134.5.5
    O17 - HKLM\System\CS3\Services\Tcpip\..\{0EA30D00-2D2B-4931-AFAC-8F0D1BC2FA1A}: NameServer = 194.134.5.55,194.134.5.5


    what to do furter now?

    thanks

    sergio
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    At least you seem to be rid of the Spybot.worm, but you have been infected with a dialer and another variant of CWS.

    Download and run: http://www.merijn.org/files/CWShredder.exe

    Then have Hijackthis fix:
    O4 - HKLM\..\Run: [Hot_Pleasure] c:\program files\dialers\hot_pleasure\hot_pleasure.exe /noconnect

    Reboot and delete:
    c:\program files\dialers <= entire folder

    Then install all Windows updates available.

    Then post a new log.

    Regards,

    Pieter
     
  11. sergi 007

    sergi 007 Guest

    hi pieter,
    I updated windows, but can not install the sp1, because my registration code is not good.

    Here is my new logfile:

    Logfile of HijackThis v1.97.7
    Scan saved at 3:17:56 PM, on 2/6/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashserv.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Iomega HotBurn\Autolaunch.exe
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    C:\Program Files\NoAds\NoAds.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\hijack this\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchcentral.cc/search.php?v=4&aff=2869
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchcentral.cc/index.php?v=4&aff=2869
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dwt.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 6\SnagItIEAddin.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

    what's nexto_O

    thanks
    Sergio
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: officejet 6100.lnk = ?
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
    O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
    O9 - Extra 'Tools' menuitem: AV Live (HKLM)
    O9 - Extra button: Translate (HKLM)
    O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: Descargas (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://63.102.226.240:8000/Java/cfs40301.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://www.p3.postbank.nl/GTO/PBGNX.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0EA30D00-2D2B-4931-AFAC-8F0D1BC2FA1A}: NameServer = 194.134.5.55,194.134.5.5
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0EA30D00-2D2B-4931-AFAC-8F0D1BC2FA1A}: NameServer = 194.134.5.55,194.134.5.5
    O17 - HKLM\System\CS3\Services\Tcpip\..\{0EA30D00-2D2B-4931-AFAC-8F0D1BC2FA1A}: NameServer = 194.134.5.55,194.134.5.5
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi sergi 007,

    There are some more preventive measures you can take:
    http://boards.cexx.org/viewtopic.php?t=957.

    But I would consider using another browser if you can't patch up IE.
    Opera: http://www.opera.com/
    Mozilla Firebird: http://www.mozilla.org/

    Use HijackThis to get rid of these:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchcentral.cc/search.php?v=4&aff=2869
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchcentral.cc/index.php?v=4&aff=2869

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

    And stay out of the danger zone. ;)

    Regards,

    Pieter
     
  13. sergio0700

    sergio0700 Guest

    hi Pieter,

    Thank you very much for your Help!
    I will stay out of the danger zone! ;)

    Thanks again!

    Sergio!
     
Thread Status:
Not open for further replies.