Help!!!

Discussion in 'privacy problems' started by Squaar, Jun 20, 2003.

Thread Status:
Not open for further replies.
  1. Squaar

    Squaar Registered Member

    Joined:
    Jun 20, 2003
    Posts:
    8
    Last Saturday I DLd Kazaa, and now when I search incorrectly I get hit with Xnredor (spelling?) and Slotch. Unsure on what to do, but was reading posts and it seems you can help. DLd HJthis and this is my log:

    Logfile of HijackThis v1.94.0
    Scan saved at 12:35:21 AM, on 6/20/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://super-websearch.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.couldnotfind.com/search_page.html?&account_id=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.attbi.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://search.xrenoder.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://srch-us4.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.couldnotfind.com/search_page.html?&account_id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.searchv.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.searchv.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://srch-us4.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://www.searchv.com/search.php?qq=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=http://search.xrenoder.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
    O1 - Hosts: 193.125.201.50 msn.com
    O1 - Hosts: 193.125.201.50 search.msn.com
    O1 - Hosts: 193.125.201.50 auto.search.msn.com
    O1 - Hosts: 193.125.201.50 ie.search.msn.com
    O1 - Hosts: 193.125.201.46 thehun.net
    O1 - Hosts: 193.125.201.46 www.thehun.net
    O1 - Hosts: 193.125.201.46 thehun.com
    O1 - Hosts: 193.125.201.46 www.thehun.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
    O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll (file missing)
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
    O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\AutoStarterR.exe
    O4 - HKLM\..\Run: [spool lptt01] "C:\Program Files\spool\spool.exe"
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: MktBrowser (HKLM)
    O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir_nr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    Thanks, any help is good help

    Mike
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Squaar,

    Welcome to Wilders. :)

    First: download and run RapidBlaster Killer. Info and download link can be found here: http://www.wilderssecurity.net/specialinfo/rapidblaster.html

    Then check the items listed below in HijackThis, then close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://super-websearch.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.couldnotfind.com/search_page.html?&account_id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://search.xrenoder.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.couldnotfind.com/search_page.html?&account_id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.searchv.com/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.searchv.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default)=http://www.searchv.com/search.php?qq=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=http://search.xrenoder.com
    O1 - Hosts: 193.125.201.50 msn.com
    O1 - Hosts: 193.125.201.50 search.msn.com
    O1 - Hosts: 193.125.201.50 auto.search.msn.com
    O1 - Hosts: 193.125.201.50 ie.search.msn.com
    O1 - Hosts: 193.125.201.46 thehun.net
    O1 - Hosts: 193.125.201.46 www.thehun.net
    O1 - Hosts: 193.125.201.46 thehun.com
    O1 - Hosts: 193.125.201.46 www.thehun.com
    O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll (file missing)
    O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
    O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
    O4 - HKLM\..\Run: [spool lptt01] "C:\Program Files\spool\spool.exe"
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - ht tp://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab

    Reboot after doing so, preferably into safe mode and delete this folder:
    C:\Program Files\ISTsvc
    Make a new HijackThis log to check if everything is really gone. Especially the R1 entries tend to take a few tries to get rid of completely.

    You may want to download either AdAware 6 or Spybot S&D to clean out the remains.

    Regards,

    Pieter
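
Added example, not part of the original posts and not HijackThis's own code: a small Python triage of the log format shown above, grouping the entry types the fix list draws on (R0/R1 browser URLs, O1 hosts-file redirects, O4 autoruns, "file missing" leftovers). The name `triage` and the output keys are assumptions; the sample lines are an excerpt of the log in the first post, and the function only surfaces entries for review without judging them.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Excerpt of the log posted above (a few lines per section).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://search.xrenoder.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.attbi.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=%SystemRoot%\system32\blank.htm
O1 - Hosts: 193.125.201.50 msn.com
O1 - Hosts: 193.125.201.50 search.msn.com
O1 - Hosts: 193.125.201.46 thehun.net
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll (file missing)
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
"""

ENTRY = re.compile(r"^\s*([A-Z]\d+) - (.+?)\s*$")   # "<code> - <body>"
HOSTS = re.compile(r"^Hosts: (\S+)\s+(\S+)$")       # "Hosts: <ip> <name>"
LOCAL_SINKS = {"127.0.0.1", "::1", "0.0.0.0"}       # normal or blocking entries

def triage(log_text):
    """Group HijackThis entries into the things an analyst reviews first."""
    out = {"hosts_redirects": defaultdict(list), "ie_url_hosts": defaultdict(list),
           "file_missing": [], "autoruns": []}
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header lines and blanks
        code, body = m.groups()
        if code == "O1":
            h = HOSTS.match(body)
            # A hosts entry pointing a name at a remote IP overrides DNS for it.
            if h and h.group(1) not in LOCAL_SINKS:
                out["hosts_redirects"][h.group(1)].append(h.group(2))
        elif code in ("R0", "R1"):
            key, _, value = body.partition("=")
            host = urlparse(value).hostname
            if host:  # skips local files such as %SystemRoot%\...\blank.htm
                out["ie_url_hosts"][host].append(key.rsplit(",", 1)[-1])
        elif code == "O4":
            out["autoruns"].append(body)
        if body.endswith("(file missing)"):
            out["file_missing"].append(body)  # registry entry outlived its file
    return out
```

Running `triage` on a log taken before and after "Fix checked" and comparing the two results shows which entries came back, which is the re-check the reply asks for.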
     
  3. Squaar

    Squaar Registered Member

    Joined:
    Jun 20, 2003
    Posts:
    8
    Well, all smiles and cheers now :D It worked almost perfectly, with the exception of
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

    Wouldn't disappear, and after a few moments of checking my processes I ended the Istvc.exe, ran HJthis and bingo, gone, and hopefully forever. Thanks for the help and advice

    Eternally grateful

    Mike
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    I love it when a plan comes together. :D

    Glad we could help,

    Pieter
     