nuke this crap (HijackThis log included)

Discussion in 'adware, spyware & hijack cleaning' started by emperor25569, Jun 19, 2004.

Thread Status:
Not open for further replies.
  1. emperor25569

    emperor25569 Registered Member

    Joined:
    Jun 19, 2004
    Posts:
    4
    I'm getting a datahelm popup that will not go away at all! It says it's from my ISP and I need to click yes to continue. I have to Alt-F4 IE to close it... Also, Regedit cannot be opened... it closes down every time I try to use it.


    Ran Ad-Aware before HijackThis.



    Logfile of HijackThis v1.97.7
    Scan saved at 1:11:08 AM, on 6/19/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\wuammgr32.exe
    C:\WINDOWS\soundman.exe
    C:\WINDOWS\System32\desktop.exe
    C:\windows\system32\mstask32.exe
    C:\WINDOWS\System32\ipconfigs.exe
    C:\WINDOWS\System32\ZONEALARM.EXE
    C:\WINDOWS\System32\wugrds.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\WINDOWS\System32\ipconfigs.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GXNNED1M\HijackThis[1].exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O4 - HKLM\..\Run: [Microsoft Update] wuammgr32.exe
    O4 - HKLM\..\Run: [win updates] wugrds.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [desktop] C:\WINDOWS\System32\desktop.exe
    O4 - HKLM\..\Run: [Windows Task Scheduler] C:\windows\system32\mstask32.exe
    O4 - HKLM\..\Run: [IPConfig] ipconfigs.exe
    O4 - HKLM\..\Run: [Winsock2 driver] ZONEALARM.EXE
    O4 - HKLM\..\RunServices: [Microsoft Update] wuammgr32.exe
    O4 - HKLM\..\RunServices: [win updates] wugrds.exe
    O4 - HKLM\..\RunServices: [Windows Task Scheduler] C:\windows\system32\mstask32.exe
    O4 - HKLM\..\RunServices: [IPConfig] ipconfigs.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [win updates] wugrds.exe
    O4 - HKCU\..\Run: [Microsoft Update] wuammgr32.exe
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\RunOnce: [Winsock2 driver] ZONEALARM.EXE
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {423E32C6-2EC6-11D3-A65D-005004055C6C} (NCSToolBar Class) - http://mapserver.lib.uconn.edu/ecwplugins/ncs.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38136.5809259259
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. emperor25569

    bumping this to top, can someone help?
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi emperor25569,

    I think what you need is an AntiVirus.


    Before you start, please unzip hijackthis.exe to a folder of its own. The program creates backups in the folder it is in. In a Temp folder they easily disappear.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [Microsoft Update] wuammgr32.exe
    O4 - HKLM\..\Run: [win updates] wugrds.exe

    O4 - HKLM\..\Run: [desktop] C:\WINDOWS\System32\desktop.exe
    O4 - HKLM\..\Run: [Windows Task Scheduler] C:\windows\system32\mstask32.exe
    O4 - HKLM\..\Run: [IPConfig] ipconfigs.exe
    O4 - HKLM\..\Run: [Winsock2 driver] ZONEALARM.EXE
    O4 - HKLM\..\RunServices: [Microsoft Update] wuammgr32.exe
    O4 - HKLM\..\RunServices: [win updates] wugrds.exe
    O4 - HKLM\..\RunServices: [Windows Task Scheduler] C:\windows\system32\mstask32.exe
    O4 - HKLM\..\RunServices: [IPConfig] ipconfigs.exe

    O4 - HKCU\..\Run: [win updates] wugrds.exe
    O4 - HKCU\..\Run: [Microsoft Update] wuammgr32.exe

    O4 - HKCU\..\RunOnce: [Winsock2 driver] ZONEALARM.EXE

    Then reboot and do an online scan. You will find several listed here: http://www.wilders.org/free_services_m.htm

    Keep us posted on your progress.

    Regards,

    Pieter
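A triage helper for the O4 autostart lines Pieter picks out above. This is an added example, not HijackThis code or anything posted in the thread; the scoring rules (an entry in RunServices, the same name in several autostart locations, a bare filename, an OS- or security-sounding name backed by a loose System32 binary) are my own heuristics, and the sample lines are a constructed subset of the first log.

```python
import re
from collections import defaultdict
# Constructed sample: a subset of the O4 lines from the thread's first HijackThis log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Microsoft Update] wuammgr32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Task Scheduler] C:\windows\system32\mstask32.exe
O4 - HKLM\..\Run: [Winsock2 driver] ZONEALARM.EXE
O4 - HKLM\..\RunServices: [Microsoft Update] wuammgr32.exe
O4 - HKLM\..\RunServices: [Windows Task Scheduler] C:\windows\system32\mstask32.exe
O4 - HKCU\..\Run: [Microsoft Update] wuammgr32.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\RunOnce: [Winsock2 driver] ZONEALARM.EXE
"""
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
# Quoted path, or an unquoted path/filename up to its .exe (paths may contain spaces).
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)(?:\s|$)', re.IGNORECASE)
# Words malware borrows so an autostart entry reads like an OS or security component.
LOOKALIKE_WORDS = ("microsoft", "windows", "update", "winsock", "driver", "scheduler")

def parse_o4(log):
    """Yield (hive, key, name, command) for each O4 autostart line in a HijackThis log."""
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            yield m.groups()

def triage_o4(log):
    """Score each autostart name; a high score means 'look closer', not proof of malware."""
    by_name = defaultdict(list)
    for entry in parse_o4(log):
        by_name[entry[2]].append(entry)
    report = {}
    for name, items in by_name.items():
        keys = {(hive, key) for hive, key, _, _ in items}
        m = EXE_RE.match(items[0][3])
        exe = ((m.group(1) or m.group(2)) if m else items[0][3]).lower()
        bare = "\\" not in exe                       # no install dir: found via the search path
        lookalike = any(w in name.lower() for w in LOOKALIKE_WORDS)
        checks = [
            (any(k == "RunServices" for _, k in keys), 2, "uses RunServices, a Win9x-era key XP does not honour"),
            (len(keys) >= 3, 2, f"same name registered in {len(keys)} autostart locations"),
            (bare, 1, "bare filename instead of a full path"),
            (lookalike and (bare or "\\system32\\" in exe), 2, "OS/security-sounding name on a loose System32 binary"),
        ]
        report[name] = (sum(p for hit, p, _ in checks if hit), [r for hit, _, r in checks if hit])
    return report

def suspicious(log, threshold=2):
    return sorted(n for n, (s, _) in triage_o4(log).items() if s >= threshold)
```

On the sample, the three names Pieter told the poster to fix come out on top while NvCplDaemon and Window Washer stay below the threshold; the reasons list says why each one scored.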
     
  4. emperor25569

    OK, did as I was told to, also got an antivirus and a firewall, and ran the antivirus.
    Regedit is now able to be opened again.

    The antivirus found a bridge.dll that it could not delete, so I went into Regedit (thanks! you got it back for me!) and killed it.

    Here is the latest HijackThis file:


    Logfile of HijackThis v1.97.7
    Scan saved at 5:48:32 AM, on 6/20/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\soundman.exe
    C:\windows\system32\mstask32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\ipconfigs.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ipconfigs.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Desktop\hackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [desktop] C:\WINDOWS\System32\desktop.exe
    O4 - HKLM\..\Run: [Windows Task Scheduler] C:\windows\system32\mstask32.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [IPConfig] ipconfigs.exe
    O4 - HKLM\..\RunServices: [IPConfig] ipconfigs.exe
    O4 - HKLM\..\RunServices: [Windows Task Scheduler] C:\windows\system32\mstask32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)

    thank you very much for the help
     
  5. Pieter_Arntz

    Hi emperor25569,

    Nice progress, but not ready yet.


    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [desktop] C:\WINDOWS\System32\desktop.exe
    O4 - HKLM\..\Run: [Windows Task Scheduler] C:\windows\system32\mstask32.exe

    O4 - HKLM\..\Run: [IPConfig] ipconfigs.exe
    O4 - HKLM\..\RunServices: [IPConfig] ipconfigs.exe
    O4 - HKLM\..\RunServices: [Windows Task Scheduler] C:\windows\system32\mstask32.exe

    Then reboot into safe mode and delete:
    C:\windows\system32\mstask32.exe
    C:\WINDOWS\System32\ipconfigs.exe

    Regards,

    Pieter
     
  6. emperor25569

    bridge.dll has reappeared even after I deleted it.

    Did as I was told in your last post; here is the latest HijackThis file:

    Logfile of HijackThis v1.97.7
    Scan saved at 8:45:28 PM, on 6/20/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\soundman.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Owner\Desktop\hackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [IPConfig] ipconfigs.exe
    O4 - HKLM\..\RunServices: [IPConfig] ipconfigs.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)

    thanks for your help
     
  7. Pieter_Arntz

    Hi emperor25569,

    Not sure what you mean by that remark about bridge.dll.
    Can you clarify?

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [IPConfig] ipconfigs.exe
    O4 - HKLM\..\RunServices: [IPConfig] ipconfigs.exe

    The file is no longer running, so that should be final this time.

    Regards,

    Pieter
     