Please, help me

Discussion in 'adware, spyware & hijack cleaning' started by sandrinemail_2000, May 16, 2004.

Thread Status:
Not open for further replies.
  1. sandrinemail_2000

    sandrinemail_2000 Registered Member

    Joined:
    May 16, 2004
    Posts:
    1
    I have a problem with Ipend: everytime I cancel it from regedit, it reappears. How can I cancel it ?
    I send you the log file made by hijackthis on my computer: which string do I need to cancel?

    Thank in advance for your help
     

    Attached Files:

  2. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    here is the log for better viewing:
    Logfile of HijackThis v1.97.7
    Scan saved at 23.49.40, on 16/05/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
    C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programmi\File comuni\Symantec Shared\ccProxy.exe
    C:\Programmi\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Programmi\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\carpserv.exe
    C:\WINDOWS\System32\GSICON.EXE
    C:\WINDOWS\System32\dslagent.exe
    C:\Programmi\File comuni\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Programmi\MSN Messenger\MsnMsgr.Exe
    C:\Programmi\WinZip\WZQKPICK.EXE
    C:\Programmi\OpenOffice.org1.0.1\program\soffice.exe
    C:\Programmi\Messenger\msmsgs.exe
    C:\Programmi\Internet Explorer\iexplore.exe
    C:\Programmi\File comuni\Symantec Shared\NMain.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\navw32.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\test qualità\Impostazioni locali\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?si-001
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=78615
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?si-001
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?si-001
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.olidata.it
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = "C:\Programmi\Outlook Express\msimn.exe"
    O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - C:\WINDOWS\System32\mskceo.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\System32\mskhhe.dll
    O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - C:\WINDOWS\System32\msdaim.dll (file missing)
    O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINDOWS\System32\mskpkc.dll
    O2 - BHO: (no name) - {447160CD-ECF5-4EA2-8A8A-1F70CA363F85} - C:\WINDOWS\System32\msibkd.dll
    O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - C:\WINDOWS\System32\msjfbl.dll
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {CC916B4B-BE44-4026-A19D-8C74BBD23361} - C:\WINDOWS\System32\msedah.dll
    O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\System32\msnkmi.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Programmi\Norton Internet Security\UrlLstCk.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programmi\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe
    O4 - HKCU\..\Run: [DealHelperDown] "C:\Documents and Settings\test qualità\Impostazioni locali\Temp\ms8.tmp"
    O4 - Startup: OpenOffice.org 1.0.1.lnk = C:\Programmi\OpenOffice.org1.0.1\program\quickstart.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programmi\WinZip\WZQKPICK.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: SmartWhois (HKLM)
    O9 - Extra 'Tools' menuitem: SmartWhois (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.olidata.it
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://fr.encyclopedia.yahoo.com/rsc/tdserver.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/14472c5b58b9b4840a05/netzip/RdxIE601_it.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37905.6086574074
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D5AE4F4A-AB7E-407A-8DA1-72E5C3308481}: NameServer = 217.141.110.203 151.99.125.1
     
  3. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    hi

    first, you are running hijackthis from a temporary folder. that is not recommended, so unzip hijackthis to a folder of its own, like c:\hijackthis for example and run it from there

    download cwshredder from http://www.merijn.org/files/cwshredder.zip

    unzip it and then
    run it> click on FIX

    next

    1. Download and install Adaware (free edition) . (Click on "Adaware" in the left-hand column near the top at their website to download the free edition.)

    2. Go to Start > Programs > Lavasoft and click on AdAware 6 to open the program

    3. Look at the icons on the top right of the page and click on the ‘world’ and let AdAware update the spyware reference list

    4. Once the update is finished click on the ‘Gear’ icon (second from the left) to access the preferences/settings window

    1. In the ‘General’ window make sure the following are selected:
    · Automatically save log-file
    · Automatically quarantine objects prior to removal
    · Safe Mode (always request confirmation)

    2. Click on the ‘Scanning’ button on the left and select :
    · Scan Within Archives
    · Scan Active Processes
    · Scan Registry
    · Deep Scan Registry
    · Scan my IE favorites for banned URL’s
    · Scan my Hosts file
    · Under ‘Click here to select drives + folders’, choose:
    · All of your hard drives

    3. Click on the ‘Advanced’ button on the left and select:
    · Include additional process information
    · Include additional file information
    · Include environment information
    · Include additional object details

    4. Click the ‘Tweak’ button and select:
    · Under the ‘Scanning Engine’:
    · Unload recognized processes during scanning
    · Include basic Ad-aware settings in logfile
    · Include additional Ad-aware settings in logfile
    · Under the ‘Cleaning Engine’:
    · Let Windows remove files in use at next reboot

    5. Click on ‘Proceed’ to save the settings.

    6. Click ‘Start’ and on the next screen choose ‘Activate in-depth Scan’ at the bottom of the page and then choose:
    · Use Custom Scanning Options

    7. Click ‘Next’ and AdAware will scan your hard drive(s) with the options you have selected.

    8. Save the log file when it asks and then click ‘finish’

    9. REBOOT
    ----------------------------------------------------------
    SPYBOT SEARCH & DESTROY

    1. Next, download and install Spybot Search and Destroy .

    2. Go to Start > Programs >Spybot - Search & Destroy and choose ‘Spybot S&D - easy mode’

    3. Close ALL windows except Spybot S&D

    4. Click the button to ‘Search for Updates’ and download and install the Updates.

    5. Next click the button ‘Check for Problems’

    6. When Spybot is complete, it will be showing ‘RED’ entries ‘BLACK’ entries and ‘GREEN’ entries in the window

    7. Put a check mark beside the RED entries ONLY.

    8. Choose ‘Fix Selected Problems’ and allow Spybot to fix the RED entries.

    9. REBOOT

    then post a fresh hijackthis log
     
Thread Status:
Not open for further replies.