WORK PC, NEED HELP...

Discussion in 'adware, spyware & hijack cleaning' started by CdS, Jun 26, 2004.

Thread Status:
Not open for further replies.
  1. CdS

    CdS Registered Member

    Joined:
    Jun 5, 2004
    Posts:
    8
    I ran both Spybot and Ad-aware. This is a work PC, and I have reason to believe that the former employee has messed up this PC on purpose (another one is infected w/ viruses). There's no major problems w/ this PC, I'd just like to make sure it's running fine and I KNOW Wilders always comes through w/ the help! Thanks in advance!!!

    Logfile of HijackThis v1.97.7
    Scan saved at 10:22:32 AM, on 6/26/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    D:\Program Files\Symantec\pcAnywhere\awhost32.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    D:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe
    C:\Program Files\Washer\washer.exe
    D:\Program Files\WinZip\WZQKPICK.EXE
    D:\Program Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hot-searches.com/index.php?v=6&aff=705406
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.heafnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://D:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://D:\PROGRA~1\Toolbar\toolbar.dll/sa
    R3 - Default URLSearchHook is missing
    O1 - Hosts file is located at: C:\WINNT\nsdb\hosts
    O1 - Hosts: 81.211.105.69 lender-search.com
    O1 - Hosts: 81.211.105.68 hot-searches.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - D:\PROGRA~1\Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [CreateCD] D:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r
    O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
    O4 - HKCU\..\Run: [Weather] D:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - Global Startup: Microsoft Office.lnk.disabled
    O4 - Global Startup: TireMaster 4 Server.lnk = D:\sqlany50\win32\dbsrv50.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: WebConnect Pro 5.1.13 - http://emulator.bfentirenet.com:2080/WebConnectDU.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://mx253.sb03.com/apps/softsearch/everyone_bw_pop1.cab
    O16 - DPF: {00B7E0AB-817A-44AD-A04B-D1148D524136} - http://www.iapshop.com/msxml/msxml4.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...ovey.com/html/zoom/leadership/leadership.html
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - D:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37706.5654166667
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{533530E1-DB4B-4795-A865-C429FE25C7CF}: NameServer = 151.164.169.201,151.164.1.8
    O17 - HKLM\System\CS1\Services\Tcpip\..\{533530E1-DB4B-4795-A865-C429FE25C7CF}: NameServer = 151.164.169.201,151.164.1.8
    O17 - HKLM\System\CS2\Services\Tcpip\..\{533530E1-DB4B-4795-A865-C429FE25C7CF}: NameServer = 151.164.169.201,151.164.1.8
     
  2. CdS

    CdS Registered Member

    Joined:
    Jun 5, 2004
    Posts:
    8
    bump.
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi CdS,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hot-searches.com/index.php?v=6&aff=705406

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://D:\PROGRA~1\Toolbar\toolbar.dll/sa

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://D:\PROGRA~1\Toolbar\toolbar.dll/sa
    R3 - Default URLSearchHook is missing
    O1 - Hosts file is located at: C:\WINNT\nsdb\hosts
    O1 - Hosts: 81.211.105.69 lender-search.com
    O1 - Hosts: 81.211.105.68 hot-searches.com

    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - D:\PROGRA~1\Toolbar\toolbar.dll

    Download and run: CWShredder
    Use the Fix button and follow the instructions you will receive.

    Then reboot and delete:
    C:\WINNT\nsdb <= entire folder
    D:\PROGRAM FILES\Toolbar <= entire folder

    Also read https://www.wilderssecurity.com/showthread.php?t=26670 for additional instructions.

    Regards,

    Pieter
     
  4. CdS

    CdS Registered Member

    Joined:
    Jun 5, 2004
    Posts:
    8
    Pieter, thank you sooo much!!! This is the 2nd time you've saved me! Just like your quote says "It´s nice to be important, but it´s more important to be nice." You rawk!!!
     
Thread Status:
Not open for further replies.