WORK PC, NEED HELP...

Discussion in 'adware, spyware & hijack cleaning' started by CdS, Jun 26, 2004.

Thread Status:
Not open for further replies.
  1. CdS

    CdS Registered Member

    Joined:
    Jun 5, 2004
    Posts:
    8
    I ran both Spybot and Ad-aware. This is a work PC, and I have reason to believe that the former employee has messed up this PC on purpose (another one is infected w/ viruses). There's no major problems w/ this PC, I'd just like to make sure it's running fine and I KNOW Wilders always comes through w/ the help! Thanks in advance!!!

    Logfile of HijackThis v1.97.7
    Scan saved at 10:22:32 AM, on 6/26/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    D:\Program Files\Symantec\pcAnywhere\awhost32.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    D:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe
    C:\Program Files\Washer\washer.exe
    D:\Program Files\WinZip\WZQKPICK.EXE
    D:\Program Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hot-searches.com/index.php?v=6&aff=705406
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.heafnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://D:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://D:\PROGRA~1\Toolbar\toolbar.dll/sa
    R3 - Default URLSearchHook is missing
    O1 - Hosts file is located at: C:\WINNT\nsdb\hosts
    O1 - Hosts: 81.211.105.69 lender-search.com
    O1 - Hosts: 81.211.105.68 hot-searches.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - D:\PROGRA~1\Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [CreateCD] D:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r
    O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
    O4 - HKCU\..\Run: [Weather] D:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - Global Startup: Microsoft Office.lnk.disabled
    O4 - Global Startup: TireMaster 4 Server.lnk = D:\sqlany50\win32\dbsrv50.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: WebConnect Pro 5.1.13 - http://emulator.bfentirenet.com:2080/WebConnectDU.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://mx253.sb03.com/apps/softsearch/everyone_bw_pop1.cab
    O16 - DPF: {00B7E0AB-817A-44AD-A04B-D1148D524136} - http://www.iapshop.com/msxml/msxml4.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...ovey.com/html/zoom/leadership/leadership.html
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - D:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37706.5654166667
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{533530E1-DB4B-4795-A865-C429FE25C7CF}: NameServer = 151.164.169.201,151.164.1.8
    O17 - HKLM\System\CS1\Services\Tcpip\..\{533530E1-DB4B-4795-A865-C429FE25C7CF}: NameServer = 151.164.169.201,151.164.1.8
    O17 - HKLM\System\CS2\Services\Tcpip\..\{533530E1-DB4B-4795-A865-C429FE25C7CF}: NameServer = 151.164.169.201,151.164.1.8
     
  2. CdS

    CdS Registered Member

    Joined:
    Jun 5, 2004
    Posts:
    8
    bump.
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi CdS,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hot-searches.com/index.php?v=6&aff=705406

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://D:\PROGRA~1\Toolbar\toolbar.dll/sa

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://D:\PROGRA~1\Toolbar\toolbar.dll/sa
    R3 - Default URLSearchHook is missing
    O1 - Hosts file is located at: C:\WINNT\nsdb\hosts
    O1 - Hosts: 81.211.105.69 lender-search.com
    O1 - Hosts: 81.211.105.68 hot-searches.com

    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - D:\PROGRA~1\Toolbar\toolbar.dll

    Download and run: CWShredder
    Use the Fix button and follow the instructions you will receive.

    Then reboot and delete:
    C:\WINNT\nsdb <= entire folder
    D:\PROGRAM FILES\Toolbar <= entire folder

    Also read https://www.wilderssecurity.com/showthread.php?t=26670 for additional instructions.

    Regards,

    Pieter
     
  4. CdS

    CdS Registered Member

    Joined:
    Jun 5, 2004
    Posts:
    8
    Pieter, thank you sooo much!!! This is the 2nd time you've saved me! Just like your quote says "It´s nice to be important, but it´s more important to be nice." You rawk!!!
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.