
Thread: Strucked By Spyware From Hell! Hijackthis Log...

  1. #1 - Joakim Agren (Superman loves P2P)
    Hello!

    In the past I have always been able to get rid of spyware by using updated Ad-Aware 6 and Spybot Search & Destroy. But now I have tried to use Spy Sweeper as well and still I got this serious problem in IE after deleting tons of spyware. The problem I have is that whenever I try to click a link on a web page or use the back/forward buttons in IE it takes forever before IE reacts and initiates the search and download. I also noticed on a couple of occasions that when I tried to download application files, before I got the save dialog I got a dialog prompting me to install something called an ICOO Loader. Then the problem has just gotten worse and now, only a minute or so after I have opened IE and clicked a link, instead of getting where it should I get thrown into a massive bombing of porn pop-ups and sites, and it installs lots of spyware and attempts to install Trojans as well, but NAV 2004 Pro deletes them automatically as well. So once again I need to get rid of the spyware, for instance by using Spy Sweeper. The last time this happened I quickly opened HijackThis and saved the log. Maybe you pros can help me in figuring out what the hell I need to do to get IE functioning again (I am currently using Opera). Here is that log:

    Logfile of HijackThis v1.97.7
    Scan saved at 02:22:59, on 2004-06-18
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
    C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe
    C:\Program\Delade filer\Real\Update_OB\realsched.exe
    C:\Program\Ahead\InCD\InCD.exe
    C:\Program\Delade filer\Symantec Shared\ccApp.exe
    C:\Program\ScreenPrint32 v3\ScreenPrint32.exe
    C:\Program\iTunes\iTunesHelper.exe
    C:\Program\QuickTime\qttask.exe
    C:\Program\DU Meter\DUMeter.exe
    C:\Program\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\Program\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\System32\vzxwzdch.exe
    C:\Program\Delade filer\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program\SETI@home\[email protected]
    C:\Program\Messenger\msmsgs.exe
    C:\Program\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program\Norton AntiVirus\navapsvc.exe
    C:\Program\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program\Java\j2re1.4.2_04\bin\javaw.exe
    C:\WINDOWS\system32\scagent.exe
    C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program\iPod\bin\iPodService.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Ägare\Skrivbord\hijackthis\HijackThis.exe
    C:\Documents and Settings\Ägare\Skrivbord\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bostream.se
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sv8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://sv8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 218.86.126.226:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bostream.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://sv8.hpwis.com/
    R3 - Default URLSearchHook is missing
    O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
    O1 - Hosts: 81.211.105.69 lender-search.com
    O1 - Hosts: 81.211.105.68 hot-searches.com
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\msopt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
    O2 - BHO: sr - {FC2593E3-3E5A-410F-AF3D-82613CCE58E5} - c:\windows\sr.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-DFF7-EC7DA787AD2D} - C:\Program\PowerSearch\Toolbar\pwrsqsim.dll (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINDOWS\Downloaded Program Files\googlenav.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [ShowShifter TVTV EPG Daemon] "C:\Program\Home Media Networks Limited\ShowShifter\TVTVD.exe"
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\Program\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [ScreenPrint32] C:\Program\ScreenPrint32 v3\ScreenPrint32.exe -startup
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [DU Meter] C:\Program\DU Meter\DUMeter.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [xqd] C:\WINDOWS\xqd.exe
    O4 - HKLM\..\Run: [swjnvjmmmdru] C:\WINDOWS\System32\vzxwzdch.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program\Delade filer\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKCU\..\Run: [seticlient] C:\Program\SETI@home\[email protected] -min
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpySweeper] C:\Program\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - Startup: PartMetBackup.lnk = C:\Program\Java\j2re1.4.2_04\bin\javaw.exe
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsimilar.html
    O9 - Extra 'Tools' menuitem: Sun Java-konsol (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares...egular.cab
    O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} - http://cl55.biz/tracker/eu_cax.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar...vSniff.cab
    O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binarie...hv32_EN_XP.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/272982e5ddd6df8a80...xIE601.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar.../cabsa.cab
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/sv/big/1...gleNav.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003...scan53.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplat...curity.cab
    O16 - DPF: {94F5DCB7-816C-4B94-A2C1-856C6E323C5B} - http://akamai.downloadv3.com/binaries/L..._EN_XP.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...8073032407
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{96587776-F08D-4323-9220-42D6881CE39E}: NameServer = 212.181.54.2,212.181.54.3,194.236.29.2,194.236.29.3,212.181.52.2,212.181.52.3
    O17 - HKLM\System\CS1\Services\Tcpip\..\{96587776-F08D-4323-9220-42D6881CE39E}: NameServer = 212.181.54.2,212.181.54.3,194.236.29.2,194.236.29.3,212.181.52.2,212.181.52.3
    O17 - HKLM\System\CS2\Services\Tcpip\..\{96587776-F08D-4323-9220-42D6881CE39E}: NameServer = 212.181.54.2,212.181.54.3,194.236.29.2,194.236.29.3,212.181.52.2,212.181.52.3


    So Guys what should I do?


    Sincerely Joakim Agren!

  2. #2 - Poster
    The first thing I would do is go to add/remove programs and uninstall Twain-Tech if it is listed. If it's not listed then follow the removal instructions at pestpatrol.

    Adjust your settings for adaware and run it again after that.
    Check for updates. Click the gear at the top and change these settings:
    general > activate: automatically save log file, automatically quarantine objects prior to removal

    scanning > activate: scan within archives, scan active processes, scan registry, deep scan registry,
    scan my IE Favorites for banned sites and scan my hosts file

    tweaks > scanning engine > activate: unload recognized processes during scanning.

    tweaks > cleaning engine > activate: automatically try to unregister objects prior to deletion and let Windows remove
    files in use after reboot

    Click proceed to save your settings.

    Now run it, make sure "activate in-depth scan " is checked. Fix anything it finds.

    When you finish that post a new log.

  3. #3 - Poster
    Run an online virus scan at Trend Micro.
    See if PowerSearch is listed in add/remove programs and uninstall it.

    Some of these may be fixed by running the virus scan and adaware again, but these need to be fixed.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bostream.se
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    If you are not running this proxy then fix:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 218.86.126.226:80
    Fix:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bostream.com/

    R3 - Default URLSearchHook is missing
    O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
    O1 - Hosts: 81.211.105.69 lender-search.com
    O1 - Hosts: 81.211.105.68 hot-searches.com
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll

    O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\msopt.dll

    O2 - BHO: sr - {FC2593E3-3E5A-410F-AF3D-82613CCE58E5} - c:\windows\sr.dll

    O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-DFF7-EC7DA787AD2D} - C:\Program\PowerSearch\Toolbar\pwrsqsim.dll (file missing)

    O4 - HKLM\..\Run: [xqd] C:\WINDOWS\xqd.exe
    O4 - HKLM\..\Run: [swjnvjmmmdru] C:\WINDOWS\System32\vzxwzdch.exe

    I would fix with HijackThis all O16 entries. Any that you really need will be downloaded again when you need them.

    O17 - HKLM\System\CCS\Services\Tcpip\..\{96587776-F08D-4323-9220-42D6881CE39E}: NameServer = 212.181.54.2,212.181.54.3,194.236.29.2,194.236.29.3,212.181.52.2,212.181.52.3
    O17 - HKLM\System\CS1\Services\Tcpip\..\{96587776-F08D-4323-9220-42D6881CE39E}: NameServer = 212.181.54.2,212.181.54.3,194.236.29.2,194.236.29.3,212.181.52.2,212.181.52.3
    O17 - HKLM\System\CS2\Services\Tcpip\..\{96587776-F08D-4323-9220-42D6881CE39E}: NameServer = 212.181.54.2,212.181.54.3,194.236.29.2,194.236.29.3,212.181.52.2,212.181.52.3

    Go to these locations and delete the following files:
    C:\WINDOWS\nsdb\hosts
    C:\WINDOWS\mxTarget.dll
    C:\WINDOWS\msopt.dll
    c:\windows\sr.dll
    C:\Program\PowerSearch\Toolbar\pwrsqsim.dll ( if you did not remove with add/remove programs)
    C:\WINDOWS\xqd.exe
    C:\WINDOWS\System32\vzxwzdch.exe

    Reset your IE settings. In IE select tools>internet options>programs
    near the bottom, click "reset web settings"

    Restart and post a new hjt log.
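
    A small triage script for logs in this format, added here as an example (it is not code from the thread or from HijackThis): it applies the checks made by hand in the reply above (proxy and search settings, hosts file, BHOs, Run values, DPF controls) to lines copied from the first log and lists what a reviewer should look at. The default hosts path, the "random-looking name" heuristic and the bare-IP rule are the example's own assumptions.

```python
"""Triage helper for HijackThis 1.97-style log lines (added example, not code
from the thread or from HijackThis).  Every rule here is a heuristic that
surfaces an entry for a human to review, not a verdict on it."""
import ntpath
import re
from urllib.parse import urlparse

DEFAULT_HOSTS = r"c:\windows\system32\drivers\etc\hosts"  # XP default location
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}    # odd home for add-ons

RE_R = re.compile(r"^R[01] - [^,]+,(?P<value>[^=]+?) = (?P<data>.*)$")
RE_O1_PATH = re.compile(r"^O1 - Hosts file is located at: (?P<path>.+)$")
RE_O1_HOST = re.compile(r"^O1 - Hosts: (?P<ip>\S+) (?P<name>\S+)$")
RE_O2 = re.compile(r"^O2 - BHO: .*? - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
RE_O4 = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
RE_O16 = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")


def image_dir(cmd):
    """Lower-cased directory of the executable or DLL named in an entry."""
    path = cmd.strip().strip('"').lower()
    end = re.search(r"\.(exe|dll|ocx)", path)
    return ntpath.dirname(path[: end.end()] if end else path)


def looks_random(name):
    """True for 3+ letters with no vowel at all, or six consonants in a row."""
    letters = re.sub(r"[^A-Za-z]", "", name).lower()
    if len(letters) < 3:
        return False
    return not set("aeiouy") & set(letters) or bool(re.search(r"[^aeiouy]{6}", letters))


def triage(log_text):
    """Return (entry type, reason, line) triples for lines that warrant review."""
    findings, proxy_set = [], False

    def note(code, reason):
        findings.append((code, reason, line))

    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := RE_R.match(line):
            value, data = m.group("value"), m.group("data")
            if value == "ProxyServer":
                proxy_set = True
                note("R1", f"proxy {data} configured; confirm you set it")
            elif value == "ProxyOverride" and proxy_set:
                note("R1", "bypass list belongs to the unexpected proxy")
            elif value in ("Search Bar", "SearchAssistant") and data == "about:blank":
                note("R1", "search setting blanked, a common hijack sign")
        elif m := RE_O1_PATH.match(line):
            if m.group("path").lower() != DEFAULT_HOSTS:
                note("O1", "hosts file relocated from the default path")
        elif m := RE_O1_HOST.match(line):
            if m.group("name").lower() != "localhost":
                note("O1", f"{m.group('name')} pinned to {m.group('ip')}")
        elif m := RE_O2.match(line):
            if image_dir(m.group("path")) in WINDOWS_DIRS:
                note("O2", "BHO loaded straight from the Windows directory")
        elif m := RE_O4.match(line):
            if image_dir(m.group("cmd")) in WINDOWS_DIRS and looks_random(m.group("name")):
                note("O4", f"random-looking Run value '{m.group('name')}' in Windows dir")
        elif m := RE_O16.match(line):
            host = urlparse(m.group("url")).hostname or ""
            if not m.group("name"):
                note("O16", "ActiveX control with no friendly name")
            elif re.fullmatch(r"\d+(\.\d+){3}", host):
                note("O16", f"ActiveX control served from bare IP {host}")
    return findings


# Lines copied from the first log in this thread, trimmed to the entries of interest.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 218.86.126.226:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
O1 - Hosts file is located at: C:\WINDOWS\nsdb\hosts
O1 - Hosts: 81.211.105.69 lender-search.com
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [xqd] C:\WINDOWS\xqd.exe
O4 - HKLM\..\Run: [swjnvjmmmdru] C:\WINDOWS\System32\vzxwzdch.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} - http://cl55.biz/tracker/eu_cax.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/272982e5ddd6df8a80...xIE601.cab
"""

if __name__ == "__main__":
    for entry, reason, line in triage(SAMPLE_LOG):
        print(f"[{entry}] {reason}\n    {line}")
```

    Entries such as HotKeysCmds and the QuickTime control pass the checks, which is the point: the output is a short list to look at, not a list of things to delete.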

  4. #4 - blank
    @ Jg427 can i just say that this is one of the best replies i have ever seen. Easy to follow, not arrogant and very helpful.
    Shut that cunt’s mouth or I’ll come over there and fuckstart her head.

  5. #5 - Joakim Agren (Superman loves P2P)
    Hello!

    Thank you very much for your reply!

    I have now done as you said and here is the resulting Log:

    Logfile of HijackThis v1.97.7
    Scan saved at 04:16:03, on 2004-06-19
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
    C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\Program\Delade filer\Real\Update_OB\realsched.exe
    C:\Program\Ahead\InCD\InCD.exe
    C:\Program\Delade filer\Symantec Shared\ccApp.exe
    C:\Program\ScreenPrint32 v3\ScreenPrint32.exe
    C:\Program\iTunes\iTunesHelper.exe
    C:\Program\DU Meter\DUMeter.exe
    C:\Program\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINDOWS\System32\vzxwzdch.exe
    C:\Program\Delade filer\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\Program\SETI@home\[email protected]
    C:\Program\Messenger\msmsgs.exe
    C:\Program\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program\Ahead\InCD\InCDsrv.exe
    C:\Program\Java\j2re1.4.2_04\bin\javaw.exe
    C:\Program\Norton AntiVirus\navapsvc.exe
    C:\Program\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\system32\scagent.exe
    C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program\iPod\bin\iPodService.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Ägare\Skrivbord\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bostream.se
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bostream.se
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINDOWS\Downloaded Program Files\googlenav.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [ShowShifter TVTV EPG Daemon] "C:\Program\Home Media Networks Limited\ShowShifter\TVTVD.exe"
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\Program\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [ScreenPrint32] C:\Program\ScreenPrint32 v3\ScreenPrint32.exe -startup
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [DU Meter] C:\Program\DU Meter\DUMeter.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program\Delade filer\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKCU\..\Run: [seticlient] C:\Program\SETI@home\[email protected] -min
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpySweeper] C:\Program\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - Startup: PartMetBackup.lnk = C:\Program\Java\j2re1.4.2_04\bin\javaw.exe
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsimilar.html
    O9 - Extra 'Tools' menuitem: Sun Java-konsol (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/sv/big/1.1....g/GoogleNav.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7911.8073032407
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

    Does it look good?

    Or is it more trouble to be fixed?

    I am currently posting this from IE and it at least seems as fast as before. So maybe I finally fixed it. Let's hope that it lasts and doesn't come back at the next reboot!


    Sincerely Joakim Agren!

  6. #6 - Poster
    One thing still appears to be running, but I don't see a run key that starts it.

    vzxwzdch.exe needs to be deleted, but it must stop running first. Open Task Manager and see if it's listed as a running process and stop it, then delete. If it's not listed, reboot into safe mode and see if you can delete it there.

    C:\WINDOWS\System32\vzxwzdch.exe

    After that's gone, empty all temp. files and disable system restore to remove all restore points, then enable system restore.

  7. #7 - Joakim Agren (Superman loves P2P)
    Originally posted by Jg427@19 June 2004 - 05:30
    One thing still appears to be running, but I don't see a run key that starts it.

    vzxwzdch.exe needs to be deleted, but it must stop running first. Open Task Manager and see if it's listed as a running process and stop it, then delete. If it's not listed, reboot into safe mode and see if you can delete it there.

    C:\WINDOWS\System32\vzxwzdch.exe

    After that's gone, empty all temp. files and disable system restore to remove all restore points, then enable system restore.
    Hello!

    I was able to delete that process in safe mode! Today the processes listed in HijackThis seem good and none of the bad ones are there. So let's hope it will last and not come back! IE is working fine also!

    Thank you very much for your help!

    Here is the latest log:

    Logfile of HijackThis v1.97.7
    Scan saved at 18:00:22, on 2004-06-19
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\system32\ps2.exe
    C:\Program\Ahead\InCD\InCD.exe
    C:\Program\Delade filer\Symantec Shared\ccApp.exe
    C:\Program\ScreenPrint32 v3\ScreenPrint32.exe
    C:\Program\iTunes\iTunesHelper.exe
    C:\Program\DU Meter\DUMeter.exe
    C:\Program\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program\Delade filer\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program\SETI@home\[email protected]
    C:\Program\Messenger\msmsgs.exe
    C:\Program\Java\j2re1.4.2_04\bin\javaw.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\Program\Ahead\InCD\InCDsrv.exe
    C:\Program\Norton AntiVirus\navapsvc.exe
    C:\Program\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\system32\scagent.exe
    C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program\iPod\bin\iPodService.exe
    C:\Program\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Ägare\Skrivbord\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bostream.se
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bostream.se
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINDOWS\Downloaded Program Files\googlenav.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program\Delade filer\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [ShowShifter TVTV EPG Daemon] "C:\Program\Home Media Networks Limited\ShowShifter\TVTVD.exe"
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\Program\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [ScreenPrint32] C:\Program\ScreenPrint32 v3\ScreenPrint32.exe -startup
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [DU Meter] C:\Program\DU Meter\DUMeter.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program\Delade filer\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKCU\..\Run: [seticlient] C:\Program\SETI@home\[email protected] -min
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
    O4 - Startup: PartMetBackup.lnk = C:\Program\Java\j2re1.4.2_04\bin\javaw.exe
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\Downloaded Program Files\googlenav.dll/cmsimilar.html
    O9 - Extra 'Tools' menuitem: Sun Java-konsol (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/sv/big/1.1....g/GoogleNav.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7911.8073032407
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{96587776-F08D-4323-9220-42D6881CE39E}: NameServer = 212.181.54.2,212.181.54.3
    O17 - HKLM\System\CS1\Services\Tcpip\..\{96587776-F08D-4323-9220-42D6881CE39E}: NameServer = 212.181.54.2,212.181.54.3
    O17 - HKLM\System\CS2\Services\Tcpip\..\{96587776-F08D-4323-9220-42D6881CE39E}: NameServer = 212.181.54.2,212.181.54.3


    Sincerely Joakim Agren!

  8. #8 - lynx
    Check your IE security settings, my bet is that one of these progs will have modified it to LOW. This makes the chances of reinfection much more likely, since ActiveX controls no longer have to ask for permission to install/run.
    .
    Political correctness is based on the principle that it's possible to pick up a turd by the clean end.

  9. #9 - Poster
    As additional protection, download SpywareBlaster.

    It has a database of bad ActiveX programs, and doesn't have to run to be effective. Just check occasionally for updates.

    Code:
    http://www.javacoolsoftware.com/spywareblaster.html

  10. #10 - Poster
    That last log looks clean to me.

    Some suggestions for increasing your browser security:

    Check for and install Windows security updates.
    Check your ActiveX settings, as lynx said. You can test your settings at Jason's security test.
    Spybot has an immunize feature that will block some bad sites; enable it.
    Switch from IE to Firefox (sorry, I couldn't resist adding that).
