
Ads234 Problem!

I need help. I can't even go on the internet without ads234 popping up. Here's the stuff... What do I do?
Logfile of HijackThis v1.98.2
Scan saved at 10:49:41 PM, on 12/21/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\documents and settings\jon\local settings\temp\geTdA4.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\documents and settings\jon\local settings\temp\tz.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Panicware\Pop-Up Stopper Companion\PSComp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\lotus\smartctr\suitest.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prklic.t.rack.cc/sp.php (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://prklic.t.rack.cc/sp.php (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\system32\searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prklic.t.rack.cc/sp.php (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://prklic.t.rack.cc/sp.php (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://prklic.t.rack.cc/hp.php (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prklic.t.rack.cc/sp.php (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\system32\searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prklic.t.rack.cc/sp.php (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = C:\WINDOWS\system32\securityID=817093-MS03-011&privacyAPI32=x292.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://prklic.t.rack.cc/hp.php (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F1 - win.ini: run=fntldr.exe C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\info32.exe
O1 - Hosts: 69.20.16.183 xeautosearch
O1 - Hosts: 69.20.16.183 xeautosearch
O1 - Hosts: 69.20.16.183 xeautosearch
O1 - Hosts: 69.20.16.183 xuto.search.msn.com
O1 - Hosts: 69.20.16.183 xearch.netscape.com
O1 - Hosts: 69.20.16.183 xeautosearch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: FFB0 - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB0} - C:\DOCUME~1\jon\LOCALS~1\Temp\mskghk.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: IExplorr29.clsIS - {54ED9B49-81D1-4866-95A6-30F01DE0047E} - c:\windows\iexplorr29.dll
O2 - BHO: IExplorr26.clsIS - {90E34F98-E3E6-4CD7-A592-E964FED8AF78} - c:\windows\iexplorr26.dll
O2 - BHO: IExplorr27.clsIS - {94326E3F-F51F-4863-A832-4ACD0D7D4BC3} - c:\windows\iexplorr27.dll
O2 - BHO: EventHandler Class - {9FB534E3-67CB-4307-AE0A-9E8B5581BE2C} - C:\PROGRA~1\WINDOW~4\WinSB1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C6218B35-6183-42A9-8E2F-1F5AA56FD370} - C:\WINDOWS\System32\caimapi32.dll (file missing)
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - c:\documents and settings\jon\local settings\temp\hpcYF4v.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Windows Search Bar - {A1DD937D-71E1-4BB5-BD5D-1B01B9CB1C2F} - C:\PROGRA~1\WINDOW~4\WinSB1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Tapicfg.exe] C:\WINDOWS\System32\tapicfg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [] C:\WINDOWS\System32\
O4 - HKLM\..\Run: [Soundmx] C:\WINDOWS\System32\soundmx.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [iuxokejo] C:\WINDOWS\mboiwklx.exe
O4 - HKLM\..\Run: [rb32 ml710e] "C:\Program Files\RapidBlaster\rb32.exe"
O4 - HKLM\..\Run: [BIOVVMS] C:\WINDOWS\BIOVVMS.exe
O4 - HKLM\..\Run: [2N85L533MR#GJT] C:\WINDOWS\System32\Rydo84k.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [geTdA4] C:\documents and settings\jon\local settings\temp\geTdA4.exe
O4 - HKLM\..\Run: [msavkpk] C:\WINDOWS\System32\muqhumw.exe
O4 - HKLM\..\Run: [2Fmi35T] wownfo.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [tz] C:\documents and settings\jon\local settings\temp\tz.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\jon\Application Data\rncr.exe
O4 - HKCU\..\Run: [sf5gx1y1tx] C:\WINDOWS\osmkypaw6m.exe
O4 - HKCU\..\Run: [PopUpStopperCompanion] "C:\Program Files\Panicware\Pop-Up Stopper Companion\PSComp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RCT2_TT.exe] C:\DOCUME~1\jon\MYDOCU~1\RCT2_T~1.EXE /r
O4 - Startup: Lotus SuiteStart.lnk = C:\lotus\smartctr\suitest.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: WebWorks Help 3.0 - file://E:\Documentation\WebDoc\wwhelp3.cab
O16 - DPF: {163A949D-2A1F-4B4C-AE46-83D0F59BE189} (X4 Control) - http://24.234.227.102/XHD.cab
O16 - DPF: {7EC687F9-9EFB-4FA3-A5BA-197C3461448A} (Rm Control) - http://24.234.227.102/RM.cab
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://http.gamezone.tukati.com/tukati/1.7.20.20/tukati.cab
O19 - User stylesheet: (file missing)

Comments

  • Crunchie Mandurah. Western Australia. Member
    edited December 2004
    Have you run Adaware and Spybot yet? I'm having a look at what needs to go.
  • Crunchie Mandurah. Western Australia. Member
    edited December 2004
    Open Task Manager & end process on the following:
    geTdA4.exe
    tz.exe

    Go to C:\documents and settings\jon\local settings\temp and delete the entire contents of that folder. Hidden files\folders will need to be unhidden.

    Download CWShredder 2 from here. Run it and press *fix*, not scan, and allow it to clean the infection.

    Post another log. Run Adaware and Spybot if you haven't already. That should make it easier to go through :).
  • edited December 2004
    I did what you said and here's my new log.
    Logfile of HijackThis v1.98.2
    Scan saved at 9:57:26 AM, on 12/22/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
    C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Lexmark 3100 Series\lxbrcmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Panicware\Pop-Up Stopper Companion\PSComp.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\lotus\smartctr\suitest.exe
    C:\Program Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prklic.t.rack.cc/sp.php (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://prklic.t.rack.cc/sp.php (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prklic.t.rack.cc/sp.php (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://prklic.t.rack.cc/sp.php (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://prklic.t.rack.cc/hp.php (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prklic.t.rack.cc/sp.php (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prklic.t.rack.cc/sp.php (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = C:\WINDOWS\system32\securityID=817093-MS03-011&privacyAPI32=x292.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://prklic.t.rack.cc/hp.php (obfuscated)
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O1 - Hosts: 69.20.16.183 xeautosearch
    O1 - Hosts: 69.20.16.183 xeautosearch
    O1 - Hosts: 69.20.16.183 xeautosearch
    O1 - Hosts: 69.20.16.183 xuto.search.msn.com
    O1 - Hosts: 69.20.16.183 xearch.netscape.com
    O1 - Hosts: 69.20.16.183 xeautosearch
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
    O2 - BHO: FFB0 - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB0} - C:\DOCUME~1\jon\LOCALS~1\Temp\mskghk.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: IExplorr29.clsIS - {54ED9B49-81D1-4866-95A6-30F01DE0047E} - c:\windows\iexplorr29.dll
    O2 - BHO: IExplorr26.clsIS - {90E34F98-E3E6-4CD7-A592-E964FED8AF78} - c:\windows\iexplorr26.dll
    O2 - BHO: IExplorr27.clsIS - {94326E3F-F51F-4863-A832-4ACD0D7D4BC3} - c:\windows\iexplorr27.dll
    O2 - BHO: EventHandler Class - {9FB534E3-67CB-4307-AE0A-9E8B5581BE2C} - C:\PROGRA~1\WINDOW~4\WinSB1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {C6218B35-6183-42A9-8E2F-1F5AA56FD370} - C:\WINDOWS\System32\caimapi32.dll (file missing)
    O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - c:\documents and settings\jon\local settings\temp\hpcYF4v.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Windows Search Bar - {A1DD937D-71E1-4BB5-BD5D-1B01B9CB1C2F} - C:\PROGRA~1\WINDOW~4\WinSB1.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [] C:\WINDOWS\System32\
    O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
    O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
    O4 - HKLM\..\Run: [iuxokejo] C:\WINDOWS\mboiwklx.exe
    O4 - HKLM\..\Run: [rb32 ml710e] "C:\Program Files\RapidBlaster\rb32.exe"
    O4 - HKLM\..\Run: [BIOVVMS] C:\WINDOWS\BIOVVMS.exe
    O4 - HKLM\..\Run: [2N85L533MR#GJT] C:\WINDOWS\System32\Rydo84k.exe
    O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
    O4 - HKLM\..\Run: [msavkpk] C:\WINDOWS\System32\muqhumw.exe
    O4 - HKLM\..\Run: [2Fmi35T] wownfo.exe
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
    O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
    O4 - HKLM\..\Run: [tz] C:\documents and settings\jon\local settings\temp\tz.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\jon\Application Data\rncr.exe
    O4 - HKCU\..\Run: [sf5gx1y1tx] C:\WINDOWS\osmkypaw6m.exe
    O4 - HKCU\..\Run: [PopUpStopperCompanion] "C:\Program Files\Panicware\Pop-Up Stopper Companion\PSComp.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [RCT2_TT.exe] C:\DOCUME~1\jon\MYDOCU~1\RCT2_T~1.EXE /r
    O4 - Startup: Lotus SuiteStart.lnk = C:\lotus\smartctr\suitest.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: WebWorks Help 3.0 - file://E:\Documentation\WebDoc\wwhelp3.cab
    O16 - DPF: {163A949D-2A1F-4B4C-AE46-83D0F59BE189} (X4 Control) - http://24.234.227.102/XHD.cab
    O16 - DPF: {7EC687F9-9EFB-4FA3-A5BA-197C3461448A} (Rm Control) - http://24.234.227.102/RM.cab
    O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://http.gamezone.tukati.com/tukati/1.7.20.20/tukati.cab
    O19 - User stylesheet: (file missing)
  • SpywareShooter 127.0.0.1
    edited December 2004
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prklic.t.rack.cc/sp.php (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://prklic.t.rack.cc/sp.php (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prklic.t.rack.cc/sp.php (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://prklic.t.rack.cc/sp.php (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://prklic.t.rack.cc/hp.php (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prklic.t.rack.cc/sp.php (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prklic.t.rack.cc/sp.php (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = C:\WINDOWS\system32\securityID=817093-MS03-011&privacyAPI32=x292.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://prklic.t.rack.cc/hp.php (obfuscated)
    O1 - Hosts: 69.20.16.183 xeautosearch
    O1 - Hosts: 69.20.16.183 xeautosearch
    O1 - Hosts: 69.20.16.183 xeautosearch
    O1 - Hosts: 69.20.16.183 xuto.search.msn.com
    O1 - Hosts: 69.20.16.183 xearch.netscape.com
    O1 - Hosts: 69.20.16.183 xeautosearch
    O2 - BHO: FFB0 - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFB0} - C:\DOCUME~1\jon\LOCALS~1\Temp\mskghk.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: IExplorr29.clsIS - {54ED9B49-81D1-4866-95A6-30F01DE0047E} - c:\windows\iexplorr29.dll
    O2 - BHO: IExplorr26.clsIS - {90E34F98-E3E6-4CD7-A592-E964FED8AF78} - c:\windows\iexplorr26.dll
    O2 - BHO: IExplorr27.clsIS - {94326E3F-F51F-4863-A832-4ACD0D7D4BC3} - c:\windows\iexplorr27.dll
    O2 - BHO: EventHandler Class - {9FB534E3-67CB-4307-AE0A-9E8B5581BE2C} - C:\PROGRA~1\WINDOW~4\WinSB1.dll
    O3 - Toolbar: Windows Search Bar - {A1DD937D-71E1-4BB5-BD5D-1B01B9CB1C2F} - C:\PROGRA~1\WINDOW~4\WinSB1.dll
    O4 - HKLM\..\Run: [iuxokejo] C:\WINDOWS\mboiwklx.exe
    O4 - HKLM\..\Run: [rb32 ml710e] "C:\Program Files\RapidBlaster\rb32.exe"
    O4 - HKLM\..\Run: [BIOVVMS] C:\WINDOWS\BIOVVMS.exe
    O4 - HKLM\..\Run: [2N85L533MR#GJT] C:\WINDOWS\System32\Rydo84k.exe
    O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
    O4 - HKLM\..\Run: [msavkpk] C:\WINDOWS\System32\muqhumw.exe
    O4 - HKLM\..\Run: [2Fmi35T] wownfo.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
    O4 - HKLM\..\Run: [tz] C:\documents and settings\jon\local settings\temp\tz.exe
    O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\jon\Application Data\rncr.exe
    O4 - HKCU\..\Run: [sf5gx1y1tx] C:\WINDOWS\osmkypaw6m.exe
    O4 - HKCU\..\Run: [RCT2_TT.exe] C:\DOCUME~1\jon\MYDOCU~1\RCT2_T~1.EXE /r

    Fix those entries, then find and delete the files listed above, reboot and post a new log.
  • edited December 2004
    Thanks for all your help. How do I find and delete the stuff???
  • Crunchie Mandurah. Western Australia. Member
    edited December 2004
    If, for instance, this is the one fixed: C:\Program Files\Web_Rebates\WebRebates0.exe, what you do is open Windows Explorer (not Internet Explorer), work your way to C:\Program Files and delete the Web_Rebates folder.