Help Needed

Hi Everyone

I have a problem! :( My computer has been infected with the Home Search Assistant, Search Extender and the Shopping Wizard... I have run Ad-Aware several times now. But the browser still connects me to about:blank. Can anyone please help me?

This is the Safe Mode Log file

Logfile of HijackThis v1.99.0
Scan saved at 14:50:15, on 28-01-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://signon.stofanet.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pwbvs.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pwbvs.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pwbvs.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pwbvs.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://0cj.net/srchasst.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {4A7341EB-80CF-9F8F-8388-6D50AD0366BF} - C:\WINDOWS\system32\netoi.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmer\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Programmer\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Programmer\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Programmer\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ntupd32] C:\WINDOWS\system32\ntupd32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Programmer\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Programmer\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HPLJ Config] C:\Programmer\Hewlett-Packard\hp LaserJet 1160_1320 series\SetConfig.exe -c Direct -p None -pn "" -n 1 -l 1030 -sl 120000
O4 - HKLM\..\Run: [HP Software Update] "C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [netjl.exe] C:\WINDOWS\netjl.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [d3ic32.exe] C:\WINDOWS\system32\d3ic32.exe
O4 - HKLM\..\RunOnce: [winrq.exe] C:\WINDOWS\system32\winrq.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe (file missing)
O15 - Trusted IP range: (HKLM)
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {1A8790BD-AEBD-11BD-A2BD-00620BD00021} (Nørresundby Banks Netbank) - https://www.nrsbank.dk/snrsbankibp2000ib100.cab
O16 - DPF: {1A8790BD-AEBD-11BD-A2BD-00625BD00021} (Nørresundby Banks Netbank) - https://www.nrsbank.dk/snrsbankibp2500ib100.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend NT Realtime Service - Trend Micro Inc. - C:\Programmer\Trend Micro\PC-cillin 2000\Tmntsrv.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\d3ic32.exe


I hope you can help me :)

Comments

  • Crunchie Mandurah. Western Australia. Member
    edited January 2005
    Download about:Buster and unzip it to your Desktop. Double-click on AboutBuster.exe to run it and then click on Update > Check for Update. If there is an update available, click on 'Download Update' and wait while it downloads. Once downloaded, click on Exit.

    When you have done this, boot into Safe Mode (restart your PC and tap F8 as it restarts) and make sure that you can view hidden files and folders.

    Close all open windows and run Hijack This again. Check the below entries and click on Fix Checked.

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pwbvs.dll/sp.html#10001
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pwbvs.dll/sp.html#10001
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pwbvs.dll/sp.html#10001
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pwbvs.dll/sp.html#10001
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://0cj.net/srchasst.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {4A7341EB-80CF-9F8F-8388-6D50AD0366BF} - C:\WINDOWS\system32\netoi.dll

    O4 - HKLM\..\Run: [ntupd32] C:\WINDOWS\system32\ntupd32.exe
    O4 - HKLM\..\Run: [netjl.exe] C:\WINDOWS\netjl.exe
    O4 - HKLM\..\RunOnce: [d3ic32.exe] C:\WINDOWS\system32\d3ic32.exe
    O4 - HKLM\..\RunOnce: [winrq.exe] C:\WINDOWS\system32\winrq.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe (file missing)
    O15 - Trusted IP range: (HKLM)

    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com

    O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\d3ic32.exe

    Close Hijack This and run about:Buster again, click the 'Start' button and then click the 'OK' button. Let it scan (the scan can take some time to complete, so be patient). Once the first scan has completed, it will ask you if you wish for about:Buster to scan once more. Click Yes and let it scan a second time. Once the second scan has finished, copy and paste the report to Notepad and save it on your drive.

    To copy and paste the report to a log file, select (highlight) all of the text produced by the scan with your mouse, right-click and select 'Copy'.

    Next, launch Notepad (click Start > Run > type notepad.exe and press Enter). When the file is open, right-click and select Paste. Click on File > Save As and save it in C:\ as Log.txt. Copy the log and post it back in this thread when you have rebooted.

    While still in Safe Mode, run a search and make sure that all of the below files in bold have been deleted (if not, delete them):

    C:\WINDOWS\pwbvs.dll<----file
    C:\WINDOWS\system32\netoi.dll<----file
    C:\WINDOWS\system32\ntupd32.exe<----file
    C:\WINDOWS\netjl.exe<----file
    C:\WINDOWS\system32\d3ic32.exe<----file
    C:\WINDOWS\system32\winrq.exe<----file

    Reboot, reset your Home Page and run a Housecall scan. It will get rid of any remaining files. Post a new Hijack This log (and your About Buster log).
  • edited January 2005
    Thank you.

    I have done what you said, and it seems to be gone.

    But here is the new HijackThis logfile and About Buster log.

    Logfile of HijackThis v1.99.0
    Scan saved at 19:58:48, on 01/29/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Programmer\Trend Micro\PC-cillin 2000\Tmntsrv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Programmer\Trend Micro\PC-cillin 2000\Pop3trap.exe
    C:\Programmer\Trend Micro\PC-cillin 2000\WebTrapNT.exe
    C:\Programmer\Microsoft AntiSpyware\gcasServ.exe
    C:\Programmer\Java\j2re1.4.2_06\bin\jusched.exe
    C:\Programmer\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
    C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Programmer\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Programmer\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programmer\MSN Messenger\msnmsgr.exe
    C:\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.signon.stofanet.dk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.signon.stofanet.dk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://0cj.net/srchasst.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmer\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Programmer\Trend Micro\PC-cillin 2000\Pop3trap.exe"
    O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Programmer\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
    O4 - HKLM\..\Run: [gcasServ] "C:\Programmer\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [StatusClient 2.6] C:\Programmer\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Programmer\Hewlett-Packard\Toolbox\hpbpsttp.exe
    O4 - HKLM\..\Run: [HPLJ Config] C:\Programmer\Hewlett-Packard\hp LaserJet 1160_1320 series\SetConfig.exe -c Direct -p None -pn "" -n 1 -l 1030 -sl 120000
    O4 - HKLM\..\Run: [HP Software Update] "C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [msnm.exe] C:\WINDOWS\msnm.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: 206.161.125.149 (HKLM)
    O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
    O16 - DPF: {1A8790BD-AEBD-11BD-A2BD-00620BD00021} (Nørresundby Banks Netbank) - https://www.nrsbank.dk/snrsbankibp2000ib100.cab
    O16 - DPF: {1A8790BD-AEBD-11BD-A2BD-00625BD00021} (Nørresundby Banks Netbank) - https://www.nrsbank.dk/snrsbankibp2500ib100.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Trend NT Realtime Service - Trend Micro Inc. - C:\Programmer\Trend Micro\PC-cillin 2000\Tmntsrv.exe


    Scan 2
    About:Buster Version 4.0
    Reference List : 23


    Removed Data Streams:
    C:\WINDOWS\drwatson.log:oevrc
    C:\WINDOWS\explorer.scf:zgycy
    C:\WINDOWS\IEPatchUninstall.log:kxgzi
    C:\WINDOWS\mmwork.exe:mptly
    C:\WINDOWS\nsreg.dat:ddcrp
    C:\WINDOWS\ODBC.INI:pwewt
    C:\WINDOWS\POCE98.DLL:wsptn
    C:\WINDOWS\REGLOCS.OLD:uazlt
    C:\WINDOWS\sdqij.dll:icnfd
    C:\WINDOWS\System.ipe:nqvdv


    Attempted Clean Of Temp folder.
    Pages Reset... Done!


    I hope this is the end of this virus. :)
  • Crunchie Mandurah. Western Australia. Member
    edited January 2005
    Please go here & install ALL critical updates required for your system.

    Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html

    O4 - HKLM\..\Run: [msnm.exe] C:\WINDOWS\msnm.exe

    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: 206.161.125.149 (HKLM)

    Reboot into safe mode and delete the following:

    C:\WINDOWS\msnm.exe<----file

    Reboot normally after doing the above, rescan with hijackthis, then post that log here please.
  • edited January 2005
    Thank you justlooking

    When I run a scan in my Adaware SE the virus does not show anymore.

    But here is the latest HijackThis logfile:

    Logfile of HijackThis v1.99.0
    Scan saved at 16:55:04, on 01/30/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Programmer\Trend Micro\PC-cillin 2000\Pop3trap.exe
    C:\Programmer\Trend Micro\PC-cillin 2000\WebTrapNT.exe
    C:\Programmer\Microsoft AntiSpyware\gcasServ.exe
    C:\Programmer\Java\j2re1.4.2_06\bin\jusched.exe
    C:\Programmer\Trend Micro\PC-cillin 2000\Tmntsrv.exe
    C:\Programmer\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
    C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Programmer\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Programmer\MSN Messenger\msnmsgr.exe
    C:\Programmer\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
    C:\HijackThis\HijackThis.exe
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.signon.stofanet.dk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.signon.stofanet.dk
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmer\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Programmer\Trend Micro\PC-cillin 2000\Pop3trap.exe"
    O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Programmer\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
    O4 - HKLM\..\Run: [gcasServ] "C:\Programmer\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [StatusClient 2.6] C:\Programmer\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Programmer\Hewlett-Packard\Toolbox\hpbpsttp.exe
    O4 - HKLM\..\Run: [HPLJ Config] C:\Programmer\Hewlett-Packard\hp LaserJet 1160_1320 series\SetConfig.exe -c Direct -p None -pn "" -n 1 -l 1030 -sl 120000
    O4 - HKLM\..\Run: [HP Software Update] "C:\Programmer\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [msnmsgr] "C:\Programmer\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
    O16 - DPF: {1A8790BD-AEBD-11BD-A2BD-00620BD00021} (Nørresundby Banks Netbank) - https://www.nrsbank.dk/snrsbankibp2000ib100.cab
    O16 - DPF: {1A8790BD-AEBD-11BD-A2BD-00625BD00021} (Nørresundby Banks Netbank) - https://www.nrsbank.dk/snrsbankibp2500ib100.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Trend NT Realtime Service - Trend Micro Inc. - C:\Programmer\Trend Micro\PC-cillin 2000\Tmntsrv.exe

    The About:Buster did not find anything.

    Thank you very much for your help. :thumbsup:
  • Crunchie Mandurah. Western Australia. Member
    edited January 2005
    Download Delete Domains from here and run it. It will delete all entries from the trusted and restricted zone.
    Note that all entries in the restricted zone will be deleted too.
    Other than that your log looks good.
  • edited January 2005
    Thank you!!!

    This solved the problem, I'm now virus free :)

    Your help was appreciated. :thumbsup:
  • Crunchie Mandurah. Western Australia. Member
    edited January 2005
    You are welcome :).
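
Added example, not part of the original thread: a small Python script that parses HijackThis entry lines and diffs two logs, so that entries which appear only after a fix round (such as the msnm.exe Run key in the second log above) stand out. The sample logs are short excerpts of the logs posted in this thread; the function names and the choice of O2/O4/O23 as "autostart" sections are this example's own.

```python
import re

# Entry lines start with a section code (R0, F2, O4, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.*\S)\s*$")
# Sections that load code at startup or into the browser: BHOs, Run keys, services.
AUTOSTART = {"O2", "O4", "O23"}

# Excerpt of the 28-01-2005 log posted in the thread.
BEFORE = r"""
Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\Explorer.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pwbvs.dll/sp.html#10001
O2 - BHO: (no name) - {4A7341EB-80CF-9F8F-8388-6D50AD0366BF} - C:\WINDOWS\system32\netoi.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Programmer\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ntupd32] C:\WINDOWS\system32\ntupd32.exe
O4 - HKLM\..\Run: [netjl.exe] C:\WINDOWS\netjl.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\d3ic32.exe
"""

# Excerpt of the 01/29/2005 log posted after the first fix round.
AFTER = r"""
Logfile of HijackThis v1.99.0
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
O4 - HKLM\..\Run: [gcasServ] "C:\Programmer\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [msnm.exe] C:\WINDOWS\msnm.exe
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted IP range: 206.161.125.149
"""


def parse_entries(log_text):
    """Return the set of (section_code, entry_text) pairs found in a log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # header and "Running processes" lines do not match
            entries.add((m.group(1), m.group(2)))
    return entries


def diff_logs(before, after):
    """Return (removed, added) entries between two logs, each sorted."""
    b, a = parse_entries(before), parse_entries(after)
    return sorted(b - a), sorted(a - b)


def new_autostarts(before, after):
    """Entries in autostart sections that exist only in the later log."""
    return [(c, e) for c, e in diff_logs(before, after)[1] if c in AUTOSTART]


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    for code, entry in removed:
        print("gone :", code, "-", entry)
    for code, entry in added:
        print("new  :", code, "-", entry)
    print("new autostarts:", new_autostarts(BEFORE, AFTER))
```
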