Hosts, Can't run HJT, Can't open regedit

I can run HJT in safe mode (sorry, file at home) and find 101 hosts sitting on my computer. I delete them, run AdAware and AboutBuster, delete anything that looks malicious.
However, in normal mode, HJT and Regedit both appear for a quick second onscreen and I can't get either to open. Also, when online, it takes quite some time for my browser to open and I see another window attempting to connect to www.knu... Any ideas??
The hosts are all banks and fake sites like wvw.paypal.com. What do I have on my computer?

Comments

  • Shadow2018 Northwest Missouri
    edited August 2005
    Without seeing your Hijack This log it would be pure speculation as to what you may have. Therefore we could not tell you how to fix it without seeing your log. A HJT log run while in safe mode would be sufficient for now.
  • edited August 2005
    I will have to save a copy of the hjt log from my safe mode from last night. I will copy it here ASAP.
    Are there some programs that won't allow you to do certain functions anymore or tie up so much memory that those functions appear to not work?
  • edited August 2005
    Here is the latest file, done in safe mode since HJT won't open in regular. I basically have no internet access. I get the peoplepc start page, but can't open anything beyond it.


    Logfile of HijackThis v1.99.1
    Scan saved at 6:09:06 PM, on 8/3/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\dxdmain.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\ryan\Desktop\Spyware\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Msxml32DOMDocument Class - {6E28339B-7A2A-47B6-AEB2-46BA53782379} - C:\WINDOWS\System32\dllcache\msxml32.dll
    O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar_6.2.0.11.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar_6.2.0.11.dll
    O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6130\BIN\PPCOLink.exe -STATION
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [MediaXPServicePack] mxpsp.exe
    O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
    O4 - HKLM\..\RunServices: [MediaXPServicePack] mxpsp.exe
    O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\System32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\ryan\LOCALS~1\Temp\IXP000.TMP\"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
    O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\WINDOWS\System32\dxdmain.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe
  • edited August 2005
    One more note, I tried to load xp SP3 last night and got an error when loading regarding wextract_cleanup0 rundll32.exe - not found. It's one of the HKCU entries above. Any suggestions?
  • Shadow2018 Northwest Missouri
    edited August 2005
    Run activescan from Panda software and post the results here with a new HJT log. You should have an option to boot into safe mode with networking. I have never tried running Panda's activescan in safe mode so not positive it will work.

    http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm
  • edited August 2005
    I believe all hidden files are shown. I think I flipped that switch before and never put it back.
  • Shadow2018 Northwest Missouri
    edited August 2005
    See my previous post.
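
Added example (not part of the original thread, and not HijackThis's own code): a short Python triage pass over an excerpt of the log posted above. The two rules, autorun entries whose program has no directory path and services that HijackThis lists with "Unknown owner", are assumed review heuristics; a hit means that file is worth checking first, not that it is malicious.

```python
import re

# Excerpt of the HijackThis log posted in this thread (lines copied from the page).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MediaXPServicePack] mxpsp.exe
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKLM\..\RunServices: [MediaXPServicePack] mxpsp.exe
O23 - Service: DirectX Graphics (dxdmain) - Unknown owner - C:\WINDOWS\System32\dxdmain.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*)$")   # "O4 - rest of line"
AUTORUN = re.compile(r"^(.+?):\s+\[(.+?)\]\s+(.*)$")    # "key: [name] command"
SERVICE = re.compile(r"^Service:\s+(.+?)\s+\((.+?)\)\s+-\s+(.+?)\s+-\s+(.+)$")

def program_of(cmd):
    """Return the program part of an autorun command (quoted, or up to .exe)."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)\b', cmd, re.I)
    return (m.group(1) or m.group(2)) if m else cmd

def triage(log_text):
    """Return (section, label, reason) tuples for entries to review first."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # headers, process list, blank lines
        section, rest = m.groups()
        if section == "O4" and (a := AUTORUN.match(rest)):
            key, name, cmd = a.groups()
            if "\\" not in program_of(cmd):  # resolved via the search path
                findings.append((section, f"{key} [{name}]", "autorun without a full path"))
        elif section == "O23" and (s := SERVICE.match(rest)):
            _, svc, owner, path = s.groups()
            if owner.lower() == "unknown owner":
                findings.append((section, f"{svc} -> {path}", "no owner reported for service binary"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```
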