I ran the CW Shredder version 1.59.1...it removed a handful of files...heres the new list. Thanks a million.
trmthree
Logfile of HijackThis v1.97.7
Scan saved at 12:44:42 PM, on 6/29/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)
and use these instructions to uninstall newdotnet. Try it twice please. ========================= You do have other things wrong, but that is the next worst - as it can break the internet connection that you use to get online.
Please post back with a new hijackthis log when done.
Please note hijackthis has now been updated - please use the update feature to get v1.98.0 or download the new version from www.zerosrealm.com (downlaods page).
after removing new.net...could'nt find file folder labeled: Tldctl2c Class in Downloaded Program Files window to remove that. Harmless? Here's updated list. Thanks.
trmthree
Logfile of HijackThis v1.98.0
Scan saved at 11:53:31 AM, on 6/30/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)
completed pandasoft online scan & new CWShredder scan...Here's the new list. Thanks.
trmthree
Logfile of HijackThis v1.98.0
Scan saved at 2:46:55 PM, on 6/30/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)
Ran about:buster...about:blank looks to be gone...however Owebsearch and solongas came back when I rebooted. Here's the log and the new list. Thanks.
trmthree
About:Buster Version 1.23
Attempted Clean Of Temp folder.
Pages Reset... Done!
Logfile of HijackThis v1.98.0
Scan saved at 6:06:52 PM, on 6/30/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)
What you had was several infections all competing for the main keys in your system. We needed to clean the worst out first. Now we can do the rest. ======================== Download then unzip and run CWShredder to clean up clicking FIX to have it remove all it finds.
============================= In hijackthis - config - misc tools - process view Find these processes and 'Unload' them if running.
dmserver.exe wupdater.exe Belt.exe istsvc.exe wupdt.exe WINSTA~1.EXE services.exe (care - might be more that one - if so leave) NDrv.exe OURTOE.exe mmod.exe image.dll aomm.exe gd-dial.exe winlogin.exe (Care as above)
Check these in hijackthis, AND WITH ALL OTHER WINDOWS CLOSED, fix checked.
Then Reboot to safe mode (F8 on boot) and delete the following files/folders:- (See items 8 & 9 from this link for details of safe mode and viewing hidden files http://www.russelltexas.com/malware/faqhijackthis.htm )
ChrisRLG
3.9K Posts
0
June 28th, 2004 21:00
Download then unzip and run CWShredder to clean up clicking "FIX" to have it remove all it finds.
CWShredder available from :-
(make sure it is version 1.59.1 - if not use the update feature to get the latest.)
http://www.zerosrealm.com/downloads.php
http://www.merijn.org/files/cwshredder.zip
http://www.aluriasoftware.com/tools/cwshredder.zip
Please run it in safe mode (F8 at boot/computer startup)
please post a new hijackthis log after a reboot.
trmthree
5 Posts
0
June 29th, 2004 17:00
trmthree
Logfile of HijackThis v1.97.7
Scan saved at 12:44:42 PM, on 6/29/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\scagent.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\inetdata\services.exe
C:\WINNT\System32\PRISMSTA.EXE
C:\WINNT\System32\wfxsnt40.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINNT\System32\rundll32.exe
C:\PROGRA~1\ezula\mmod.exe
C:\program files\GlobalDialer\domer00114\gd-dial.exe
C:\Documents and Settings\rmontgomery\Application Data\aomm.exe
C:\WINNT\System32\NDrv.exe
C:\Program Files\WinFax\WFXCTL32.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\wuauclt.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://0websearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.puh.ru/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.puh.ru/search.html
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
F1 - win.ini: run=C:\WINNT\inetdata\services.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINNT\inetdata\1.00.03.dll
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINNT\System32\msd5ioymt9jl.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRISMSTA.EXE] PRISMSTA.EXE START
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [System Tray] C:\Documents and Settings\rmontgomery\Local Settings\Temporary Internet Files\Content.IE5\W7SZYR0Z\your_details.pif
O4 - HKLM\..\Run: [System MScvb] C:\Documents and Settings\rmontgomery\Local Settings\Temporary Internet Files\Content.IE5\8HMROXY3\documents.pif
O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINNT\System\WinStart001.EXE -b
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINNT\System\WINSTA~1.EXE -b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [Belt] C:\WINNT\Belt.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inetdata\services.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00114\gd-dial.exe -remove
O4 - HKCU\..\Run: [Uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [xp_system] C:\WINNT\inetdata\services.exe
O4 - HKCU\..\Run: [Esea] C:\Documents and Settings\rmontgomery\Application Data\aomm.exe
O4 - HKCU\..\Run: [NDrv] C:\WINNT\System32\NDrv.exe
O4 - HKCU\..\Run: [SEUHMIADVJ] C:\WINNT\WNTOSBXQV.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Locators.com Search Bar (HKLM)
O9 - Extra 'Tools' menuitem: Locators.com Search Bar (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: *.greg-search.com
O15 - Trusted Zone: www.mt-download.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {A2EBA59E-C601-4AE3-900B-6B61F29500BE} (ActiveFormX Control) - https://widow1.factualdata.com/ocx/print3.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: C:\WINNT\color.css
ChrisRLG
3.9K Posts
0
June 30th, 2004 09:00
Those 'handful of files' are some of the most difficault to remove.
Please visit http://www.new.net/help_faq.tp#p5
and use these instructions to uninstall newdotnet.
Try it twice please.
=========================
You do have other things wrong, but that is the next worst - as it can break the internet connection that you use to get online.
Please post back with a new hijackthis log when done.
Please note hijackthis has now been updated - please use the update feature to get v1.98.0 or download the new version from www.zerosrealm.com (downlaods page).
trmthree
5 Posts
0
June 30th, 2004 16:00
trmthree
Logfile of HijackThis v1.98.0
Scan saved at 11:53:31 AM, on 6/30/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\scagent.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\inetdata\services.exe
C:\WINNT\System32\PRISMSTA.EXE
C:\WINNT\System32\wfxsnt40.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\PROGRA~1\ezula\mmod.exe
C:\program files\GlobalDialer\domer00114\gd-dial.exe
C:\Documents and Settings\rmontgomery\Application Data\aomm.exe
C:\WINNT\System32\NDrv.exe
C:\Program Files\WinFax\WFXCTL32.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://solongas.com/sp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.puh.ru/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.puh.ru/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\RMONTG~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\RMONTG~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\RMONTG~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\RMONTG~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\RMONTG~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\RMONTG~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINNT\inetdata\1.00.03.dll
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINNT\System32\msd5ioymt9jl.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRISMSTA.EXE] PRISMSTA.EXE START
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [System Tray] C:\Documents and Settings\rmontgomery\Local Settings\Temporary Internet Files\Content.IE5\W7SZYR0Z\your_details.pif
O4 - HKLM\..\Run: [System MScvb] C:\Documents and Settings\rmontgomery\Local Settings\Temporary Internet Files\Content.IE5\8HMROXY3\documents.pif
O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINNT\System\WinStart001.EXE -b
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINNT\System\WINSTA~1.EXE -b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [Belt] C:\WINNT\Belt.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inetdata\services.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00114\gd-dial.exe -remove
O4 - HKCU\..\Run: [Uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [xp_system] C:\WINNT\inetdata\services.exe
O4 - HKCU\..\Run: [Esea] C:\Documents and Settings\rmontgomery\Application Data\aomm.exe
O4 - HKCU\..\Run: [NDrv] C:\WINNT\System32\NDrv.exe
O4 - HKCU\..\Run: [SIFXXNJVBW] C:\WINNT\SAKKRVQEP.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: winlogin.exe
O9 - Extra button: Locators.com Search Bar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra 'Tools' menuitem: Locators.com Search Bar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O15 - Trusted Zone: *.greg-search.com
O15 - Trusted Zone: www.mt-download.com
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {A2EBA59E-C601-4AE3-900B-6B61F29500BE} (ActiveFormX Control) - https://widow1.factualdata.com/ocx/print3.ocx
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINNT\msopt.dll
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINNT\httpfilter.dll
O18 - Filter: text/plain - {87D1BA7F-A790-49F9-B8F9-5B693025118A} - C:\WINNT\System32\ncnkbba.dll
O19 - User stylesheet: C:\WINNT\color.css
ChrisRLG
3.9K Posts
0
June 30th, 2004 18:00
The about:Blank infection did not go it seems - or it came back.
Could you do these two things - pandasoft online scan - and a new CWShredder scan - details on this post.
http://forums.us.dell.com/supportforums/board/message?board.id=si_virus&message.id=17212
Then post a new hijackthis log for me please.
trmthree
5 Posts
0
June 30th, 2004 19:00
trmthree
Logfile of HijackThis v1.98.0
Scan saved at 2:46:55 PM, on 6/30/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\scagent.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\inetdata\services.exe
C:\WINNT\System32\PRISMSTA.EXE
C:\WINNT\System32\wfxsnt40.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\PROGRA~1\ezula\mmod.exe
C:\program files\GlobalDialer\domer00114\gd-dial.exe
C:\Documents and Settings\rmontgomery\Application Data\aomm.exe
C:\WINNT\System32\NDrv.exe
C:\Program Files\WinFax\WFXCTL32.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.puh.ru/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.puh.ru/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\RMONTG~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\RMONTG~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\RMONTG~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\RMONTG~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\RMONTG~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\RMONTG~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINNT\System32\msd5ioymt9jl.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRISMSTA.EXE] PRISMSTA.EXE START
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [System Tray] C:\Documents and Settings\rmontgomery\Local Settings\Temporary Internet Files\Content.IE5\W7SZYR0Z\your_details.pif
O4 - HKLM\..\Run: [System MScvb] C:\Documents and Settings\rmontgomery\Local Settings\Temporary Internet Files\Content.IE5\8HMROXY3\documents.pif
O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINNT\System\WinStart001.EXE -b
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINNT\System\WINSTA~1.EXE -b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [Belt] C:\WINNT\Belt.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inetdata\services.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00114\gd-dial.exe -remove
O4 - HKCU\..\Run: [Uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [xp_system] C:\WINNT\inetdata\services.exe
O4 - HKCU\..\Run: [Esea] C:\Documents and Settings\rmontgomery\Application Data\aomm.exe
O4 - HKCU\..\Run: [NDrv] C:\WINNT\System32\NDrv.exe
O4 - HKCU\..\Run: [SIFXXNJVBW] C:\WINNT\SAKKRVQEP.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: winlogin.exe
O9 - Extra button: Locators.com Search Bar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra 'Tools' menuitem: Locators.com Search Bar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O15 - Trusted Zone: *.greg-search.com
O15 - Trusted Zone: www.mt-download.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {A2EBA59E-C601-4AE3-900B-6B61F29500BE} (ActiveFormX Control) - https://widow1.factualdata.com/ocx/print3.ocx
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINNT\msopt.dll
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINNT\httpfilter.dll
O19 - User stylesheet: C:\WINNT\color.css
ChrisRLG
3.9K Posts
0
June 30th, 2004 20:00
Please download this tool called About:Buster from:
http://www.downloads.subratam.org/AboutBuster.zip
Unzip it to your desktop but don't run it yet.
Now start Hijackthis and tick the boxes next to these items:
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.puh.ru/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.puh.ru/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\RMONTG~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\RMONTG~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\RMONTG~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\RMONTG~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\RMONTG~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\RMONTG~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINNT\System32\msd5ioymt9jl.dll
O4 - HKLM\..\Run: [System Tray] C:\Documents and Settings\rmontgomery\Local Settings\Temporary Internet Files\Content.IE5\W7SZYR0Z\your_details.pif
O4 - HKLM\..\Run: [System MScvb] C:\Documents and Settings\rmontgomery\Local Settings\Temporary Internet Files\Content.IE5\8HMROXY3\documents.pif
Now close ALL windows and hit fix checked.
Do not open internet explorer to come back here until after running the tool.
Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.
Once the tool is done scanning, copy the log and paste it into your thread.
Restart your computer and post the report and a new Hijack this log.
trmthree
5 Posts
0
June 30th, 2004 23:00
trmthree
About:Buster Version 1.23
Attempted Clean Of Temp folder.
Pages Reset... Done!
Logfile of HijackThis v1.98.0
Scan saved at 6:06:52 PM, on 6/30/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\scagent.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\PRISMSTA.EXE
C:\WINNT\System32\wfxsnt40.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINNT\inetdata\services.exe
C:\PROGRA~1\ezula\mmod.exe
C:\program files\GlobalDialer\domer00114\gd-dial.exe
C:\Documents and Settings\rmontgomery\Application Data\aomm.exe
C:\WINNT\System32\NDrv.exe
C:\Program Files\WinFax\WFXCTL32.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\wuauclt.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://solongas.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://solongas.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://solongas.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://0websearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://solongas.com/sp.htm?id=9
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINNT\System\BHO001.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRISMSTA.EXE] PRISMSTA.EXE START
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINNT\System\WinStart001.EXE -b
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINNT\System\WINSTA~1.EXE -b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [Belt] C:\WINNT\Belt.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inetdata\services.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00114\gd-dial.exe -remove
O4 - HKCU\..\Run: [Uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [xp_system] C:\WINNT\inetdata\services.exe
O4 - HKCU\..\Run: [Esea] C:\Documents and Settings\rmontgomery\Application Data\aomm.exe
O4 - HKCU\..\Run: [NDrv] C:\WINNT\System32\NDrv.exe
O4 - HKCU\..\Run: [PMKNSTB] C:\WINNT\OURTOE.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: winlogin.exe
O9 - Extra button: Locators.com Search Bar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra 'Tools' menuitem: Locators.com Search Bar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O15 - Trusted Zone: *.greg-search.com
O15 - Trusted Zone: www.mt-download.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {A2EBA59E-C601-4AE3-900B-6B61F29500BE} (ActiveFormX Control) - https://widow1.factualdata.com/ocx/print3.ocx
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINNT\msopt.dll
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINNT\httpfilter.dll
O19 - User stylesheet: C:\WINNT\color.css
ChrisRLG
3.9K Posts
0
July 1st, 2004 07:00
What you had was several infections all competing for the main keys in your system. We needed to clean the worst out first. Now we can do the rest.
========================
Download then unzip and run CWShredder to clean up clicking FIX to have it remove all it finds.
cwshredder from here
or from here
or download page from here
Please run in safe mode (F8 at boot time)
How to start the computer in Safe mode
=============================
In hijackthis - config - misc tools - process view
Find these processes and 'Unload' them if running.
dmserver.exe
wupdater.exe
Belt.exe
istsvc.exe
wupdt.exe
WINSTA~1.EXE
services.exe (care - might be more that one - if so leave)
NDrv.exe
OURTOE.exe
mmod.exe
image.dll
aomm.exe
gd-dial.exe
winlogin.exe (Care as above)
Check these in hijackthis, AND WITH ALL OTHER WINDOWS CLOSED, fix checked.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://0websearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINNT\System\BHO001.DLL
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [Belt] C:\WINNT\Belt.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O4 - HKLM\..\Run: [WINSTA~1.EXE] C:\WINNT\System\WINSTA~1.EXE -b
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inetdata\services.exe
O4 - HKCU\..\Run: [NDrv] C:\WINNT\System32\NDrv.exe
O4 - HKCU\..\Run: [PMKNSTB] C:\WINNT\OURTOE.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [Uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [Esea] C:\Documents and Settings\rmontgomery\Application Data\aomm.exe
O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\domer00114\gd-dial.exe -remove
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Optional resource hog)
O4 - Global Startup: winlogin.exe
O9 - Extra button: Locators.com Search Bar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra 'Tools' menuitem: Locators.com Search Bar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
(These two Trusted zones - unless you know and trust them)
O15 - Trusted Zone: *.greg-search.com
O15 - Trusted Zone: www.mt-download.com
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINNT\msopt.dll
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINNT\httpfilter.dll
O19 - User stylesheet: C:\WINNT\color.css
The following are part of the CWS infection and CWShredder should have removed, if still in the log please check for removal.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://solongas.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://solongas.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://solongas.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://solongas.com/sp.htm?id=9
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
The following activeX controls will reinstall when(and if) you revisit that website, UNLESS you know they are from a safe source, check to remove.
O16 - DPF: {A2EBA59E-C601-4AE3-900B-6B61F29500BE} (ActiveFormX Control) - https://widow1.factualdata.com/ocx/print3.ocx
Then Reboot to safe mode (F8 on boot) and delete the following files/folders:-
(See items 8 & 9 from this link for details of safe mode and viewing hidden files
http://www.russelltexas.com/malware/faqhijackthis.htm )
Folder > C:\PROGRA~1\COMETS~1\
Folder > C:\Program Files\Common files\updater\
File > > C:\WINNT\Belt.exe
Folder > C:\Program Files\ISTsvc\
File > > C:\WINNT\wupdt.exe
File > > C:\WINNT\System\WINSTA~1.EXE
Folder > C:\WINNT\inetdata\
File > > C:\WINNT\System32\NDrv.exe
File > > C:\WINNT\OURTOE.exe
Folder > C:\PROGRA~1\ezula\
File > > image.dll (Probably in c:\winnt or c:\winnt\system32)
File > > C:\Documents and Settings\rmontgomery\Application Data\aomm.exe
Folder > c:\program files\GlobalDialer\
Then Reboot and post a fresh log for me to check.