Skip to main content

chadwinn

2 Posts

October 4th, 2005 00:00

What have you tried to get rid of it? Will it boot at all into the OS?

dobhar

1.1K Posts

October 4th, 2005 18:00

Hi...

My name is dobhar and I will be looking over your log. Looks like you have some "Nasties" so please give me some time to go look it over and I will post back as soon as possible. If you have any questions please post back as a reply to this Thread\Topic and I will be advised by email so I can return and help you. Do not start another Thread\Topic.

Thank You,

A920

14 Posts

October 4th, 2005 20:00

dude i dont know what OS is im just 13 so please when u tell me something please tell me all the steps. thank you so much for attending me :smileyvery-happy:

dobhar

1.1K Posts

October 5th, 2005 05:00

Hi A920...

You posted => " dude i dont know what OS is im just 13 so please when u tell me something please tell me all the steps". OS means Operating System...like Windows XP.

You have a couple Nasties...like a LOP Infection...

I first have a question...as per the entry below, what is 2locks.exe. I cannot find any info on this file
O4 - HKCU\..\Run: [mags fork] C:\DOCUME~1\Elin_2\APPLIC~1\BOOKMA~1\2locks.exe

Let's get to it...
__________________________________________________________________

Please print out or copy these instructions\tutorials to Notepad as the internet will not be (while in Safe Mode) availble to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
________________________________________________________________________

Step 1.
==========
We need to uninstall some programs (if found in list) using " Add or Remove Programs" in the Control Panel:
- Get into Control Panel.
- Double-click " Add or Remove Programs".
- Look in the Currently installed programs box for each program listed below and if it is there:
- Click on it to select it.
- Click " Change/Remove" (or " Change") button.
- If you are prompted to confirm the removal of the program, click " Yes"

Lop.com
LOP SEARCH
Window Searching
Window Active
Search Plugin
Browser Enhance r
Brows er Enhancer
Ultimate Browse r Enhancer
Ultimate Browser En hancer
L.O P. Un insta11
L O.P. Un instal1
Live 0n line Portal
Live.0nli ne Porta1

Step 2.
==========
- Open Microsoft AntiSpyware.
- Click on Tools, Settings.
- In the left pane, click on Real-time Protection.
- Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
- Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
- After you unchecked these, click on the Save button and close Microsoft AntiSpyware.
- Right click on the Microsoft AntiSpyware Icon on the taskbar and select Shutdown Microsoft AntiSpyware.

Step 3.
==========
- Start Notepad
- Copy/paste the following BOLD text below into a new Notepad text file.

Quote:
@ECHO OFF
dir %Windir%\tasks /a h > files.txt
notepad files.txt
del /q files.txt

- Save it to your Desktop as findjobs.bat.
- File Name: findjobs.bat; Save it as: File Type: All Files (*.*) (Note: not as a text document or it wont work)
- Locate the findjobs.bat on your Desktop and double-click it
- When notepad opens, copy/paste the content in your next reply
- When you close Notepad the CMD window will close automatically and the text file will be deleted.

Step 4.
==========
- Reboot computer into " Safe Mode" Using the F8 method:
- As soon as the BIOS is loaded begin tapping the F8 key until the Boot Menu appears
- Use the arrow keys to select the Safe Mode menu item
(Note: For additional help in booting into Safe Mode, see the following site - http://www.pchell.com/support/safemode.shtml)

Step 5.
==========
We need to make sure all Hidden Files are showing so please:
* Open " My Computer" then click on " Tools" and from the drop down menu select " Folder Options".
* Select the " View" tab.
* Under the " Hidden files and folders" heading SELECT " Show hidden files and folders".
* UNCHECK the " Hide file extensions for known types option".
* UNCHECK the " Hide protected operating system files (recommended) option".
* Click " Yes" to confirm.
* Click " OK"

Step 6.
==========
- Make sure Microsoft Antispyware is disabled
- Close all Windows and programs
- Run HijackThis...
- Select\check the following entries, Double-check to make sure that only these entries are checked...

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://www.ucywfoytvdrczdzpusw.net/wXeVj3oWIHuNM5QaHVMJUN1mmqRxbK/qMHXT8JF8OmWkKi_nDMdsizXYeKwHF4ob.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.42.87.219/sidesearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.42.87.219/sidesearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.42.87.219/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.42.87.219/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.42.87.219/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab

- Click the " Fix checked" button...
- Close HijackThis

Step 7.
==========
We now need to cleanup all the Temp, Temorary Internet Files, Recycle Bin, etc...
- Start the CCleaner program
- Get into " Options" => Select " Advanced" => Deselect\uncheck " Only delete files in Windows Temp folders older than 48 hours"
- We are only going to work with the "Cleaner" section. (Note: Do not use the "Issues" section)
- click on the Run Cleaner button in the lower right-hand corner
- After complete close program
- Make sure the recycle Bin is empty

Step 8.
==========
Run Panda's online virus scan from http://www.pandasoftware.com/products/activescan.htm and perform a full system scan.
- Once you are on the Panda site click the " Scan your PC" button
- A new window will open...click the big " Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
- Click on " Local Disks" to start the scan
- Post Panda scan results in your next reply

Step 9.
==========
- Reboot your computer back into " Normal Mode"
- Post back a fresh new HijackThis log
- Post back the Panda ActiveScan results
- Post "Findjobs" results
- Make sure you have re-enabled MSAS (Microsoft Antispyware)

Message Edited by dobhar on 10-05-2005 01:20 AM

dobhar

1.1K Posts

October 12th, 2005 21:00

It has been 7 days since I last heard from you. I will be monitoring this thread for another 7 days. If unanswered at the end of those 7 days I will be considering this topic closed and will not be monitoring it for replies.

Thank You,

A920

14 Posts

October 12th, 2005 22:00

sorry well this is what i got man....i couldnt do the panda thing because it kept on freezing and it often closed on its own so i got angry and didnt try it again. tried it about 6 times....


This is the Findjobs.bat thing:

 Volume in drive C has no label.
 Volume Serial Number is AC26-01C5
 Directory of C:\WINDOWS\tasks
10/12/2005  02:53 PM              .
10/12/2005  02:53 PM              ..
10/12/2005  07:00 PM               266 AF16F5D6918967B6.job
08/23/2001  08:00 AM                65 desktop.ini
10/12/2005  02:41 PM                 6 SA.DAT
10/12/2005  05:50 PM               366 Symantec NetDetect.job
               4 File(s)            703 bytes
 Directory of C:\Documents and Settings\Elin_2\Desktop

My Hijackthis file:

Logfile of HijackThis v1.99.1
Scan saved at 7:38:30 PM, on 10/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\Save\Save.exe
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\MSN\MSNCoreFiles\MSN.EXE
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wvhlinpihrni.org/vuGTGj6mnBsBHfmXSLytjCGvoLcFw3jhpBZuEwK1_FBxMcNILdY1i3idxkOdUr99.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sczhirayxkwiqys.com/vuGTGj6mnBuF_4K45ymbHm5w_zTgpFEANdh4rAcXihs.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {D8599BF0-2119-235F-A8D9-4762343D84F7} - C:\DOCUME~1\Elin_2\APPLIC~1\CORNLO~1\ooze gpl.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKLM\..\Run: [barb internet enc creative] C:\Documents and Settings\All Users\Application Data\ListMathBarbInternet\Vga Download.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [mags fork] C:\DOCUME~1\Elin_2\APPLIC~1\BOOKMA~1\2locks.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZG
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128182398218
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon.net/update/msnwebinstall/includes/vzWebIns.CAB
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
 

dobhar

1.1K Posts

October 13th, 2005 21:00

Hi A920...

First of all please do not wait 7 days before replying back...The fixes I tell you to do on day 1 may not work on day 7. If you want you PC cleaned up I would really appreciate that you reply back as soon as possible or if you cannot run the fixes for a few days can you please let me know.

Thanks,
__________________________________________________

Before we go any further I need to know a few things...

1) Have you installed some software since your last log? I am seeing items in it that I did not see before.
- Your version of BearShare...is it the paid or free version. The free version has spyware or other unwanted parasites bundled into it. I'm guessing you installed the "FREE" version as you now have the WhenUSave "Nasty" installed on your PC.
Please have a look at this SpywareInfo page => http://www.spywareinfo.com/articles/p2p/

- "barb internet enc creative"...Can you tell me what this is... Vga Download.exe

- "C:\DOCUME~1\Elin_2\APPLIC~1\CORNLO~1\ooze gpl.exe"...Can you tell me what this is. I'm pretty sure this is a "Nasty" but I need to be positive. What is the full name for the folder "CORNLO~1". You will find it in "C:\Documents and Settings\Elin_2\Application Data\CORNLOxxxxxxx <<<= Please fill in the x's

- I asked you in my last post if you knew what this was - 2locks.exe. I'm also pretty sure this is also a "Nasty" but once again I need to make sure. What is the full name of the folder "BOOKMA~1". You will find it in C:\Documents and Settings\Elin_2\Application Data\BOOKMAxxxxx <<<= Please fill in the x's


2) After going through your HijackThis log I am not seeing any evidence of an Antivirus program installed on your PC. That is not good. :( You need an AV installed immediately otherwise your just going to get infected again and we would be doing this all over again. I can recommend a good "FREE" (also spyware free) AV program called AVG 7.0. It is quite easy to install. Please download and install AVG 7.0 from...
- Download AVG 7.0 location => http://free.grisoft.com/softw/70free/setup/avg70free_344a618.exe
- A Reference Guide can be found (note: It is in PDF format...Adobe Reader is needed => http://free.grisoft.com/softw/70free/doc/avg_fre_ref_en_70_12.pdf
_______________________________________

Please reply back as soon as possible with answers to my questions. Also after installing AVG 7.0 please post back a fresh new HijackThis log.

Thanks A920...

Cya... :)

dobhar

1.1K Posts

October 21st, 2005 23:00

This Thread\Topic is closed due to lack of responce from poster. I have stopped monitoring it for replies. If you still require assistance please start a new thread and post a fresh new HijackThis log. One of our volunteers will be glad to help you. :)

Thank You and Safe Surfing... :)

Was this post helpful?

View All

No Events found!

Top