
33 Posts

May 26th, 2005 18:00

please Help me with this log

Logfile of HijackThis v1.99.1
Scan saved at 2:33:39 PM, on 5/26/2003
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\installer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\winppr32.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\System32\win32.exe
C:\WINDOWS\System32\nw1im.exe
c:\windows\system32\zrdnnyc.exe
C:\Documents and Settings\Jason M Solomon\Application Data\neoc.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\Services\{CA34AB2A-81A2-49BB-9EF1-9F9CFEBD96F0}\SVCHOST.EXE
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jason M Solomon\Desktop\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://craftsmensearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://craftsmensearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://craftsmensearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://craftsmensearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://craftsmensearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://craftsmensearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://craftsmensearch.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=19
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://craftsmensearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://craftsmensearch.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://craftsmensearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://craftsmensearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://craftsmensearch.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://craftsmensearch.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://craftsmensearch.com
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 198.65.164.168 00hq.com
O1 - Hosts: 198.65.164.168 8ad.com
O1 - Hosts: 198.65.164.168 searchv.com
O1 - Hosts: 198.65.164.168 www.searchv.com
O1 - Hosts: 198.65.164.168 008k.com
O1 - Hosts: 198.65.164.168 www.008k.com
O1 - Hosts: m
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsyA791.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [TrayX] C:\WINDOWS\winppr32.exe /sinc
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [iexplore] C:\WINDOWS\System32\iexplore.exe
O4 - HKLM\..\Run: [azmp] C:\WINDOWS\azmp.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [kbxchr] c:\windows\system32\zrdnnyc.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TrayX] C:\WINDOWS\winppr32.exe /sinc
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [YB0qRWHtQ] nw1im.exe
O4 - HKCU\..\Run: [Tero] C:\Documents and Settings\Jason M Solomon\Application Data\neoc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O13 - DefaultPrefix: http://craftsmensearch.com/gall.php?url=
O13 - WWW Prefix: http://craftsmensearch.com/gall.php?url=
O13 - Home Prefix: http://craftsmensearch.com/gall.php?url=
O13 - Mosaic Prefix: http://craftsmensearch.com/gall.php?url=
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0036.exe
O21 - SSODL: System - {D7DCE32E-88C3-417F-8613-B81ACFAB477C} - vr_sys.dll (file missing)
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Installer Service (Installer) - Unknown owner - C:\WINDOWS\System32\installer.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
 
On a side note: certain words on web pages are highlighted as hyperlinks, i.e. download, you, start, line, body... and Aurora pop-ups pop up all the time... and I cannot save my own personal home page default...
 
Thanks for your help
 
~Jay
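The log above is a useful specimen for automated triage: almost every class of entry the helper goes after in the replies is present (hijacked IE start/search pages, hosts-file redirects, a second program chained onto the Winlogon shell, system-binary names running from the wrong folders, an unknown Winsock LSP, URL-prefix hijacks, an orphaned SSODL entry and an unowned service). The Python script below is an added example, not part of the original thread and not HijackThis code: it parses HijackThis-style lines and flags those patterns. The sample input is a short excerpt constructed from lines posted above, and the baseline it checks against (the set of core binary names, the folders they are expected to run from, the "Unknown owner" service rule) is the example's own assumption rather than anything HijackThis itself enforces.

```python
"""Added example: triage a HijackThis-style log, flagging the entry types the
helper targets in this thread. The sample below is a constructed excerpt."""
import re

# Constructed excerpt modelled on the first log posted above; not a full log.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Jason M Solomon\Application Data\neoc.exe
C:\WINDOWS\System32\Services\{CA34AB2A-81A2-49BB-9EF1-9F9CFEBD96F0}\SVCHOST.EXE
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://craftsmensearch.com
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 198.65.164.168 searchv.com
O1 - Hosts: 198.65.164.168 008k.com
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKCU\..\Run: [YB0qRWHtQ] nw1im.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O13 - DefaultPrefix: http://craftsmensearch.com/gall.php?url=
O15 - Trusted Zone: *.blazefind.com
O21 - SSODL: System - {D7DCE32E-88C3-417F-8613-B81ACFAB477C} - vr_sys.dll (file missing)
O23 - Service: Installer Service (Installer) - Unknown owner - C:\WINDOWS\System32\installer.exe
"""

# Assumed baseline (this example's, not a HijackThis rule): core Windows
# binary names and the only folders they legitimately run from on XP.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}
PROFILE_DIRS = ("\\application data\\", "\\documents and settings\\")
ITEM_RE = re.compile(r"^([RFO]\d+) - (.*)$")                 # "O4 - ..." item lines
RUN_RE = re.compile(r"^HK[A-Z]+\\\.\.\\Run: \[.*?\] (.*)$")  # value part of a Run entry

def _target(value):
    """Executable out of a Run value such as '"C:\\a b\\x.exe" /flag' or 'x.exe'."""
    m = re.match(r'"([^"]+)"', value) or re.match(r"(.*?\.exe)", value, re.I)
    return m.group(1) if m else value.split()[0]

def check_process(path):
    """Reason a process or autostart target deserves review, else None."""
    name = path.rsplit("\\", 1)[-1].lower()
    folder = path.rsplit("\\", 1)[0].lower() if "\\" in path else ""
    if name in SYSTEM_NAMES and folder not in SYSTEM_DIRS:
        return f"system binary name outside its normal folder: {path}"
    if any(d in path.lower() for d in PROFILE_DIRS):
        return f"executable running from a user profile: {path}"
    if not folder:
        return f"autostart target given without a path: {path}"
    return None

def analyze(log_text):
    """Return (section, reason, line) for every entry worth a second look."""
    findings, hosts_by_ip, in_procs = [], {}, False
    for line in (l.strip() for l in log_text.splitlines()):
        if line == "Running processes:":
            in_procs = True
            continue
        m = ITEM_RE.match(line)
        if not m:                                     # process list or header text
            why = check_process(line) if in_procs and ":\\" in line else None
            if why:
                findings.append(("proc", why, line))
            continue
        in_procs, (code, body), why = False, m.groups(), None
        arg = body.split(": ", 1)[-1]                 # text after "Label: "
        if code in ("R0", "R1"):                      # IE start/search pages
            url = body.split(" = ", 1)[-1]
            if not re.search(r"\b(microsoft|msn)\.com", url):
                why = f"IE start/search setting points at {url}"
        elif code == "F2" and "Shell=" in body:       # Winlogon shell value
            shell = body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                why = f"extra program chained onto the shell: {shell}"
        elif code == "O1" and body.startswith("Hosts: "):
            ip, _, host = arg.partition(" ")
            hosts_by_ip.setdefault(ip, []).append(host)
            why = f"hosts-file override: {arg}"
        elif code == "O4" and RUN_RE.match(body):     # registry Run entries
            why = check_process(_target(RUN_RE.match(body).group(1)))
        elif code == "O10" and body.startswith("Unknown file in Winsock LSP"):
            why = f"unrecognised Winsock LSP (sees all socket traffic): {arg}"
        elif code == "O13" and arg != "http://":      # URL prefix hijack
            why = f"typed addresses are rewritten through {arg}"
        elif code == "O15":                           # Trusted zone additions
            why = f"added to the IE Trusted zone: {arg}"
        elif code == "O21" and "(file missing)" in body:
            why = "orphaned ShellServiceObjectDelayLoad entry"
        elif code == "O23" and "Unknown owner" in body:
            path = body.rsplit(" - ", 1)[1]
            if "(file missing)" in path or path.lower().startswith(r"c:\windows"):
                why = f"service with no vendor string in the Windows tree: {path}"
        if why:
            findings.append((code, why, line))
    for ip, hosts in hosts_by_ip.items():             # one IP swallowing many names
        if len(hosts) >= 2:
            findings.append(("O1", f"{len(hosts)} hostnames all point to {ip}", ip))
    return findings
```

Run on the excerpt it produces 14 findings and leaves the NeroCheck entry alone. Two design points are worth noting. A Run target with no directory (nw1im.exe) is flagged because Windows resolves it by PATH search, which is exactly what makes it easy for an installer to drop into System32 unnoticed. The rules deliberately do not try to spot look-alike names such as kernels32.exe or win32.exe: that call needs the judgment the helper applies by hand, and a script that guesses at it produces more false positives than it catches.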

8.8K Posts

May 26th, 2005 18:00

Hi and welcome,

I bet your system is driving you nuts!
Let's fix it!!


Please download the trial version of Ewido Security Suite here:

http://www.ewido.net/en/download/

Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:

http://www.noidea.us/easyfile/file.php?download=20050515010747824

Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:

1) Restart your computer

2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

3) Instead of Windows loading as normal, a menu should appear

4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and
icons will disappear and reappear, and a window should open and close
very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:


F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

Steve

33 Posts

May 26th, 2005 19:00

I went to ewido's website, but when I put the mouse cursor over the hyperlink "Start download" it showed it was going to direct me to clicksearchclick.com... and there were other words on the web page highlighted, like body, download, run, start, and other words as well.

8.8K Posts

May 26th, 2005 20:00

OK
Let's do this backwards. I know that the Nail infection will be there waiting for us with open arms when we are done doing this.

Let's continue on with the fix...

-

Be sure to look this solution over before you begin. There are some item(s) I'm not familiar with. If you recognize any, then just omit them from this fix.



When we're done cleaning off your system, I'd recommend that you install all the critical Windows updates available from Microsoft, up to Service Pack 1. This will help to make your system more secure and prevent many 'problems' from recurring in the future.


Download LSPFix and unzip it to your desktop, then run it. Now, we need to:

1. Check (tick) "I know what I'm doing".
2. Click on (highlight) each occurrence of the following, one at a time:

inetadpt.dll

3. Then click ">>", moving each one, individually, to the 'Remove' pane.
4. (Double-check, and make sure that only the above files are in the 'Remove' pane.)
5. Click "Finish >>".




Let's download the Symantec VirtuMundo removal tool, and run it.



Run HiJackThis and click "Scan", then check (tick) the following, if present:


O1 - Hosts: 198.65.164.168 00hq.com
O1 - Hosts: 198.65.164.168 8ad.com
O1 - Hosts: 198.65.164.168 searchv.com
O1 - Hosts: 198.65.164.168 www.searchv.com
O1 - Hosts: 198.65.164.168 008k.com
O1 - Hosts: 198.65.164.168 www.008k.com
O1 - Hosts: m

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O13 - DefaultPrefix: http://craftsmensearch.com/gall.php?url=
O13 - WWW Prefix: http://craftsmensearch.com/gall.php?url=
O13 - Home Prefix: http://craftsmensearch.com/gall.php?url=
O13 - Mosaic Prefix: http://craftsmensearch.com/gall.php?url=


Now, with all windows closed except HiJackThis, click "Fix checked".



Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:

files...

c:\windows\system32\inetadpt.dll

-

Note that some of these file(s) may or may not be present. If present, and they cannot be deleted because they're 'in use', try deleting them from "Safe Mode".


Now we have deleted the entries that redirect you to another site and have fixed your internet connection.

Let's see if you can get to Ewido without being redirected this time?



Post back a new log, and let me know how everything goes.
Steve

33 Posts

May 27th, 2005 07:00

OK, I did everything you asked, but it is still redirecting me to www.clicksearchclick.com, and Aurora pop-ups are still popping up... after doing everything on the list from both replies these are the logs I got from HijackThis & Ewido... I am awaiting your instructions... I really appreciate your help...
 
Logfile of HijackThis v1.99.1
Scan saved at 4:26:51 AM, on 5/27/2003
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\win32.exe
C:\Documents and Settings\Jason M Solomon\Application Data\neoc.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\installer.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Documents and Settings\Jason M Solomon\Desktop\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=19
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll (file missing)
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [iexplore] C:\WINDOWS\System32\iexplore.exe
O4 - HKLM\..\Run: [azmp] C:\WINDOWS\azmp.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TrayX] C:\WINDOWS\winppr32.exe /sinc
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [YB0qRWHtQ] nw1im.exe
O4 - HKCU\..\Run: [Tero] C:\Documents and Settings\Jason M Solomon\Application Data\neoc.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0036.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=4600
O21 - SSODL: System - {D7DCE32E-88C3-417F-8613-B81ACFAB477C} - vr_sys.dll (file missing)
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Installer Service (Installer) - Unknown owner - C:\WINDOWS\System32\installer.exe
 
---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------
 + Created on:   3:54:40 AM, 5/27/2003
 + Report-Checksum:  E26507F7
 + Date of database:  5/27/2003
 + Version of scan engine: v3.0
 + Duration:    2 min
 + Scanned Files:   14
 + Speed:    0.09 Files/Second
 + Infected files:   9
 + Removed files:   5
 + Files put in quarantine:  5
 + Files that could not be opened: 0
 + Files that could not be cleaned: 4
 + Binder:  Yes
 + Crypter:  Yes
 + Archives:  Yes
 + Scanned items:
 Memory
 + Scan result:
 C:\WINDOWS\System32\inetadpt.dll / PID: 836 -> TrojanDownloader.TargetSoft.b -> Cleaned with backup
 C:\WINDOWS\System32\inetadpt.dll / PID: 948 -> TrojanDownloader.TargetSoft.b -> Error during cleaning
 C:\WINDOWS\system32\init32m.exe / PID: 1572 -> TrojanDownloader.Agent.ho -> Cleaned with backup
 C:\WINDOWS\System32\inetadpt.dll / PID: 1940 -> TrojanDownloader.TargetSoft.b -> Error during cleaning
 c:\windows\system32\yygesjj.exe / PID: 42596 -> Trojan.Agent.cp -> Cleaned with backup
 C:\WINDOWS\System32\Services\{4C1B4FEC-ADA0-464D-9C08-D3F80509A196}\SVCHOST.EXE / PID: 121624 -> Trojan.WebSearch.i -> Cleaned with backup
 C:\WINDOWS\System32\Services\{4C1B4FEC-ADA0-464D-9C08-D3F80509A196}\SVCHOST.DLL / PID: 121616 -> Trojan.WebSearch.j -> Cleaned with backup
 C:\WINDOWS\System32\Services\{4C1B4FEC-ADA0-464D-9C08-D3F80509A196}\SVCHOST.DLL / PID: 130616 -> Trojan.WebSearch.j -> Error during cleaning
 C:\WINDOWS\System32\Services\{4C1B4FEC-ADA0-464D-9C08-D3F80509A196}\SVCHOST.DLL / PID: 125068 -> Trojan.WebSearch.j -> Error during cleaning

::Report End

8.8K Posts

May 27th, 2005 13:00

I don't see Nail running in this log, so let's just move on.

Let's continue on with the fix...

-

Be sure to look this solution over before you begin. There are some item(s) I'm not familiar with. If you recognize any, then just omit them from this fix.



When we're done cleaning off your system, I'd recommend that you install all the critical Windows updates available from Microsoft, up to Service Pack 1. This will help to make your system more secure and prevent many 'problems' from recurring in the future.




Next, open a command prompt by:

1. Clicking "Start", then "Run...".
2. Enter "cmd" (without the quotes).
3. Enter "services.msc" (without the quotes).

-

Now, locate and 'stop' the following services, if present:

Installer Service (Installer) owner ... (C:\WINDOWS\System32\installer.exe)

Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services.



Run HiJackThis, then:

1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\WINDOWS\System32\win32.exe
C:\Documents and Settings\Jason M Solomon\Application Data\neoc.exe
C:\WINDOWS\System32\installer.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.



Run HiJackThis and click "Scan", then check (tick) the following, if present:


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.clicksearchclick.com/index.php?aff=19

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll (file missing)
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll (file missing)
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - (no file)

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)

O4 - HKLM\..\Run: [azmp] C:\WINDOWS\azmp.exe
O4 - HKCU\..\Run: [TrayX] C:\WINDOWS\winppr32.exe /sinc
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [YB0qRWHtQ] nw1im.exe
O4 - HKCU\..\Run: [Tero] C:\Documents and Settings\Jason M Solomon\Application Data\neoc.exe

O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)

O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0036.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=4600

O21 - SSODL: System - {D7DCE32E-88C3-417F-8613-B81ACFAB477C} - vr_sys.dll (file missing)

O23 - Service: Installer Service (Installer) - Unknown owner - C:\WINDOWS\System32\installer.exe


Now, with all windows closed except HiJackThis, click "Fix checked".



Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:

files...

C:\WINDOWS\System32\win32.exe
C:\Documents and Settings\Jason M Solomon\Application Data\neoc.exe
C:\WINDOWS\System32\installer.exe
C:\WINDOWS\azmp.exe
C:\WINDOWS\winppr32.exe

Search for...

nw1im.exe

...using "Start | Search...".

-

Note that some of these file(s) may or may not be present. If present, and they cannot be deleted because they're 'in use', try deleting them from "Safe Mode".



Post back a new log, and let me know how everything goes.
Steve

8.8K Posts

May 27th, 2005 20:00

I'm checking this out now.

Steve

33 Posts

May 27th, 2005 20:00

Please forgive me if I jumped the gun... as far as the Microsoft critical updates, I can't find the Update icon to access it, and when I went to Microsoft.com it says that Service Pack 1 is not available anymore... as far as C:\WINDOWS\System32\installer.exe from services.msc, I found it, and it wouldn't stop, so I set it to manual, and it stopped... I ran HijackThis and I found neoc.exe & win32.exe and followed instructions, but I did not see installer.exe... I ran HijackThis and fixed all the files you requested... I couldn't find azmp.exe & installer.exe (from the "Explore" selection from right-clicking "Start"), but nw1im.exe, winppr32.exe, neoc.exe & win32.exe were deleted... here's the HijackThis log... Also my PC is not recognizing any hardware: my speakers, webcam, mic, etc., and Device Manager has no hardware listed in it... I am surprised the mouse and keyboard work... again I appreciate all your help...
 
Logfile of HijackThis v1.99.1
Scan saved at 4:46:30 PM, on 5/27/2003
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Jason M Solomon\Desktop\HJT\HijackThis.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [iexplore] C:\WINDOWS\System32\iexplore.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Installer Service (Installer) - Unknown owner - C:\WINDOWS\System32\installer.exe
 