TheTechGuide Forum
General Category => Tech Clinic => Topic started by: DrWu on September 11, 2004, 05:50:41 AM
-
Hi folks
I am one of the many thousands of poor schmucks out there currently having a CoolSearch-related nervous breakdown.
The thing keeps reinstalling itself despite CWShredder and the latest Ad-Aware.
Having followed the advice on this forum I downloaded HijackThis, but wondered if anyone would be good enough to examine my log and tell me what I need to delete?
Here it is, thanks!
Logfile of HijackThis v1.98.2
Scan saved at 11:44:23, on 18/02/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4SS.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4GUI.EXE
C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLSTAT.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLAGENT.EXE
C:\WINDOWS\SYSTEM\HOST32.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\GETRIGHT\GETRIGHT.EXE
C:\PROGRAM FILES\SAMSUNG\DIGIMAX VIEWER 2.0\STIMGBROWSER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\BT BROADBAND\HELP\BIN\MPBTN.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://0-OL1OIZ-XOLXII1-OXLI10OZL1L1-O-L-11-IIZXP-L-0O-OLL11IZ0OIL-OL.COM/725ca17629/97681342/ogsearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\habvs.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\habvs.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.Email Removed/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\habvs.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\habvs.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\habvs.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\habvs.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\habvs.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - (no file)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_0_2_6.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Onscreen Display] C:\Program Files\Netropa\Onscreen Display\OSD.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [AttuneClientEngine] C:\PROGRA~1\AVEO\ATTUNE\bin\AttnEngn.exe
O4 - HKLM\..\Run: [AttuneSysTrayNotifier] C:\PROGRAM FILES\AVEO\ATTUNE\BIN\ATTNNOST.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O7 "EPUSB1:" /M "Stylus C44"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [9eck] C:\WINDOWS\TEMP\9ECK.EXE
O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\host32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [KPF4] c:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O4 - HKLM\..\RunServices: [CRZT32.EXE] C:\WINDOWS\SYSTEM\CRZT32.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [NETZIP SMARTDOWNLOADER] C:\WINDOWS\SYSTEM\npnzdad.exe /t
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Digimax Viewer 2.0.lnk = C:\Program Files\Samsung\Digimax Viewer 2.0\STImgBrowser.exe
O4 - Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0819.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0819.DLL
O9 - Extra button: downloadsoftware - {C8950078-94A4-4C32-BB9C-4666357965AF} - C:\download10\index.htm (file missing)
O9 - Extra button: Antivirus - {4358161B-A4B8-498E-8019-3DAB50DFD578} - http://www.accesoplugin.com/prom/a_virus2/?l=download10&ver=4&t=new (file missing)
O9 - Extra button: Bromas y chistes - {068C36CF-483E-4CA8-A7F2-10EFFDA49C45} - http://www.accesoplugin.com/prom/a_bromas2/?l=download10&ver=4&t=new (file missing)
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPAVI32.DLL
O12 - Plugin for .ivr: C:\PROGRA~1\INTERN~1\PLUGINS\NPRVRT32.dll
O15 - Trusted Zone: http://register-tesco.qa.business.ntl.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.scoobidoo.com
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/26bd83c04460bb613d06/netzip/RdxIE601.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {2CFB52FD-7CF2-479C-BF65-B27F8A834F31} (SecureSession Class) - http://www.samsungtechwin.com/include/pki/SecuiTechIE.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadband/MotivePreQual.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=30f1c668c834f8af9cb263fb5b74c6f98af721c28149e44ac3ffacace4ac126171b6c07c8ce2a968cc36afd54212a72ae45b561ccd1f0b1f0b14f9bb93ddd5:061a5725d1c04e478de72640af5cb44d
O16 - DPF: {2C0F2AEA-3A9B-46DB-A7BE-80FF329E415D} (PremiumInternacional Class) - http://www.accesoplugin.com/dialercab/PPremiumInternacional.cab
Thanks again
Steve.
-
Set Windows to Show Hidden Files and Folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Create a new folder on your desktop, call it Aboutbuster
Download About:Buster to the desktop: http://www.malwarebytes.biz/AboutBuster.zip
by RubbeR Ducky
Unzip it to that new folder === Run this later
RESTART your computer in SAFE MODE: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=2#_Section2
Find and delete these files or folders
C:\WINDOWS\SYSTEM\HOST32.EXE
c:\installer\id53.exe
C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
C:\WINDOWS\SYSTEM\CRZT32.EXE
Win86.exe
win32x.exe
internat.dll <--don't confuse it with internat.exe
C:\Program Files\Common files\updmgr <--this folder
Stay in Safe mode and do another scan with hijackthis
Put a check next to these entries and then FIX CHECKED
R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://0-OL1OIZ-XOLXII1-OXLI10OZL1L1-O-L-1...2/ogsearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\habvs.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\habvs.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.Email Removed/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\habvs.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\habvs.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\habvs.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\habvs.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\habvs.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - (no file)
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [9eck] C:\WINDOWS\TEMP\9ECK.EXE
O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\host32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [xpsystem] C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: downloadsoftware - {C8950078-94A4-4C32-BB9C-4666357965AF} - C:\download10\index.htm (file missing)
O9 - Extra button: Antivirus - {4358161B-A4B8-498E-8019-3DAB50DFD578} - http://www.accesoplugin.com/prom/a_virus2/...d10&ver=4&t=new (file missing)
O9 - Extra button: Bromas y chistes - {068C36CF-483E-4CA8-A7F2-10EFFDA49C45} - http://www.accesoplugin.com/prom/a_bromas2...d10&ver=4&t=new (file missing)
O15 - Trusted Zone: http://register-tesco.qa.business.ntl.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.scoobidoo.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/26bd83c04460bb613d06/...ip/RdxIE601.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.8.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...de72640af5cb44d
O16 - DPF: {2C0F2AEA-3A9B-46DB-A7BE-80FF329E415D} (PremiumInternacional Class) - http://www.accesoplugin.com/dialercab/PPre...ternacional.cab
I would fix these next ones too. Not immediate threats, but they are NOT needed on startup and use up valuable resources
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
After you have fixed the above, close down HijackThis
Open About:Buster and hit OK. Now for the scanning part: hit Start and then OK. The program should start scanning. Scan a second time, then hit Exit
Restart your computer back into Normal mode
Do an updated scan with Ad-Aware SE Personal 1.04 (this is the latest)
Check for updates
Do a Full System Scan and remove all critical objects
Restart your computer to finish the cleaning process
Post back with a fresh HijackThis log
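A first-pass triage of a log like the one above, as an added example (it is not part of this thread, and it is not HijackThis or About:Buster code). It encodes the rules of thumb behind the fix list, which are my reading of that list rather than anything the helper stated: an IE search or start page pointing into a res:// DLL, a win.ini run= autostart, Run entries starting something from TEMP, a SERVICES folder or c:\installer, a bare filename outside the handful Win9x starts that way, a rundll32-style "dll,Function" argument handed to something other than rundll32, Trusted Zone entries the user never added, and ActiveX (O16) cabs pulled from a bare IP address, from one of those trusted domains, or from a URL carrying a dialer or FunWebProducts marker. The allow-lists, the directory list and the keyword list are assumptions to adjust per machine; the sample log is an excerpt of the first log in this thread with one long URL abridged.

```python
"""First-pass triage of a HijackThis 1.98-style log. Added example, not code from HijackThis, About:Buster
or this thread; the rules are assumptions distilled from the helper's fix list, heuristics, not signatures."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind entry reason")
ENTRY_RE = re.compile(r"^(?P<kind>[RF]\d|O\d+) - (?P<body>.*)$")
CWS_RES_RE = re.compile(r"res://[^ ]+\.dll/sp\.html", re.I)         # CWS about:blank search hijack
IP_URL_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}/", re.I)  # ActiveX cab pulled from a bare IP
DLL_ARG_RE = re.compile(r"\S+\.dll,\w+")                              # "internat.dll,LoadKeyboardProfile"
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)(?=\s|$)', re.I)         # first executable of a Run value
# Assumed lists; tune them for the machine in front of you.
SUSPICIOUS_DIRS = ("c:\\windows\\temp\\", "c:\\windows\\system\\services\\", "c:\\installer\\")
KNOWN_BARE = {"systray.exe", "mstask.exe", "loadqm.exe", "rundll32.exe"}  # Win9x starts these by bare name
TRUSTED_OK = {"register-tesco.qa.business.ntl.com"}                       # Trusted Zone entries the user made
BAD_CAB_WORDS = ("dialer", "funwebproducts")                              # adware/dialer markers in cab URLs

def _host(url):
    m = re.match(r"https?://([^/:]+)", url, re.I)
    return m.group(1).lower() if m else ""

def _zone(body):  # "Trusted Zone: *.example.com" or "Trusted Zone: http://host" -> bare host
    zone = body.split("Trusted Zone: ", 1)[1].strip()
    return _host(zone) or zone.lstrip("*.").lower()

def _check_o4(body):
    sep = "] " if "] " in body else ".lnk = "     # "[name] command" or "name.lnk = target"
    cmd = body.split(sep, 1)[1].strip() if sep in body else ""
    m = EXE_RE.match(cmd)
    if not m:
        return None
    exe = (m.group(1) or m.group(2)).lower()
    if any(d in exe for d in SUSPICIOUS_DIRS):
        return "autostart from a TEMP, SERVICES or installer directory"
    if "\\" not in exe and exe not in KNOWN_BARE:
        return "bare filename outside the known-good set (resolved through PATH)"
    if DLL_ARG_RE.search(cmd) and not exe.endswith("rundll32.exe"):
        return "rundll32-style 'dll,Function' argument but the host is not rundll32"
    return None

def _check_o16(body, hijacker_zones):
    url = body.rsplit(" - ", 1)[1].strip() if " - " in body else ""
    host = _host(url)
    if not url:
        return "DPF entry with no download URL"
    if IP_URL_RE.match(url):
        return "ActiveX cab served from a bare IP address"
    if any(host == z or host.endswith("." + z) for z in hijacker_zones):
        return "ActiveX cab from a domain the hijacker put in the Trusted Zone"
    if any(w in url.lower() for w in BAD_CAB_WORDS):
        return "download URL carries a known adware/dialer marker"
    return None

def triage(log_text):
    entries = [(m["kind"], m["body"]) for m in map(ENTRY_RE.match, log_text.splitlines()) if m]
    # Trusted Zone domains the user did not add: IE runs their ActiveX with relaxed settings.
    hijacker_zones = {_zone(b) for k, b in entries if k == "O15" and "Trusted Zone: " in b} - TRUSTED_OK
    findings = []
    for kind, body in entries:
        low, reason = body.lower(), None
        if kind in ("R0", "R1") and CWS_RES_RE.search(body):
            reason = "IE search/start page points into a res:// DLL (CWS about:blank variant)"
        elif kind == "R3" and "missing" in low:
            reason = "default URLSearchHook removed"
        elif kind == "F1":
            reason = "win.ini run=/load= autostart; almost never legitimate"
        elif kind == "O4":
            reason = _check_o4(body)
        elif kind == "O9" and ("(file missing)" in low or "(no file)" in low):
            reason = "toolbar button whose target is missing"
        elif kind == "O15" and "Trusted Zone: " in body and _zone(body) not in TRUSTED_OK:
            reason = "Trusted Zone entry not on the allow-list"
        elif kind == "O16":
            reason = _check_o16(body, hijacker_zones)
        if reason:
            findings.append(Finding(kind, f"{kind} - {body}", reason))
    return findings

# Constructed sample: lines excerpted (one URL abridged) from the first log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\habvs.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R3 - Default URLSearchHook is missing
F1 - win.ini: run=C:\WINDOWS\SYSTEM\SERVICES\MSXMIDI.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [9eck] C:\WINDOWS\TEMP\9ECK.EXE
O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\host32.exe internat.dll,LoadKeyboardProfile
O9 - Extra button: downloadsoftware - {C8950078-94A4-4C32-BB9C-4666357965AF} - C:\download10\index.htm (file missing)
O15 - Trusted Zone: http://register-tesco.qa.business.ntl.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/26bd83c04460bb613d06/netzip/RdxIE601.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie
O16 - DPF: {2C0F2AEA-3A9B-46DB-A7BE-80FF329E415D} (PremiumInternacional Class) - http://www.accesoplugin.com/dialercab/PPremiumInternacional.cab
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:74} <- {f.entry[:80]}")
```

Run it as-is to print the findings for the sample, or pass the text of a saved log to triage(). Two limits are worth knowing. Nothing here flags C:\WINDOWS\SYSTEM\CRZT32.EXE or updmgr.exe, because neither the path nor the name is suspicious on its own; that call (the one the helper made) needs a file hash lookup or prior knowledge of the family. And a quiet log is not a clean machine: the poster's second log below grows three new RunServices entries (MFCNA.EXE, CRKJ32.EXE, APIDE.EXE) after a reboot, so re-scan after every restart until two logs in a row agree.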
-
Thanks for that, guestolo. For someone to take the time to help out like that is just fantastic!
Couldn't find any of the .exe files you asked me to find and remove, but I had run various bits of anti-trojan/spyware software before I ran the HijackThis scan again, so maybe they got them.
Did everything else you asked, plus CWShredder plus the Lavasoft Trojan destroyer.
Here's the new HijackThis log. (Everything seems okay so far....!)
Logfile of HijackThis v1.98.2
Scan saved at 12:41:30, on 19/02/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4SS.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4GUI.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLSTAT.EXE
C:\PROGRAM FILES\BT VOYAGER 105 ADSL MODEM\DSLAGENT.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE
C:\WINDOWS\SYSTEM\HOST32.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
C:\PROGRAM FILES\GETRIGHT\GETRIGHT.EXE
C:\PROGRAM FILES\SAMSUNG\DIGIMAX VIEWER 2.0\STIMGBROWSER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\BT BROADBAND\HELP\BIN\MPBTN.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.Email Removed/
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_0_2_6.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Onscreen Display] C:\Program Files\Netropa\Onscreen Display\OSD.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [AttuneClientEngine] C:\PROGRA~1\AVEO\ATTUNE\bin\AttnEngn.exe
O4 - HKLM\..\Run: [AttuneSysTrayNotifier] C:\PROGRAM FILES\AVEO\ATTUNE\BIN\ATTNNOST.EXE
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O7 "EPUSB1:" /M "Stylus C44"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE"
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\host32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [KPF4] c:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O4 - HKLM\..\RunServices: [CRZT32.EXE] C:\WINDOWS\SYSTEM\CRZT32.EXE
O4 - HKLM\..\RunServices: [MFCNA.EXE] C:\WINDOWS\MFCNA.EXE
O4 - HKLM\..\RunServices: [CRKJ32.EXE] C:\WINDOWS\CRKJ32.EXE
O4 - HKLM\..\RunServices: [APIDE.EXE] C:\WINDOWS\SYSTEM\APIDE.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [NETZIP SMARTDOWNLOADER] C:\WINDOWS\SYSTEM\npnzdad.exe /t
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
O4 - Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Startup: Digimax Viewer 2.0.lnk = C:\Program Files\Samsung\Digimax Viewer 2.0\STImgBrowser.exe
O4 - Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0819.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0819.DLL
O9 - Extra button: downloadsoftware - {C8950078-94A4-4C32-BB9C-4666357965AF} - C:\download10\index.htm (file missing)
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPAVI32.DLL
O12 - Plugin for .ivr: C:\PROGRA~1\INTERN~1\PLUGINS\NPRVRT32.dll
O15 - Trusted Zone: http://register-tesco.qa.business.ntl.com
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {2CFB52FD-7CF2-479C-BF65-B27F8A834F31} (SecureSession Class) - http://www.samsungtechwin.com/include/pki/SecuiTechIE.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadband/MotivePreQual.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
Thanks again
Steve
-
Thought I was okay but spoke too soon
I still get a window appearing saying "preparing plug in"; it very quickly installs, and then when I check my desktop there's a shortcut to a sex site!
aarrrgghhhh!!!
-
Open HijackThis >>>>> Config >>>> Misc Tools >>>> DELETE A FILE ON REBOOT
Navigate to the files, right-click on them and select them
Do this for each one of these files. Don't restart your computer yet
Carry on with whatever you can find
C:\WINDOWS\SYSTEM\CRZT32.EXE <--this file
C:\WINDOWS\MFCNA.EXE <--file
C:\WINDOWS\CRKJ32.EXE <--file
C:\WINDOWS\SYSTEM\APIDE.EXE <--file
C:\WINDOWS\SYSTEM\HOST32.EXE <--file
Do another scan with HijackThis and put a check next to these entries, then FIX CHECKED AFTER ALL other windows are closed
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - (no file)
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\host32.exe internat.dll,LoadKeyboardProfile <--this is not legitimate
O4 - HKLM\..\RunServices: [CRZT32.EXE] C:\WINDOWS\SYSTEM\CRZT32.EXE
O4 - HKLM\..\RunServices: [MFCNA.EXE] C:\WINDOWS\MFCNA.EXE
O4 - HKLM\..\RunServices: [CRKJ32.EXE] C:\WINDOWS\CRKJ32.EXE
O4 - HKLM\..\RunServices: [APIDE.EXE] C:\WINDOWS\SYSTEM\APIDE.EXE
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
AFTER you have Fix Checked and closed HijackThis
Open About:Buster and run a scan; do it 2 times when prompted
RESTART your computer and run About:Buster one more time
Post back with a fresh HijackThis log and the About:Buster logs
-
Sorry, I missed this entry
You can have HijackThis fix it
That was me up above
O9 - Extra button: downloadsoftware - {C8950078-94A4-4C32-BB9C-4666357965AF} - C:\download10\index.htm (file missing)