TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Big Chudeezy on December 28, 2004, 02:10:07 AM
-
Hey there, people. I have a problem with some sort of hijacker that took over my desktop. Its name: Smart-Security. I've tried a whole bunch of things that do not seem to work, and they are as follows: Spybot S&D, BHODemon, CWShredder. Ad-Aware freezes in the middle of a scan, and I also have HijackThis but I don't know who to send the list that it gives me to. If someone could help me out I would appreciate it, thanks.
Thanks for helping me out with my problem.
Special thanks to Guestolo.
Below is the log.
Logfile of HijackThis v1.99.0
Scan saved at 9:56:03 PM, on 12/27/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ntservice.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\skeys.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\3DLman.exe
C:\WINDOWS\loadqm.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Winamp\winampa.exe
C:\windows\180solutions\saap.exe
C:\Program Files\Windows AdControl\WinAdCtl.exe
C:\Program Files\Windows AdControl\WinAdAlt.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\PROGRA~1\INTERN~1\iexplore.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\WINDOWS\System32\?hkntfs.exe
C:\Documents and Settings\Grace\Application Data\nrno.exe
C:\Program Files\MSAC-FD1\MSSTAT.EXE
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Install and set up stuff\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,SKEYS /I
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\WINDOWS\All Users\Application Data\Setup\Setup.dll (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6FF5472E-E243-0893-8552-66550C807538} - (no file)
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll (disabled by BHODemon)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll (disabled by BHODemon)
O2 - BHO: (no name) - {E67D0068-EFA9-C07F-DF8C-E4ABA80500E1} - C:\WINDOWS\SYSTEM32\lsxs.dll (disabled by BHODemon)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [3Dlabs Taskbar Display Manager] C:\WINDOWS\System32\3DLman.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Microsoft Netview] gesfm32.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [saap] c:\windows\180solutions\saap.exe
O4 - HKLM\..\Run: [qjch] C:\WINDOWS\qjch.exe
O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\RunServices: [Microsoft Netview] gesfm32.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [Jfnwp] C:\WINDOWS\System32\?hkntfs.exe
O4 - HKCU\..\Run: [Eota] C:\Documents and Settings\Grace\Application Data\nrno.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: Memory Stick Monitor.lnk = C:\Program Files\MSAC-FD1\MSSTAT.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .hpb: C:\Program Files\Internet Explorer\PLUGINS\nphpipb.dll
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 209.8.20.130
O15 - Trusted IP range: 209.8.20.130 (HKLM)
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: {0B72CCA4-5F11-11D0-9CB5-0000C0EC9FDB} (Street Technologies ActiveX Control Object) - http://streams.learn2.com/Local/plugins/Plugin5.0.0170/streetnoagent7.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=714b9e99bb1ec51fadc828f5983e23109b906c2b320d9f1b39ed54699be7e97f4caf42694383070009646062296ff92e68cfba8c:eb8a1fb09d00c5943edceabcca450006
O16 - DPF: {17163BB4-107E-11D4-9B76-006097DF2317} - http://Email Removedea.com/downloads/games/common/b...trap/iegils.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://stream10k.redhotnetworks.com/cabs/videox.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.30/Hiwire.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Ctp Class) - http://www.americangreetings.com/create/Install/AxCtp.cab
O16 - DPF: {4D9DF40A-AB69-11D4-893B-CA6A923DDD6E} - http://209.25.166.114/setup/install.cab
O16 - DPF: {8869786C-8E72-45DC-911D-AB3416AC1DF1} - http://www6.buttonware.net/canary_3.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - http://ftp.hp.com/pub/automatic/player/isetup.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {A5891628-B7A7-470D-B181-FA43C75A734B} - file://C:\WINDOWS\wdlall.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {E6A86FF2-AE57-11D3-B1F5-0010833427C9} - http://hpprintit.com/hpipb/pbsetup.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{441E8E4E-430E-4786-9343-3146D8189DCA}: NameServer = 64.136.20.121 64.136.28.121
O23 - Service: Application - Unknown - C:\WINDOWS\system32\ntservice.exe
O23 - Service: DefWatch - Unknown - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client - Unknown - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Remote Registry Service - Unknown - C:\WINDOWS\system32\regsvc.exe
O23 - Service: SerialKeys - Unknown - C:\WINDOWS\system32\skeys.exe
O23 - Service: Print Spooler - Unknown - C:\WINDOWS\system32\spoolsv.exe
O23 - Service: Windows Management Instrumentation - Unknown - C:\WINDOWS\System32\WBEM\WinMgmt.exe
O23 - Service: WMDM PMSP Service - Unknown - C:\WINDOWS\System32\mspmspsv.exe
-
Could you first download and save to Desktop
LSP fix; we may not need this, but we have it just in case you lose your Internet connection.
I can't see this happening, but we have a tool to fix it if it does happen: http://www.cexx.org/lspfix.htm
Are you running the latest version of Ad-Aware?
If not
Download and Install the free version of Ad-Aware SE Personal 1.05 (http://www.lavasoftusa.com/support/download/)
Ensure you have this version
If you don't have this version, install this one
Open Ad-Aware, ensure you click the check for updates now link and Connect to download the latest updates
Don't run a scan yet
Open HijackThis>>Open Misc Tools>>Open Process Manager
Kill these processes
C:\windows\180solutions\saap.exe
C:\Program Files\Windows AdControl\WinAdCtl.exe
C:\Program Files\Windows AdControl\WinAdAlt.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\WINDOWS\System32\?hkntfs.exe
C:\Documents and Settings\Grace\Application Data\nrno.exe
Please print the rest of this out or save it to a Notepad file on the desktop for easy access. I will need you to restart into Safe Mode and stay disconnected for part of this.
Do another scan with HijackThis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\WINDOWS\All Users\Application Data\Setup\Setup.dll (disabled by BHODemon)
O2 - BHO: (no name) - {6FF5472E-E243-0893-8552-66550C807538} - (no file)
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod.dll (disabled by BHODemon)
O2 - BHO: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll (disabled by BHODemon)
O2 - BHO: (no name) - {E67D0068-EFA9-C07F-DF8C-E4ABA80500E1} - C:\WINDOWS\SYSTEM32\lsxs.dll (disabled by BHODemon)
O4 - HKLM\..\Run: [Microsoft Netview] gesfm32.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [saap] c:\windows\180solutions\saap.exe
O4 - HKLM\..\Run: [qjch] C:\WINDOWS\qjch.exe
O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM\..\RunServices: [Microsoft Netview] gesfm32.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [Jfnwp] C:\WINDOWS\System32\?hkntfs.exe
O4 - HKCU\..\Run: [Eota] C:\Documents and Settings\Grace\Application Data\nrno.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 209.8.20.130
O15 - Trusted IP range: 209.8.20.130 (HKLM)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...edceabcca450006
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://stream10k.redhotnetworks.com/cabs/videox.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowse...5.30/Hiwire.cab
O16 - DPF: {4D9DF40A-AB69-11D4-893B-CA6A923DDD6E} - http://209.25.166.114/setup/install.cab
O16 - DPF: {8869786C-8E72-45DC-911D-AB3416AC1DF1} - http://www6.buttonware.net/canary_3.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
After you have ticked the above entries, close all other open windows, including this one
Leave HijackThis open and click FIX CHECKED
YES and exit HijackThis
Go to START>>RUN>>Type in regedit and hit OK
Expand (+) each of these in the registry
+HKEY_CURRENT_USER
+Software
+Microsoft
+Internet Explorer
+Desktop
+Components
Still on the left hand side, locate and delete the subkey:
0
Close Registry Editor.
RESTART your computer into Safe Mode
You can do this by repeatedly tapping the F8 key on the keyboard when the system is booting up
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Access your Add/Remove Programs and Remove if found
180solutions
NCase
DealHelper
Web Offer
Windows AdControl
Stay in safe mode
Find and delete these files or folders if they exist
C:\WINDOWS\bxxs5.dll <--file
C:\WINDOWS\All Users\Application Data\Setup\Setup.dll <--file
C:\WINDOWS\questmod.dll <--file
C:\WINDOWS\dealhlpr.dll <--file
C:\WINDOWS\SYSTEM32\lsxs.dll <--file
C:\WINDOWS\qjch.exe
C:\Documents and Settings\Grace\Application Data\nrno.exe
C:\WINDOWS\System32\?hkntfs.exe <--file, exact name, don't delete anything because it looks similar
gesfm32.exe <--do a search for this one
C:\PROGRA~1\Web Offer <--folder
C:\Program Files\Windows AdControl <--folder
c:\windows\180solutions <--folder
Do a search for the files listed below and delete them if they exist
One desktop.html may also be in your Web folder
• %Windows%\desktop.html
• %Windows%\SSICO.ICO
• %Root%\Documents and Settings\<current user>\Desktop\! Protect Your Data.url
• %Root%\Documents and Settings\<current user>\Favorites\! Smart Security.url
• %Root%\Documents and Settings\<current user>\Recent\! Smart Security.url
• %Root%\Documents and Settings\<current user>\Start Menu\! Secure Yourself.url
Navigate to your Temp folders and delete the Whole contents, or whatever you can, but DON'T delete the Temp directories themselves
# C:\Windows\Temp\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
Stay in safe mode
Open Ad-Aware
Perform a Full system scan. Before scanning, uncheck Search for Negligible Risk Entries
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
Click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART back into Normal Mode
If you lose Internet connection (I don't foresee this happening, but just in case)
Open LSP fix and click the Finish button and Restart your computer
If still no joy
Open LSP fix and let me know what is in the KEEP side and the REMOVE side
I'm not trying to worry you, I just want you to have this for your information
This will probably not be needed
I also recommend that you do an Online Virus scan at Trend Micro's Housecall
Set to Autoclean
http://housecall.trendmicro.com/
Post back a fresh Hijackthis log afterwards
Could you also let me know who your Internet Provider is
We may not get it all this time, but we should rid you of Smart-Security and other Malware
We should be able to get it all next time
:D
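The reply above picks its entries out by eye: IE pages pointed at a bare IP address, search settings reset to about:blank, a BHO whose DLL is gone, Run entries launching from a user's Application Data folder or carrying an unprintable character, every Trusted Zone addition, and ActiveX (DPF) controls pulled from an IP address or a file:// source. What follows is an added example, written for this thread and not part of HijackThis or of either post, that applies those same checks to a log mechanically so a helper can see the candidates before reading line by line. The entry formats are those of the log posted above; the heuristics, function names and severity choices are this example's own, and the sample lines are a fixture assembled from entries in the thread's log plus a few clean ones for contrast.

```python
"""Triage a HijackThis-style log for the entry classes the thread's helper
ticked. Added example for this forum thread; not HijackThis code, and the
heuristics below are this example's own, modelled on what the reply fixed."""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed fixture: entries copied from the log in the thread above,
# plus three clean entries (Yahoo start page, Google BHO, Symantec tray,
# Google ActiveX) so the checks have something to leave alone.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
O2 - BHO: (no name) - {6FF5472E-E243-0893-8552-66550C807538} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [Jfnwp] C:\WINDOWS\System32\?hkntfs.exe
O4 - HKCU\..\Run: [Eota] C:\Documents and Settings\Grace\Application Data\nrno.exe
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 209.8.20.130
O16 - DPF: {4D9DF40A-AB69-11D4-893B-CA6A923DDD6E} - http://209.25.166.114/setup/install.cab
O16 - DPF: {A5891628-B7A7-470D-B181-FA43C75A734B} - file://C:\WINDOWS\wdlall.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")
# O4 body shape: HKLM\..\Run: [Name] command line
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def _host(url):
    """Hostname of a URL, or '' when there is none (about:blank, junk)."""
    try:
        return urlparse(url).hostname or ""
    except ValueError:
        return ""


def _is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_r(body):
    """R0/R1: IE start/search/local pages pointed somewhere suspicious."""
    if " = " not in body:
        return None
    key, value = body.split(" = ", 1)
    setting = key.rsplit(",", 1)[-1]
    host = _host(value)
    if _is_ip(host):
        return f"{setting} points at a bare IP address ({host})"
    if value.strip().lower() == "about:blank" and "search" in key.lower():
        return f"{setting} reset to about:blank (search setting blanked out)"
    return None


def check_o2(body):
    """O2: a BHO CLSID still registered although its DLL is gone."""
    if body.rstrip().endswith("(no file)"):
        return "BHO registered but its DLL is missing (orphaned entry)"
    return None


def check_o4(body):
    """O4: autostart entries with the shapes the reply singled out."""
    m = RUN_RE.match(body)
    if not m:
        return None  # Startup-folder shortcuts are not covered here
    cmd = m.group("cmd")
    if "?" in cmd:
        return "Run entry path contains an unprintable character shown as '?'"
    if re.search(r"\\Application Data\\[^\\]+\.exe\b", cmd, re.I):
        return "Run entry launches an executable from a user's Application Data folder"
    return None


def check_o15(body):
    """O15: every Trusted Zone / Trusted IP addition is worth a look."""
    return f"Trusted Zone/IP entry: {body.split(':', 1)[-1].strip()}"


def check_o16(body):
    """O16: ActiveX controls installed from an IP literal or a local file."""
    url = body.rsplit(" - ", 1)[-1].strip()
    if url.lower().startswith("file:"):
        return "ActiveX control registered from a local file:// source"
    host = _host(url)
    if _is_ip(host):
        return f"ActiveX control downloaded from a bare IP address ({host})"
    return None


CHECKS = {"R0": check_r, "R1": check_r, "O2": check_o2,
          "O4": check_o4, "O15": check_o15, "O16": check_o16}


def triage(log_text):
    """Return one finding dict per flagged entry, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        check = CHECKS.get(m.group("sec"))
        reason = check(m.group("body")) if check else None
        if reason:
            findings.append({"section": m.group("sec"), "reason": reason, "line": line})
    return findings


def sections_flagged(findings):
    """Count findings per HijackThis section, e.g. {'O15': 2, ...}."""
    counts = {}
    for f in findings:
        counts[f["section"]] = counts.get(f["section"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
```

Run as a script it prints nine findings from the fixture and skips the Yahoo start page, the Google BHO, the Symantec tray entry and the Google ActiveX control. The output is a shortlist, not a verdict: O15 entries are flagged unconditionally because the reply removed every one of them, while O4 only flags the two shapes the reply called out, so a bare filename such as gesfm32.exe still needs the search the reply asks for.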