TheTechGuide Forum

General Category => Tech Clinic => Topic started by: boca1 on March 08, 2005, 06:14:46 AM

Title: Ooops! WebsiteViewer On my Works PC.
Post by: boca1 on March 08, 2005, 06:14:46 AM

Ok... After searching for a few days, I've realised that one of you might be able to help me with my Problem, before I get into trouble at work. I've prepared a Hijack This Log file:

Logfile of HijackThis v1.99.1
Scan saved at 11:50:32, on 08.03.2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\NavNT\defwatch.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Funk Software\Proxy Host\PHOST32.EXE
C:\Programme\Funk Software\Proxy Host\PH32SVC.EXE
C:\Programme\NavNT\vptray.exe
C:\Programme\Microsoft AntiSpyware\gcasServ.exe
C:\Programme\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\m?hta.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/ (http://\"http://www.google.de/\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/ (http://\"http://www.google.de/\")
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/ (http://\"http://windowsupdate.microsoft.com/\")
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5A678F33-6CA3-6022-83AB-6034E720B4B2} - C:\WINDOWS\System32\tnbavqc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ProxyHostTrayIcon] "C:\Programme\Funk Software\Proxy Host\PHOST32.EXE" -s
O4 - HKLM\..\Run: [vptray] C:\Programme\NavNT\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programme\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe (http://\"http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/de/win/QuickTimeFullInstaller.exe\")
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab (http://\"http://www.pandasoftware.com/activescan/as5/asinst.cab\")
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/de/check/qdiagh.cab?316 (http://\"http://h30043.www3.hp.com/aio/de/check/qdiagh.cab?316\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{35410AC9-4E8B-41AF-BD53-B80E1333458A}: NameServer = 213.148.129.10,213.148.130.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{8AB7B4E3-63B6-4847-887B-F69210DC1655}: NameServer = 192.168.122.252,192.168.122.253
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Programme\NavNT\defwatch.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Programme\NavNT\rtvscan.exe
O23 - Service: Proxy Host Service (ProxyHostService) - Funk Software, Inc. - C:\Programme\Funk Software\Proxy Host\PH32SVC.EXE

Title: Ooops! WebsiteViewer On my Works PC.
Post by: guestolo on March 10, 2005, 01:26:11 AM

It's really tough to say what may be wrong with your log
You appear to be controlling startup entries with MSCONFIG, possibly hiding malicious activity

Do another scan with Hijackthis and put a check next to these entries:

O2 - BHO: (no name) - {5A678F33-6CA3-6022-83AB-6034E720B4B2} - C:\WINDOWS\System32\tnbavqc.dll

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart your computer

Next

Go to START>>RUN>>Type in msconfig
Hit OK
Select Normal Startup
Apply and close, restart may not be needed

Post a fresh Hijackthis log

===Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad, not including the word quote
In Notepad click FILE>>SAVE AS

Name the file as Export.bat

Quote

dir C:\WINDOWS\system32\m?hta.exe /a h > files.txt
notepad files.txt

Save this file on the desktop
Double click on Export.bat and copy the contents back of the log that appears

Title: Ooops! WebsiteViewer On my Works PC.
Post by: boca1 on March 10, 2005, 05:20:57 AM

Hi guestolo!

Thanks for your help so far. I hope I did everything right.
As you might have noticed, my system is in German. If you need anything translated, let me know.

Here the results so far:

Logfile of HijackThis v1.99.1
Scan saved at 10:53:36, on 10.03.2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\NavNT\defwatch.exe
C:\Programme\Funk Software\Proxy Host\PHOST32.EXE
C:\Programme\NavNT\vptray.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\Microsoft AntiSpyware\gcasServ.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
C:\Programme\FRITZ!DSL\Awatch.exe
C:\Programme\NavNT\rtvscan.exe
C:\Programme\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
C:\Programme\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Funk Software\Proxy Host\PH32SVC.EXE
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Programme\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Programme\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\wuauclt.exe
C:\DOKUME~1\Klaus\LOKALE~1\Temp\sa3.tmp.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/ (http://\"http://www.google.de/\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/ (http://\"http://www.google.de/\")
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/ (http://\"http://windowsupdate.microsoft.com/\")
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ProxyHostTrayIcon] "C:\Programme\Funk Software\Proxy Host\PHOST32.EXE" -s
O4 - HKLM\..\Run: [vptray] C:\Programme\NavNT\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programme\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [AWatch] C:\Programme\FRITZ!DSL\Awatch.exe
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Programme\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe (http://\"http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/de/win/QuickTimeFullInstaller.exe\")
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab (http://\"http://www.pandasoftware.com/activescan/as5/asinst.cab\")
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/de/check/qdiagh.cab?316 (http://\"http://h30043.www3.hp.com/aio/de/check/qdiagh.cab?316\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{35410AC9-4E8B-41AF-BD53-B80E1333458A}: NameServer = 213.148.129.10,213.148.130.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{8AB7B4E3-63B6-4847-887B-F69210DC1655}: NameServer = 192.168.122.252,192.168.122.253
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Programme\NavNT\defwatch.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Programme\NavNT\rtvscan.exe
O23 - Service: Proxy Host Service (ProxyHostService) - Funk Software, Inc. - C:\Programme\Funk Software\Proxy Host\PH32SVC.EXE


And :

 Datentr„ger in Laufwerk C: ist Windows
 Volumeseriennummer: 38D5-9C68

 Verzeichnis von C:\WINDOWS\system32

18.08.2001  13:00            24.064 mshta.exe
01.02.2005  15:36           413.696 m?hta.exe

 Verzeichnis von C:\WINDOWS\system32

               2 Datei(en)        437.760 Bytes
               0 Verzeichnis(se),    744.185.856 Bytes frei

Title: Ooops! WebsiteViewer On my Works PC.
Post by: guestolo on March 10, 2005, 07:51:20 PM

Download and Install this small program
to help clean your temp folders,cookies,prefetch folder, etc...
Windows Cleanup (http://\"http://www.antispyware.nextdesigns.net/installs/cleanup.php?type=exe\")
Don't run it yet

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

RESTART your Computer in SAFE MODE (http://\"http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4\")

Navigate too, and look for and delete this file
C:\WINDOWS\system32\m?hta.exe <--this file

Careful, you may not see the ? mark and it may disguise as a legit file
As you can see in this log
18.08.2001 13:00 24.064 mshta.exe
01.02.2005 15:36 413.696 m?hta.exe

The bad guy is about 413 kb in size and creation date 01.02.2005
Make sure you Right click on the file and left click properties and check out the size and date

Afterwards
Stay in safe mode
Open Windows CleanUp>>START>>All programs>>Cleanup
Click on the CleanUp button, let it finish scanning for files
When it's done
Restart back to Normal mode

Post back a fresh Hijackthis log afterwards

Title: Ooops! WebsiteViewer On my Works PC.
Post by: boca1 on March 11, 2005, 05:14:14 AM

Ok! Followed all Instructions. By the Way: I have to run a scan with Microsoft AntiSpyware everytime i reboot. Because it keeps on warning me that Unclassified.Spyware.41 is trying to install. I hope this doesn't affect what we are doing here.

Here my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:49:27, on 11.03.2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\NavNT\defwatch.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\NavNT\rtvscan.exe
C:\Programme\Funk Software\Proxy Host\PHOST32.EXE
C:\Programme\NavNT\vptray.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Microsoft AntiSpyware\gcasServ.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
C:\Programme\FRITZ!DSL\Awatch.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
C:\Programme\Microsoft AntiSpyware\gcasDtServ.exe
C:\Programme\Funk Software\Proxy Host\PH32SVC.EXE
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Programme\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Programme\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe
C:\DOKUME~1\Klaus\LOKALE~1\Temp\sa1.tmp.exe
C:\Programme\Microsoft AntiSpyware\gcasServAlert.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/ (http://\"http://www.google.de/\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/ (http://\"http://www.google.de/\")
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/ (http://\"http://windowsupdate.microsoft.com/\")
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ProxyHostTrayIcon] "C:\Programme\Funk Software\Proxy Host\PHOST32.EXE" -s
O4 - HKLM\..\Run: [vptray] C:\Programme\NavNT\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programme\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [AWatch] C:\Programme\FRITZ!DSL\Awatch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe"  -osboot
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Programme\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/101ef60e7f20c3...RdxIE601_de.cab (http://\"http://software-dl.real.com/101ef60e7f20c376d806/netzip/RdxIE601_de.cab\")
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe (http://\"http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/de/win/QuickTimeFullInstaller.exe\")
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab (http://\"http://www.pandasoftware.com/activescan/as5/asinst.cab\")
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/de/check/qdiagh.cab?316 (http://\"http://h30043.www3.hp.com/aio/de/check/qdiagh.cab?316\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{35410AC9-4E8B-41AF-BD53-B80E1333458A}: NameServer = 213.148.129.10,213.148.130.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{8AB7B4E3-63B6-4847-887B-F69210DC1655}: NameServer = 192.168.122.252,192.168.122.253
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Programme\NavNT\defwatch.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Programme\NavNT\rtvscan.exe
O23 - Service: Proxy Host Service (ProxyHostService) - Funk Software, Inc. - C:\Programme\Funk Software\Proxy Host\PH32SVC.EXE

Title: Ooops! WebsiteViewer On my Works PC.
Post by: guestolo on March 12, 2005, 03:08:01 AM

I'm really curious if you actually installed Window CleanUp! and restarted into Safe mode and ran it

Can you do me a favor please
Open Windows CleanUp!
Click on Oh My God
Let me know product number

Title: Ooops! WebsiteViewer On my Works PC.
Post by: boca1 on March 12, 2005, 03:17:53 AM

I did install it and run it in safe mode. What do you mean by : Click on Oh My God?
I can click on: Clean Up!, Close, Options, Register, Help.

Title: Ooops! WebsiteViewer On my Works PC.
Post by: guestolo on March 12, 2005, 03:21:50 AM

Don't worry about the above reply if you installed Windows CleanUp!

Reboot directly into safe mode and run Windows CleanUp on more time

Post back a fresh Hijackthis log afterwards

EDIT>>Do you know what this is related too
C:\DOKUME~1\Klaus\LOKALE~1\Temp\sa3.tmp.exe

Title: Ooops! WebsiteViewer On my Works PC.
Post by: boca1 on March 12, 2005, 03:34:09 AM

Here it is:

Logfile of HijackThis v1.99.1
Scan saved at 09:32:01, on 12.03.2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\NavNT\defwatch.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\NavNT\rtvscan.exe
C:\Programme\Funk Software\Proxy Host\PHOST32.EXE
C:\Programme\NavNT\vptray.exe
C:\Programme\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
C:\Programme\FRITZ!DSL\Awatch.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
C:\Programme\Microsoft AntiSpyware\gcasDtServ.exe
C:\Programme\Funk Software\Proxy Host\PH32SVC.EXE
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Programme\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Programme\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/ (http://\"http://www.google.de/\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/ (http://\"http://www.google.de/\")
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/ (http://\"http://windowsupdate.microsoft.com/\")
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ProxyHostTrayIcon] "C:\Programme\Funk Software\Proxy Host\PHOST32.EXE" -s
O4 - HKLM\..\Run: [vptray] C:\Programme\NavNT\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programme\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [AWatch] C:\Programme\FRITZ!DSL\Awatch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe"  -osboot
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Programme\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/101ef60e7f20c3...RdxIE601_de.cab (http://\"http://software-dl.real.com/101ef60e7f20c376d806/netzip/RdxIE601_de.cab\")
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe (http://\"http://appldnld.m7z.net/qtinstall.info.apple.com/pthalo/de/win/QuickTimeFullInstaller.exe\")
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab (http://\"http://www.pandasoftware.com/activescan/as5/asinst.cab\")
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/de/check/qdiagh.cab?316 (http://\"http://h30043.www3.hp.com/aio/de/check/qdiagh.cab?316\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{35410AC9-4E8B-41AF-BD53-B80E1333458A}: NameServer = 213.148.129.10,213.148.130.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{8AB7B4E3-63B6-4847-887B-F69210DC1655}: NameServer = 192.168.122.252,192.168.122.253
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Programme\NavNT\defwatch.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Programme\NavNT\rtvscan.exe
O23 - Service: Proxy Host Service (ProxyHostService) - Funk Software, Inc. - C:\Programme\Funk Software\Proxy Host\PH32SVC.EXE

Title: Ooops! WebsiteViewer On my Works PC.
Post by: guestolo on March 12, 2005, 03:39:05 AM

Do another scan with Hijackthis and put a check next to these entries:

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/101ef60e7f20c3...RdxIE601_de.cab (http://\"http://software-dl.real.com/101ef60e7f20c3...RdxIE601_de.cab\")
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe (http://\"http://appldnld.m7z.net/qtinstall.info.app...llInstaller.exe\")

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart your computer

How's everything running?

Why so far behind on Window Updates? this is important on keeping your system secure

Title: Ooops! WebsiteViewer On my Works PC.
Post by: boca1 on March 12, 2005, 03:52:40 AM

Unfortunately still the same. I did exactly as you said. When I start up a shortcut ´'sex' creates itself on my desktop. Then a pop-up says: Please wait while we prepare plugin. A Sex-Website opens.

Title: Ooops! WebsiteViewer On my Works PC.
Post by: guestolo on March 12, 2005, 04:56:06 PM

Can you try a couple things for me please

Please download Remv3.zip and UNZIP the folder inside to Desktop
[attachment=60:attachment]
Ensure you unzip the contents, this won't work if left within the zipped archive

Can you
Download and save
HSFIX.zip (http://\"http://www.atribune.org/downloads/HSFix.zip\")
Unzip the contents of HSFix.zip and an HSFix directory will be created

Please print this out or save to a Notepad file on the desktop

Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Important>>Restart your computer into safe mode

Navigate to the HSFix directory and double-click on HSFix.bat.
* It will produce a log file, located here: C:\hslog.txt. <--we'll need this later

Open the Remv3 folder you unzipped earlier and Double click on Remv3.bat
Let it finish, it will produce a log, we'll need this later


Restart back to Normal mode

Can I see a fresh Hijackthis log please
Let me see it before you attempt too close any running processes if you have in the past, thanks

Also post this log
C:\log.txt <--this log

And this one
C:\hslog.txt <--this log

Title: Ooops! WebsiteViewer On my Works PC.
Post by: boca1 on March 14, 2005, 07:55:11 AM

Sorry about the delay. I am only at this machine during working hours.
Here the logs:

Logfile of HijackThis v1.99.1
Scan saved at 13:43:13, on 14.03.2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\NavNT\defwatch.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\NavNT\rtvscan.exe
C:\Programme\Funk Software\Proxy Host\PHOST32.EXE
C:\Programme\NavNT\vptray.exe
C:\Programme\Microsoft AntiSpyware\gcasServ.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
C:\Programme\FRITZ!DSL\Awatch.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
C:\Programme\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Funk Software\Proxy Host\PH32SVC.EXE
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Programme\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Programme\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\WebSiteViewer\127035.dlr
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/ (http://\"http://www.google.de/\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/ (http://\"http://www.google.de/\")
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/ (http://\"http://windowsupdate.microsoft.com/\")
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ProxyHostTrayIcon] "C:\Programme\Funk Software\Proxy Host\PHOST32.EXE" -s
O4 - HKLM\..\Run: [vptray] C:\Programme\NavNT\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programme\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [AWatch] C:\Programme\FRITZ!DSL\Awatch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe"  -osboot
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Programme\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab (http://\"http://www.pandasoftware.com/activescan/as5/asinst.cab\")
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/de/check/qdiagh.cab?316 (http://\"http://h30043.www3.hp.com/aio/de/check/qdiagh.cab?316\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{35410AC9-4E8B-41AF-BD53-B80E1333458A}: NameServer = 213.148.129.10,213.148.130.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{8AB7B4E3-63B6-4847-887B-F69210DC1655}: NameServer = 192.168.122.252,192.168.122.253
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Programme\NavNT\defwatch.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Programme\NavNT\rtvscan.exe
O23 - Service: Proxy Host Service (ProxyHostService) - Funk Software, Inc. - C:\Programme\Funk Software\Proxy Host\PH32SVC.EXE


AND:



Files Found.................
----------------------------------------

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------
 
 
Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
 Datentr„ger in Laufwerk C: ist Windows
 Volumeseriennummer: 38D5-9C68

 Verzeichnis von C:\WINDOWS\system32

msi.dll
Finished


AND:

 
Horseserver Removal Tool v1.05
      by Atri
-
-
1. Registry Fix Started
-
   Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
WebSiteViewer
w32tm.exe
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
-

Title: Ooops! WebsiteViewer On my Works PC.
Post by: boca1 on March 14, 2005, 10:38:03 AM

By the Way: Does this eScan log help you in any way?

File C:\WINDOWS\ibs.exe infected by "not-a-virus:Porn-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\shch.exe infected by "Backdoor.Win32.Webdor.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\cyzuut.exe infected by "not-a-virus:Porn-Downloader.Win32.TibSystems" Virus. Action Taken: No Action Taken.

Title: Ooops! WebsiteViewer On my Works PC.
Post by: guestolo on March 14, 2005, 08:24:48 PM

Let's try the following
This is not completely necessary to have this reg fix, but let's run it just in case
HSFix should remove this entry
===Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad, not including the word quote
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop, well need this later, don't run it yet

 

Quote

REGEDIT4

[-HKEY_CURRENT_USER\Software\WebSiteViewer]

Restart into safe mode

Find and delete these files or folders

C:\WINDOWS\ibs.exe <-file
C:\WINDOWS\shch.exe <-file
C:\WINDOWS\System32\cyzuut.exe <-file
C:\misb.exe <--file, if found

C:\Programme\WebSiteViewer <--folder
Also look for the next folder and delete it if found
C:\WINDOWS\System32\Cache <--this folder, exact location If found, delete the Cache folder

Look for any of these files and delete them
you may want to do a search for the bolded files too
C:\Documents and Settings\YOUR USER\desktop\sexcam.lnk <--file
C:\Documents and Settings\YOUR USER\start menu\sexcam.lnk <--file

Also check other user accounts including All Users account

Run Windows CleanUp! again>>Don't log off or restart after it is finished running

Double click on Fix.reg and allow to merge to the registry

Run HSFix.bat again

Restart back to Normal mode

Post back a fresh Hijackthis log

Title: Ooops! WebsiteViewer On my Works PC.
Post by: boca1 on March 15, 2005, 05:46:16 AM

Ok...here we go! This is the first time that the Pc started without abnormalities. Here the Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:40:43, on 15.03.2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\NavNT\defwatch.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Funk Software\Proxy Host\PH32SVC.EXE
C:\Programme\Funk Software\Proxy Host\PHOST32.EXE
C:\Programme\NavNT\vptray.exe
C:\Programme\Microsoft AntiSpyware\gcasServ.exe
C:\Programme\QuickTime\qttask.exe
C:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
C:\Programme\FRITZ!DSL\Awatch.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
C:\Programme\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programme\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Programme\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZENG04.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/ (http://\"http://www.google.de/\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/ (http://\"http://www.google.de/\")
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/ (http://\"http://windowsupdate.microsoft.com/\")
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ProxyHostTrayIcon] "C:\Programme\Funk Software\Proxy Host\PHOST32.EXE" -s
O4 - HKLM\..\Run: [vptray] C:\Programme\NavNT\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programme\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [AWatch] C:\Programme\FRITZ!DSL\Awatch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe"  -osboot
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Programme\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O8 - Extra context menu item: &Google Search - res://C:\Programme\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://C:\Programme\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://C:\Programme\Google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab (http://\"http://www.pandasoftware.com/activescan/as5/asinst.cab\")
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/de/check/qdiagh.cab?316 (http://\"http://h30043.www3.hp.com/aio/de/check/qdiagh.cab?316\")
O17 - HKLM\System\CCS\Services\Tcpip\..\{35410AC9-4E8B-41AF-BD53-B80E1333458A}: NameServer = 213.148.129.10,213.148.130.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{8AB7B4E3-63B6-4847-887B-F69210DC1655}: NameServer = 192.168.122.252,192.168.122.253
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Programme\NavNT\defwatch.exe
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Programme\Gemeinsame Dateien\AVM\de_serv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Programme\NavNT\rtvscan.exe
O23 - Service: Proxy Host Service (ProxyHostService) - Funk Software, Inc. - C:\Programme\Funk Software\Proxy Host\PH32SVC.EXE

Title: Ooops! WebsiteViewer On my Works PC.
Post by: Guest on March 15, 2005, 06:26:32 AM

I have the same program and I also play mmorpg's. Unfortunately it really slows my games down. I turn it off wait about 30 seconds and BAM it opens itself back up again. Could anyone help me out?