Post by: Daniel Eyster on June 21, 2005, 12:46:39 PM
Post by: Daniel Eyster on June 21, 2005, 12:50:51 PM
Logfile of HijackThis v1.99.1
Scan saved at 1:49:19 PM, on 6/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Classic PhoneTools\CapFax.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\OpenOffice.org1.1.2\program\soffice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\zstatus.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Daniel's\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.sprint.earthlink.net/ (http://\"http://start.sprint.earthlink.net/\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\salmhook.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [hp 1000 firmware] C:\Program Files\hp LaserJet 1000\fwdl.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: OpenOffice.org 1.1.2.lnk = C:\Program Files\OpenOffice.org1.1.2\program\quickstart.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Sprint DSL virtual assistant.lnk = C:\Program Files\Sprint DSL virtual assistant\bin\matcli.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Any help is greatly appreciated.
Post by: Noblec on June 21, 2005, 06:40:15 PM
Help please!!
Post by: Christopher on June 25, 2005, 07:19:54 AM
Has anyone came up with a solution? Please e-mail me at elitephtgraphyEmail Removed if you find a solution to deleting it.
I can not use ctrl + alt + delete either. Thanks.
Post by: Exidez on June 25, 2005, 10:09:37 AM
to get to regedit type regedit.exe
if you just type regedit it will load the worms regedit.com file!
i dont know how to get rid of it though
it keeps comming up!
Post by: Guest_Tim_* on June 26, 2005, 08:41:30 AM
Next question... How to get TaskMgr.Exe back.
If you recently installed the service packs, you should have a folder on your system titled C:\WINDOWS\ServicePackFiles\i386 that will have fresh copies of the infected EXE files contained within.
Just copy the TaskMgr.EXE etc., etc., etc. files to their respective directory locations and viola... Ctrl+Alt+Del works again.
Post by: Guest on June 26, 2005, 10:08:04 PM
Post by: guestolo on June 26, 2005, 10:50:20 PM
All others start your own post please
and post your own Hijackthis log
Follow these instructions (http://\"http://www.thetechguide.com/forum/index.php?showtopic=14623\")
Sorry for the delay Daniel Eyster
One requirement I ask, if your going to post a hijackthis log
Can you please register to the forum
It's a free and simple process
After you have done that
Can you come back to this thread and post a fresh hijackthis log
Additionally
Open Hijackthis>>Open Misc tools section>>>Open Uninstall Manager
Click the SAVE LIST button
Save the list to desktop
Copy and paste back the whole contents of this list too
Thanks
/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />
Post by: Bighead6365 on June 26, 2005, 11:29:21 PM
Boot Computer in Safe Mode(you will find you can open task manager)
click Start/Run and type services.msc and click OK. Look for the service:
dlbtcoms.exe
Doubleclick it, click Stop if it's running, and change the Startup type to Disabled.
this should allow you to open task manager but I still havn't found a way to remove the ping.com, and all that.
Post by: guestolo on June 26, 2005, 11:51:09 PM
Any others with similiar problems
Please start your own post and include a Hijackthis log
Please, Read this (http://\"http://www.thetechguide.com/forum/index.php?showtopic=14623\")