TheTechGuide Forum
General Category => Tech Clinic => Topic started by: dillinga on August 21, 2005, 09:59:33 PM
-
Thank you so much for helping me rid my computer of nasties. I'm infested with all kinds of pop-ups and spyware; your help is much appreciated.
Best of luck
Alex
Logfile of HijackThis v1.99.1
Scan saved at 03:45:48, on 22/08/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\cfy.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\COMMON~1\ziko\zikom.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\PROGRA~1\ezula\mmod.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\COMMON~1\ziko\zikoa.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Home\LOCALS~1\Temp\Rar$EX01.453\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchforit.com/searchbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchforit.com/searchbar
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchforit.com/searchbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchforit.com/searchbar
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchforit.com/searchbar
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchforit.com/searchbar
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ntlworld.com/start
F2 - REG:system.ini: Shell=Explorer.exe vajcmwjabbgh.exe
F3 - REG:win.ini: run=xhqc.exe, icbiqsc.exe, fnnwejjoami.exe, twhjx.exe, vngfpodyey.exe, kjlmr.exe, firvf.exe, gloxsuuy.exe, lqkq.exe, tdmhe.exe, dijhfcnkbcd.exe, horlqst.exe, vhurs.exe, iqbfkxp.exe, pleuliyoob.exe, itesrx.exe, gjcufa.exe, avptu.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Zsneswip42] vajcmwjabbgh.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Zsneswip42] vajcmwjabbgh.exe
O4 - HKLM\..\RunServices: [] vajcmwjabbgh.exe
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [cfy] C:\WINDOWS\cfy.exe
O4 - HKCU\..\Run: [ziko] C:\PROGRA~1\COMMON~1\ziko\zikom.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\System32\shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.co.uk
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...od/install.html
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://www.easports.com/downloads/games/common/ieell.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109813264829
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
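A small triage script over the log above, added here as an example and not part of the original post or of HijackThis itself: it parses a few of the posted lines and flags the patterns a helper looks for (a search page pointing at an unfamiliar host, an extra program after Shell=, anything listed in win.ini run=, and Run entries that name a bare file with no path). The allowlist of approved hosts is an assumption for the example.

```python
import re
from urllib.parse import urlparse

# Hosts the owner actually uses; an assumption for this example, not taken from the log.
APPROVED_HOSTS = {"www.ntlworld.com", "www.freeserve.co.uk"}

# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchforit.com/searchbar
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/broadband
F2 - REG:system.ini: Shell=Explorer.exe vajcmwjabbgh.exe
F3 - REG:win.ini: run=xhqc.exe, icbiqsc.exe, fnnwejjoami.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\RunServices: [Zsneswip42] vajcmwjabbgh.exe
O4 - HKCU\..\Run: [cfy] C:\WINDOWS\cfy.exe
"""

def triage(log_text):
    """Return (reason, entry) pairs for log entries a helper would question."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]
        if kind in ("R0", "R1"):
            # Start/search page settings: flag any host outside the allowlist.
            m = re.search(r"=\s*(\S+)", line)
            if m and urlparse(m.group(1)).hostname not in APPROVED_HOSTS:
                findings.append(("browser setting points at unapproved host", line))
        elif kind == "F2" and "Shell=" in line:
            # system.ini Shell= should name Explorer.exe and nothing else.
            extras = [t for t in line.split("Shell=", 1)[1].split()
                      if t.lower() != "explorer.exe"]
            if extras:
                findings.append(("extra program after Shell=: " + " ".join(extras), line))
        elif kind == "F3" and "run=" in line:
            # win.ini run= is normally empty; everything listed starts at logon.
            for exe in line.split("run=", 1)[1].split(","):
                findings.append(("win.ini run= autostart", exe.strip()))
        elif kind == "O4" and "] " in line:
            # Run/RunServices values should carry a full path; a bare name is
            # resolved through PATH and hides where the file lives.  (A full
            # path is not proof of legitimacy: C:\WINDOWS\cfy.exe passes here.)
            cmd = line.split("] ", 1)[1]
            if not re.match(r'^"?[A-Za-z]:\\', cmd):
                findings.append(("Run entry without full path", line))
    return findings
```

Running `triage(SAMPLE_LOG)` on the constructed sample yields six findings; the legitimate hkcmd.exe and ntlworld.com entries pass.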
-
You have a few problems we have to deal with
Can you do the following for me please
The first step in helping you would be to install Service Pack 1a
or else you are probably just going to get reinfected
Go to the below link
http://www.microsoft.com/windowsxp/downloads/updates/sp1/express.mspx
Download and install SP1a
Restart the computer when prompted
Don't install Service Pack 2 yet, we will do this when you are clear of all malware
I can't stress enough how important it is to get these updates
Next:
After you have done the above
From my signature below, please visit at least one of the online virus scanners
Panda's
TrendMicro
Kaspersky's
You can run 2 or 3 if you wish
But let me see the reports from any you have run
Set to Autoclean when possible, and Save the report when done
Download and save WinPFind.zip (http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip)
UNZIP the contents to your desktop
Don't run it yet
RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link I supplied for a more detailed explanation
In safe mode
Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe
Then click Start Scan
This could take some time as it will scan your drive
Once the Scan is Complete
1. Reboot back to Normal mode
2. Go to the WinPFind folder
3. Locate WinPFind.txt in the WinPfind folder
Post the results of the WinPFind.txt
I need to see a couple more logs too
Redownload HijackThis from my signature below
Save it to a permanent folder on your drive
Run another scan with HijackThis from this new location and post a fresh log
Also
Open HijackThis>>Open Misc tools section>>Open Uninstall Manager
Click the SAVE LIST button
Save the list to your desktop
Copy and paste back here the contents of this log
Don't forget to include the Report from any online virus scanner that you run
Best of luck to you Alex, try and do what you can from the above
We'll get the rest later
-
Thank you, you're a diamond geeza. Will get to work right away, I'll keep you posted, thanks again