Author Topic: Highjack this  (Read 3514 times)

Offline jen3ca

  • Jr. Member
  • Posts: 78
  • Karma: +0/-0
Highjack this
« on: April 25, 2005, 04:40:07 PM »
Hey,
OK, I registered now and I also have downloaded the program you told me to (Microsoft AntiSpyware beta). Here is a new HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 5:33:58 PM, on 4/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\wpwin9.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\My Room\My Documents\computer security\highjack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ww.searchforit.com
O1 - Hosts: 0.1 slotchbar.com
O1 - Hosts: 127.0..0.1 stx12.sextracker.com
O1 - Hosts: 127.0.stx14.sextracker.com
O1 - Hosts: ww.searchforit.com
O1 - Hosts: 0.1 slotchbar.com
O1 - Hosts: w.zsearchtoolbar.com
O1 - Hosts: 127.0.0.eroptimizer.com
O1 - Hosts: 127.0.0.mizer.com
O1 - Hosts: w.zsearchtoolbar.com
O1 - Hosts: 127.
O1 - Hosts: om
O1 - Hosts: om
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: ay.com
O1 - Hosts: 127.0.w.xadso.offeroptimizer.com
O1 - Hosts: ay.com
O1 - Hosts: 127.0.0
O1 - Hosts: oday.com
O1 - Hosts: oday.com
O1 - Hosts: today.com
O1 - Hosts: today.com
O1 - Hosts: 127.0.0.
O1 - Hosts: com
O1 - Hosts: k-today.com
O1 - Hosts: com
O1 - Hosts: k-today.com
O1 - Hosts: 127
O1 - Hosts: ar.com
O1 - Hosts: .look-today.com
O1 - Hosts: ar.com
O1 - Hosts: .look-today.com
O1 - Hosts: 127
O1 - Hosts: olbar.com
O1 - Hosts: 127.find.com
O1 - Hosts: 127.om
O1 - Hosts: olbar.com
O1 - Hosts: 127.0
O1 - Hosts: htoolbar.com
O1 - Hosts: htoolbar.com
O1 - Hosts: earchtoolbar.com
O1 - Hosts: earchtoolbar.com
O1 - Hosts: 127.0.
O1 - Hosts: 127.0.0.
O1 - Hosts: m
O1 - Hosts: m
O1 - Hosts: com
O1 - Hosts: com
O1 - Hosts: 127.
O1 - Hosts: m
O1 - Hosts: u.com
O1 - Hosts: m
O1 - Hosts: u.com
O1 - Hosts: .com
O1 - Hosts: toyou.com
O1 - Hosts: .com
O1 - Hosts: toyou.com
O1 - Hosts: enu.com
O1 - Hosts: inkstoyou.com
O1 - Hosts: enu.com
O1 - Hosts: inkstoyou.com
O1 - Hosts: nc.whenu.com
O1 - Hosts: 127.0hinkingmedia.net
O1 - Hosts: 127.08.org
O1 - Hosts: nc.whenu.com
O1 - Hosts: 127.0.0.
O1 - Hosts: w.zinc.whenu.com
O1 - Hosts: w.zinc.whenu.com
O1 - Hosts: 127.
O1 - Hosts: er.com
O1 - Hosts: 127.0.ait.com
O1 - Hosts: 127.0.com
O1 - Hosts: om
O1 - Hosts: om
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\Fonts\kbvb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [CheckMsgPlus] C:\WINDOWS\System32\Rundll32.exe C:\PROGRA~1\MESSEN~1\MsgPlusH.dll,VerifyInstallation
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{30F00D34-C871-4704-AC44-F9ABCBB50576}: NameServer = 216.168.96.13 216.168.96.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{30F00D34-C871-4704-AC44-F9ABCBB50576}: NameServer = 216.168.96.13 216.168.96.10

I have also been having a problem with my computer turning itself off. My dad's girlfriend has this friend whose computer got hijacked, and the guy sent Rose something to this computer and many others. Her friend had the same problem with her computer as I am having with mine. She told me the name of the virus that she had was backdoor.b.asl.dll. Would you please help me figure out how to fix my computer before it just shuts off and doesn't turn back on (which happened to my brother's computer a while ago)?

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Highjack this
« Reply #1 on: April 25, 2005, 06:09:33 PM »
Unfortunately, I can't help you with this log as you posted one from an old version of HijackThis.
The newer version supplies more information and has more functionality.

Can you redownload HijackThis from my signature below and save it to your
C:\Documents and Settings\My Room\My Documents\computer security\highjack this folder?
Allow it to overwrite your old version.

Post back with a log from the newer version.

Oh, by the way

You said this
Quote
OK, I registered now and I also have downloaded the program you told me to (Microsoft AntiSpyware beta). Here is a new HijackThis log

I really have no idea what you're talking about.
Have I talked to you before?

Please, when posting back, make all responses in this thread; it's far less confusing that way and easier to follow along.
« Last Edit: April 25, 2005, 06:20:32 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline jen3ca

  • Jr. Member
  • Posts: 78
  • Karma: +0/-0
Highjack this
« Reply #2 on: April 25, 2005, 08:13:32 PM »
Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 8:59:01 PM, on 4/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\My Room\My Documents\computer security\highjack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ww.searchforit.com
O1 - Hosts: 0.1 slotchbar.com
O1 - Hosts: 127.0..0.1 stx12.sextracker.com
O1 - Hosts: 127.0.stx14.sextracker.com
O1 - Hosts: ww.searchforit.com
O1 - Hosts: 0.1 slotchbar.com
O1 - Hosts: w.zsearchtoolbar.com
O1 - Hosts: 127.0.0.eroptimizer.com
O1 - Hosts: 127.0.0.mizer.com
O1 - Hosts: w.zsearchtoolbar.com
O1 - Hosts: 127.
O1 - Hosts: om
O1 - Hosts: om
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: ay.com
O1 - Hosts: 127.0.w.xadso.offeroptimizer.com
O1 - Hosts: ay.com
O1 - Hosts: 127.0.0
O1 - Hosts: oday.com
O1 - Hosts: oday.com
O1 - Hosts: today.com
O1 - Hosts: today.com
O1 - Hosts: 127.0.0.
O1 - Hosts: com
O1 - Hosts: k-today.com
O1 - Hosts: com
O1 - Hosts: k-today.com
O1 - Hosts: 127
O1 - Hosts: ar.com
O1 - Hosts: .look-today.com
O1 - Hosts: ar.com
O1 - Hosts: .look-today.com
O1 - Hosts: 127
O1 - Hosts: olbar.com
O1 - Hosts: 127.find.com
O1 - Hosts: 127.om
O1 - Hosts: olbar.com
O1 - Hosts: 127.0
O1 - Hosts: htoolbar.com
O1 - Hosts: htoolbar.com
O1 - Hosts: earchtoolbar.com
O1 - Hosts: earchtoolbar.com
O1 - Hosts: 127.0.
O1 - Hosts: 127.0.0.
O1 - Hosts: m
O1 - Hosts: m
O1 - Hosts: com
O1 - Hosts: com
O1 - Hosts: 127.
O1 - Hosts: m
O1 - Hosts: u.com
O1 - Hosts: m
O1 - Hosts: u.com
O1 - Hosts: .com
O1 - Hosts: toyou.com
O1 - Hosts: .com
O1 - Hosts: toyou.com
O1 - Hosts: enu.com
O1 - Hosts: inkstoyou.com
O1 - Hosts: enu.com
O1 - Hosts: inkstoyou.com
O1 - Hosts: nc.whenu.com
O1 - Hosts: 127.0hinkingmedia.net
O1 - Hosts: 127.08.org
O1 - Hosts: nc.whenu.com
O1 - Hosts: 127.0.0.
O1 - Hosts: w.zinc.whenu.com
O1 - Hosts: w.zinc.whenu.com
O1 - Hosts: 127.
O1 - Hosts: er.com
O1 - Hosts: 127.0.ait.com
O1 - Hosts: 127.0.com
O1 - Hosts: om
O1 - Hosts: om
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\Fonts\kbvb.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [CheckMsgPlus] C:\WINDOWS\System32\Rundll32.exe C:\PROGRA~1\MESSEN~1\MsgPlusH.dll,VerifyInstallation
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{30F00D34-C871-4704-AC44-F9ABCBB50576}: NameServer = 216.168.96.13 216.168.96.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{30F00D34-C871-4704-AC44-F9ABCBB50576}: NameServer = 216.168.96.13 216.168.96.10
O20 - Winlogon Notify: kbvb - C:\WINDOWS\Fonts\kbvb.dll

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Highjack this
« Reply #3 on: April 25, 2005, 09:22:49 PM »
Let's try the following, Jen.

I need you to download a few tools.

==Download Process Explorer and unzip it to a folder

==Download the Pocket Killbox
UNZIP it to a folder of your choice

==Download fixMs.zip and unzip it to the desktop
So you now have fixMs.reg on the desktop
[attachment=170:attachment]

Could you copy and paste the rest of these instructions to a Notepad file and save it to the desktop.
Follow the instructions closely.
Disconnect from the Internet>>Close out all browser windows, including this one

Open "Procexp.exe"
In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.
Once you see this screen click on each instance of kbvb.dll once and then click the kill button.

After you have killed all of the kbvb.dll's under winlogon click ok.

Next double click on explorer.exe and again click once on each instance of kbvb.dll then click the kill button. Once you have done that click ok again.

Do another scan with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ww.searchforit.com
O1 - Hosts: 0.1 slotchbar.com
O1 - Hosts: 127.0..0.1 stx12.sextracker.com
O1 - Hosts: 127.0.stx14.sextracker.com
O1 - Hosts: ww.searchforit.com
O1 - Hosts: 0.1 slotchbar.com
O1 - Hosts: w.zsearchtoolbar.com
O1 - Hosts: 127.0.0.eroptimizer.com
O1 - Hosts: 127.0.0.mizer.com
O1 - Hosts: w.zsearchtoolbar.com
O1 - Hosts: 127.
O1 - Hosts: om
O1 - Hosts: om
O1 - Hosts: .com
O1 - Hosts: .com
O1 - Hosts: ay.com
O1 - Hosts: 127.0.w.xadso.offeroptimizer.com
O1 - Hosts: ay.com
O1 - Hosts: 127.0.0
O1 - Hosts: oday.com
O1 - Hosts: oday.com
O1 - Hosts: today.com
O1 - Hosts: today.com
O1 - Hosts: 127.0.0.
O1 - Hosts: com
O1 - Hosts: k-today.com
O1 - Hosts: com
O1 - Hosts: k-today.com
O1 - Hosts: 127
O1 - Hosts: ar.com
O1 - Hosts: .look-today.com
O1 - Hosts: ar.com
O1 - Hosts: .look-today.com
O1 - Hosts: 127
O1 - Hosts: olbar.com
O1 - Hosts: 127.find.com
O1 - Hosts: 127.om
O1 - Hosts: olbar.com
O1 - Hosts: 127.0
O1 - Hosts: htoolbar.com
O1 - Hosts: htoolbar.com
O1 - Hosts: earchtoolbar.com
O1 - Hosts: earchtoolbar.com
O1 - Hosts: 127.0.
O1 - Hosts: 127.0.0.
O1 - Hosts: m
O1 - Hosts: m
O1 - Hosts: com
O1 - Hosts: com
O1 - Hosts: 127.
O1 - Hosts: m
O1 - Hosts: u.com
O1 - Hosts: m
O1 - Hosts: u.com
O1 - Hosts: .com
O1 - Hosts: toyou.com
O1 - Hosts: .com
O1 - Hosts: toyou.com
O1 - Hosts: enu.com
O1 - Hosts: inkstoyou.com
O1 - Hosts: enu.com
O1 - Hosts: inkstoyou.com
O1 - Hosts: nc.whenu.com
O1 - Hosts: 127.0hinkingmedia.net
O1 - Hosts: 127.08.org
O1 - Hosts: nc.whenu.com
O1 - Hosts: 127.0.0.
O1 - Hosts: w.zinc.whenu.com
O1 - Hosts: w.zinc.whenu.com
O1 - Hosts: 127.
O1 - Hosts: er.com
O1 - Hosts: 127.0.ait.com
O1 - Hosts: 127.0.com
O1 - Hosts: om
O1 - Hosts: om

O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\Fonts\kbvb.dll

O20 - Winlogon Notify: kbvb - C:\WINDOWS\Fonts\kbvb.dll


After you have ticked the above entries, close all other open windows.
Leave HijackThis open and click FIX CHECKED.
OK the prompt and exit HijackThis.

Double click on fixMs.reg you unzipped earlier and allow it to merge into the registry at the prompt.

Run Pocket KillBox>>Now KillBox and this Notepad file are open
Click on Tools>>Delete Temp files

In the Full Path of File to Delete box, copy and paste the entire line directly below in bold; do not type this in:

C:\WINDOWS\Fonts\kbvb.dll

Select the radio button to Delete on Reboot
Click the red circle with a white X
When prompted to Delete on Reboot, click YES
If prompted to Reboot Now, click YES
or restart the computer anyways

Back in Windows, post back with a fresh HijackThis log


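As an added example, not from this thread or from the HijackThis tool itself, here is a small Python triage script for log lines in the format posted above. It flags modules loading from data directories such as C:\WINDOWS\Fonts, a DLL registered through more than one autostart mechanism (the kbvb.dll O2 + O20 pair above), orphaned "(file missing)" O20 entries, hosts-file redirects, and O17 name servers that should be checked against the ISP's. The directory list and severity labels are assumptions chosen for this example; the sample lines are copied from the posted log.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the v1.99.1 log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:59:01 PM, on 4/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
O1 - Hosts: 127.0.0.eroptimizer.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\Fonts\kbvb.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{30F00D34-C871-4704-AC44-F9ABCBB50576}: NameServer = 216.168.96.13 216.168.96.10
O20 - Winlogon Notify: kbvb - C:\WINDOWS\Fonts\kbvb.dll
"""

# "O20 - Winlogon Notify: ..." -> code "O20", body "Winlogon Notify: ..."
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# First Windows path ending in a code module; stops at a quote or '(' so that
# '"C:\...\x.exe"' and '(no file)' do not confuse it.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"(]*?\.(?:dll|exe|ocx))', re.IGNORECASE)
# Directories that hold data, not code. A module loading from one of these is
# the pattern kbvb.dll shows above (assumption: list chosen for this example).
ODD_CODE_DIRS = ("\\fonts\\", "\\temp\\", "\\temporary internet files\\")


@dataclass
class Finding:
    code: str       # HijackThis section code, e.g. "O20", or "O2+O20" for a cross-reference
    severity: str   # "high", "medium", "low" or "info" (labels assumed for this example)
    reason: str
    line: str       # the log line (or path) the finding refers to


def parse_entries(log_text):
    """Return (code, body, raw_line) for every HijackThis entry line; other lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2), raw.strip()))
    return entries


def triage(log_text):
    """Apply the checks described in the lead-in and return a list of Finding objects."""
    findings = []
    dll_mechanisms = defaultdict(set)   # lower-cased module path -> {"O2", "O20", "O4"}
    hosts_lines = 0
    for code, body, raw in parse_entries(log_text):
        if code == "O1":                # hosts-file redirect; counted and reported once
            hosts_lines += 1
            continue
        if code == "O20" and "(file missing)" in body:
            findings.append(Finding(code, "low", "orphaned Winlogon Notify entry, file already gone", raw))
            continue
        if code == "O17":               # DNS servers pushed into the TCP/IP settings
            servers = body.split("NameServer =", 1)[-1].split()
            findings.append(Finding(code, "info",
                                    "DNS servers set to " + " ".join(servers) + "; confirm they belong to the ISP", raw))
            continue
        pm = PATH_RE.search(body)
        if not pm:
            continue
        path = pm.group(1)
        lower = path.lower()
        if code in ("O2", "O20", "O4"):
            dll_mechanisms[lower].add(code)
        if any(d in lower for d in ODD_CODE_DIRS):
            findings.append(Finding(code, "high", "module loads from a data directory: " + path, raw))
    if hosts_lines:
        findings.append(Finding("O1", "medium",
                                f"{hosts_lines} hosts-file redirect(s); review or reset the hosts file", "O1 - Hosts: ..."))
    # The same file registered as a BHO and as a Winlogon Notify package is two
    # persistence hooks for one module, which is what kbvb.dll shows in the log.
    for path, codes in dll_mechanisms.items():
        if len(codes) > 1:
            findings.append(Finding("+".join(sorted(codes)), "high",
                                    "same module registered by several autostart mechanisms: " + path, path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code:7} {f.reason}")
```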

Offline jen3ca

  • Jr. Member
  • Posts: 78
  • Karma: +0/-0
Highjack this
« Reply #4 on: April 26, 2005, 07:39:45 AM »
There were no instances of kbvb.dll in winlogon or i explore.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Highjack this
« Reply #5 on: April 26, 2005, 07:52:41 AM »
The file name may have changed.
I'm on my way to work soon; try not to restart your computer,
but post back with a fresh HijackThis log.

Oh, and by the way
You said this
Quote
there were no instances of kbvb.dll in winlogon or i explore

I hope the iexplore was not there; that would mean you had an Internet Explorer window open, and I mentioned to disconnect from the Internet and close ALL browser windows.

I said to double click on explorer.exe.



Offline jen3ca

  • Jr. Member
  • Posts: 78
  • Karma: +0/-0
Highjack this
« Reply #6 on: April 26, 2005, 08:03:35 AM »
Logfile of HijackThis v1.99.1
Scan saved at 8:57:52 AM, on 4/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\My Room\My Documents\computer security\highjack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [CheckMsgPlus] C:\WINDOWS\System32\Rundll32.exe C:\PROGRA~1\MESSEN~1\MsgPlusH.dll,VerifyInstallation
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CS2\Services\Tcpip\..\{30F00D34-C871-4704-AC44-F9ABCBB50576}: NameServer = 216.168.96.13 216.168.96.10
O20 - Winlogon Notify: kbvb - C:\WINDOWS\Fonts\kbvb.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

Here is the new post. There was no iexplore; I meant there was no instance of kbvb.dll in explorer.exe.

Offline jen3ca

  • Jr. Member
  • Posts: 78
  • Karma: +0/-0
Highjack this
« Reply #7 on: April 26, 2005, 08:04:45 AM »
My computer turns itself off all the time, so I will not restart it, but if it does restart it ain't my fault.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Highjack this
« Reply #8 on: April 26, 2005, 08:07:44 AM »
Log off any other users on the computer, if this applies.

With all other windows closed, can you do another scan with HijackThis and fix checked this entry:

O20 - Winlogon Notify: kbvb - C:\WINDOWS\Fonts\kbvb.dll (file missing)

Restart your computer and post a fresh HijackThis log.

Let me know how everything's running.



Offline jen3ca

  • Jr. Member
  • Posts: 78
  • Karma: +0/-0
Highjack this
« Reply #9 on: April 26, 2005, 08:16:28 AM »
Logfile of HijackThis v1.99.1
Scan saved at 9:08:30 AM, on 4/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\My Room\My Documents\computer security\highjack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [CheckMsgPlus] C:\WINDOWS\System32\Rundll32.exe C:\PROGRA~1\MESSEN~1\MsgPlusH.dll,VerifyInstallation
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{30F00D34-C871-4704-AC44-F9ABCBB50576}: NameServer = 216.168.96.13 216.168.96.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{30F00D34-C871-4704-AC44-F9ABCBB50576}: NameServer = 216.168.96.13 216.168.96.10
O17 - HKLM\System\CS2\Services\Tcpip\..\{30F00D34-C871-4704-AC44-F9ABCBB50576}: NameServer = 216.168.96.13 216.168.96.10
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

Here is a new log.
My computer is running somewhat slow and it is still turning itself off.

Offline guestolo
« Reply #10 on: April 26, 2005, 08:28:26 AM »
The log looks clean
So it may not be virus related anymore. It doesn't appear that you have this enabled, but take a look anyway

Is the computer just shutting down or restarting?

Go into the control panel>>System Icon>>Open the Advanced tab>>
Under the Startup and recovery click Settings>>
Uncheck Automatically restart if checked
OK your way out
May give some insight into why it's restarting

When was the last time you did a Disk Defrag on the computer and cleaned out all your temp folders?
Is the inside of the computer clean? Can you look at the back of the computer?
Does the fan look like it has much crud around it? I'm just checking

You may want to try this too
Download this virus checker from eScan
Mwav.exe
There's nothing to install, save it and then double click to run
It will self extract
Temporarily disable Norton's Autoprotect
In Mwav
Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
Give this scan time to finish, it's very thorough
In the Virus Log Information Pane
Left click and highlight all the info in the lower pane. Use the "CTRL" and "C" keys on your keyboard to copy everything found in the lower pane and paste it back here in your reply

****If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning
We just want to see where the bad guys are

If you're worried about Mwav not finishing the scan because of the shutting down problems
Try restarting into safe mode and then run the scan
Save the log to a notepad file and then reboot to normal mode and post back a fresh
HijackThis log and the log from the Mwav scan
« Last Edit: April 26, 2005, 08:29:24 AM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline jen3ca
« Reply #11 on: April 26, 2005, 08:38:27 AM »
It was set to restart so I unchecked it, and the fan at the back of the computer is clean.
It's just shutting itself completely down, it is not restarting itself. I have to turn the power bar off for a few minutes before being able to turn the computer back on as well.
I will download the virus scanner now.

Guest
« Reply #12 on: April 26, 2005, 08:57:48 AM »
I have defragmented the computer and I am still downloading the virus scanner. I tried using my computer in safe mode yesterday and it still shut down. As soon as I have done the virus scan and have gotten a new HijackThis log I will post them.

Offline jen3ca
« Reply #13 on: April 26, 2005, 10:50:50 AM »
My computer won't stay on long enough for the download to complete.

Offline guestolo
« Reply #14 on: April 26, 2005, 02:33:19 PM »
Can you download it from another PC and transfer it to your computer?
It will have to be burnt to a CD because of the size, or if you have a USB thumbdrive
that would be great

Is it only shutting down while you're online?



Offline jen3ca
« Reply #15 on: April 26, 2005, 04:36:58 PM »
No, I cannot use a different computer, I have no access to one. It turns off whether it is connected to the internet or not. I also just realized the fan is not plugged in at all and it used to be. I cannot tell whereabouts the fan should be plugged in because it does not look like it could plug into anywhere.

Offline guestolo
« Reply #16 on: April 26, 2005, 04:57:54 PM »
If you're talking about the fan in the computer
I would refrain from using the computer
Your computer is shutting down from overheating

If you're not confident with getting inside the computer
Take it in and get it done
EDIT>>Or have someone you're confident with poke around inside the computer to save some bucks
If you haven't done any tinkering in the back of the computer lately I would have to guess that the fan seized or possibly the PSU is going altogether
« Last Edit: April 26, 2005, 04:59:54 PM by guestolo »



Offline jen3ca
« Reply #17 on: April 26, 2005, 06:36:52 PM »
I figured out the computer was overheating when I realized the fan wasn't plugged in..... The fan is not plugged in whatsoever and it doesn't look like there is a place to plug it in. I have fixed the overheating problem for now by placing a big fan beside my computer; the cover is also off my computer. I need to know how to hook my fan for the computer back up. I have also downloaded the program you told me to... I would like you to tell me if there is a back door in my computer.... I ran an AVG scan and it found like 3 back doors; all it did was put them in the vault. Can they still screw with my computer if they are in the vault?
I will have the scan results for you as soon as it is finished
Here are the HijackThis scan results

Logfile of HijackThis v1.99.1
Scan saved at 6:54:22 PM, on 4/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Grisoft\AVG Free\avgwb.dat
C:\DOCUME~1\MYROOM~1\LOCALS~1\Temp\mwavscan.com
C:\DOCUME~1\MYROOM~1\LOCALS~1\Temp\kavss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\My Room\My Documents\computer security\highjack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [CheckMsgPlus] C:\WINDOWS\System32\Rundll32.exe C:\PROGRA~1\MESSEN~1\MsgPlusH.dll,VerifyInstallation
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{30F00D34-C871-4704-AC44-F9ABCBB50576}: NameServer = 216.168.96.13 216.168.96.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{30F00D34-C871-4704-AC44-F9ABCBB50576}: NameServer = 216.168.96.13 216.168.96.10
O17 - HKLM\System\CS2\Services\Tcpip\..\{30F00D34-C871-4704-AC44-F9ABCBB50576}: NameServer = 216.168.96.13 216.168.96.10
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
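
Added example, not part of this thread and not HijackThis code: a small Python script that reads R/O lines in the format of the two logs posted above (the partial one at the top of this page and the full one in Reply #17) into records and then runs the checks a log helper does by eye: hosts-file overrides (O1), autorun entries that start a program out of a temporary folder (O4), ActiveX controls pulled from the web rather than a local file (O16), and DNS servers that are not the ones the owner expects (O17). Assumed and labelled as such in the code: the SAMPLE_LOG text (constructed in the format of the posted logs, with one made-up Temp autorun and one made-up hosts line), the DNS allow-list (set to the pair that appears in the posted log) and the Temp-directory rule.

```python
"""Parse HijackThis v1.9x log lines into records and run a few defender-side checks.

Added example for this thread, not HijackThis code.  SAMPLE_LOG is constructed in
the format of the logs posted above (one made-up Temp autorun added); the DNS
allow-list and the Temp-directory rule are assumptions to tune per case.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Entry:
    section: str                    # R0, R1, O1, O4, O16, O17, O23, ...
    raw: str
    name: Optional[str] = None      # value name, control name or service name
    target: Optional[str] = None    # program path, URL or hosts entry
    extra: Dict[str, object] = field(default_factory=dict)

LINE_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
EXT_RE = re.compile(r"^(.*?\.(?:exe|dll|cpl|com|scr|bat|cmd|lnk|ocx))(?:\s+(.*))?$", re.I)

def split_command(cmd: str) -> Tuple[str, str]:
    """Split an O4 command into (program path, arguments); paths may be unquoted with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
    m = EXT_RE.match(cmd)
    return (m.group(1), m.group(2) or "") if m else (cmd, "")

def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None                 # header, running-process list or blank line
    section, body = m.groups()
    e = Entry(section=section, raw=line.strip())
    if section == "O1":             # O1 - Hosts: <ip> <host>
        e.target = body.partition(": ")[2]
    elif section == "O4":           # O4 - HKLM\..\Run: [Name] cmd   or   O4 - Startup: x.lnk = path
        m4 = re.match(r"(.+?): \[(.*?)\] (.*)$", body)
        if m4:
            e.extra["location"], e.name, cmd = m4.groups()
        else:
            e.extra["location"], _, rest = body.partition(": ")
            e.name, _, cmd = rest.partition(" = ")
        e.target, e.extra["args"] = split_command(cmd)
    elif section == "O16":          # O16 - DPF: {CLSID} (Name) - url
        m16 = re.match(r"DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (.*)$", body)
        if m16:
            e.extra["clsid"], e.name, e.target = m16.groups()
    elif section == "O17":          # O17 - HKLM\...\{GUID}: NameServer = ip ip
        key, _, value = body.partition(": NameServer = ")
        e.extra["key"], e.extra["nameservers"] = key, value.split()
    elif section == "O23":          # O23 - Service: Display (Short) - Vendor - path
        parts = body.partition(": ")[2].rsplit(" - ", 2)
        e.name, e.target = parts[0], parts[-1]
    else:
        e.target = body
    return e

def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

# Assumption: resolvers the owner expects to see (here the pair from the posted log).
DNS_ALLOW = {"216.168.96.13", "216.168.96.10"}
TEMP_RE = re.compile(r"\\(Temp|LOCALS~1|Local Settings|Temporary Internet Files)\\", re.I)

def triage(entries: List[Entry], dns_allow=DNS_ALLOW) -> List[Tuple[str, str, str]]:
    """Return (section, reason, raw line) for the entries a helper would look at first."""
    out = []
    for e in entries:
        if e.section == "O1":
            out.append((e.section, "hosts-file override: " + e.target, e.raw))
        elif e.section == "O4" and e.target and TEMP_RE.search(e.target):
            out.append((e.section, "autorun program lives in a temporary directory", e.raw))
        elif e.section == "O16" and e.target and e.target.lower().startswith("http"):
            out.append((e.section, "ActiveX control fetched from the web; confirm the publisher", e.raw))
        elif e.section == "O17":
            unknown = [ip for ip in e.extra["nameservers"] if ip not in dns_allow]
            if unknown:
                out.append((e.section, "unexpected DNS server(s): " + " ".join(unknown), e.raw))
    return out

# Constructed sample: format of the posted logs, plus one made-up Temp autorun and hosts line.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O1 - Hosts: 127.0.0.1 example.invalid
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\USER~1\LOCALS~1\Temp\upd.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{30F00D34-C871-4704-AC44-F9ABCBB50576}: NameServer = 216.168.96.13 216.168.96.10
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

if __name__ == "__main__":
    for section, reason, raw in triage(parse_log(SAMPLE_LOG)):
        print(f"{section}: {reason}\n    {raw}")
```

Running it on the constructed sample prints three findings (the hosts line, the Temp autorun and the web-fetched ActiveX control); the O17 lines pass because both servers are in the allow-list, and an empty allow-list turns them into a fourth finding. Process-list and header lines are ignored, so the whole log can be pasted in as-is.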

Offline jen3ca
« Reply #18 on: April 26, 2005, 07:12:33 PM »
Here are the other scan results you wanted

File System Found infected by "SideFind Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Lycos Sidesearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "BetterInternet Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "BetterInternet Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "FunWebProducts Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "speer Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "autoloader Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "morpheus Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\axuninstall.exe infected by "not-a-virus:AdWare.BlazeFind.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\req.dll infected by "Trojan-Downloader.Win32.ConHook.b" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\AOL Downloads\setup90\comp01.000 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy.zip infected by "Password-protected-EXE" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\My Room\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-21c6f865-3c70f1a7.class infected by "Trojan.Java.ClassLoader.Dummy.d" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\My Room\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-6d500be8-79230b96.class infected by "Trojan.Java.ClassLoader.Dummy.d" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\My Room\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-6e8dae4e-3fcb1886.class infected by "Trojan.Java.ClassLoader.Dummy.d" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\My Room\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4f82bc9c-2da55039.zip infected by "Trojan.Java.ClassLoader.z" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\My Room\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6880c5b9-5c84e323.zip infected by "Trojan.Java.ClassLoader.z" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\My Room\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-438f959a.zip infected by "Trojan.Java.ClassLoader.c" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\My Room\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2dd0698-2ef9423b.zip infected by "Trojan.Java.ClassLoader.c" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\My Room\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-690cced6-1495ca90.zip infected by "Trojan.Java.ClassLoader.c" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\My Room\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-6bc0c227-539c30d9.zip infected by "Trojan.Java.ClassLoader.c" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\My Room\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7d9192de-32fe85f5.zip infected by "Trojan.Java.ClassLoader.c" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\My Room\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-5e49c651-61b566fd.zip infected by "Trojan.Java.Needy.c" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\My Room\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\proc.jar-e821fb5-42bbc2ed.zip infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\My Room\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\proc_.jar-742dd5c3-6cdaaf3b.zip infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\My Room\My Documents\mirc616.exe tagged as not-a-virus:RiskWare.mIRC.6.16. No Action Taken.
File C:\Documents and Settings\My Room\My Documents\WarezP2P.exe infected by "Trojan-Downloader.Win32.Small.apc" Virus. Action Taken: No Action Taken.
File C:\Downloads\DH2004Setup-dm[1].exe infected by "not-a-virus:AdWare.Trymedia.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\3503B002-3917-410A-91D8-E938F6\AF6DCEAA-0985-40D8-AF5D-A46A65 infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B668FCF6-8678-4D93-B5C2-0C7A63F5EC1C}\RP100\A0017433.exe infected by "not-a-virus:AdWare.Trymedia.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B668FCF6-8678-4D93-B5C2-0C7A63F5EC1C}\RP139\A0025760.dll infected by "not-a-virus:AdWare.Altnet.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B668FCF6-8678-4D93-B5C2-0C7A63F5EC1C}\RP147\A0050335.dll infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B668FCF6-8678-4D93-B5C2-0C7A63F5EC1C}\RP147\A0050337.exe infected by "Trojan-Downloader.Win32.Keenval.e" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B668FCF6-8678-4D93-B5C2-0C7A63F5EC1C}\RP147\A0050338.vxd infected by "not-a-virus:AdWare.BargainBuddy.j" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B668FCF6-8678-4D93-B5C2-0C7A63F5EC1C}\RP80\A0013617.exe infected by "Trojan-Downloader.Win32.Swizzor.av" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\axuninstall.exe infected by "not-a-virus:AdWare.BlazeFind.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\req.dll infected by "Trojan-Downloader.Win32.ConHook.b" Virus. Action Taken: No Action Taken.
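
Added example, not part of this thread and not eScan code: a Python script that parses result lines in the format posted above (both the `infected by "..." Virus. Action Taken: ...` form and the `tagged as ...` form) and groups each detection by where it sits on disk, because the location rather than the detection name decides the cleanup step. Files in a System Restore snapshot or in another tool's quarantine are already contained, entries in the Java applet cache go away with the cache, and only detections in the Windows directory, user folders or temp folders are live and need the file removed, which is the split the reply below follows. Assumed and labelled as such in the code: the sample lines (constructed in the posted format, with a placeholder user name and zeroed GUIDs and cache file names), the location rules, the severity split and the suggested next step per location.

```python
"""Parse eScan/MWAV result lines and group detections by where they sit on disk,
since the location, not the detection name, decides the cleanup step.

Added example for this thread, not eScan code.  SAMPLE is constructed in the
format of the posted results (placeholder user name, GUIDs and cache names);
the location rules, severity split and NEXT_STEP table are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

class Finding(NamedTuple):
    path: Optional[str]     # None for "File System Found" (system-wide, no single file)
    detection: str
    action: str
    location: str
    severity: str           # "malware", "adware" or "riskware"

INFECTED_RE = re.compile(r'^File (?:(System) Found|(.+?)) infected by "([^"]+)" Virus\. Action Taken: (.+?)\.$')
TAGGED_RE = re.compile(r'^File (.+?) tagged as (\S+?)\. (.+?)\.$')

# Ordered: the first matching rule wins; paths are matched case-insensitively.
LOCATION_RULES = [
    (r"\\System Volume Information\\_restore", "system restore snapshot"),
    (r"\\(Quarantine|Recovery)\\", "quarantine of another tool"),
    (r"\\Sun\\Java\\Deployment\\cache\\", "Java applet cache"),
    (r"\\(Temp|Temporary Internet Files)\\", "temporary files"),
    (r"^[A-Z]:\\WINDOWS\\", "Windows system directory"),
    (r".", "user files and downloads"),
]
ACTIVE = {"Windows system directory", "user files and downloads", "temporary files"}

# Assumption: the follow-up a helper would recommend for each location.
NEXT_STEP = {
    "system-wide (registry/settings)": "check registry and IE settings with an anti-spyware tool",
    "Windows system directory": "remove the file (delete-on-reboot if locked) and rescan",
    "user files and downloads": "delete the file",
    "temporary files": "clear the temp folders",
    "Java applet cache": "clear the Java plugin cache",
    "quarantine of another tool": "leave to that tool or empty its quarantine",
    "system restore snapshot": "purge restore points once the system is clean",
}

def classify_location(path: Optional[str]) -> str:
    if path is None:
        return "system-wide (registry/settings)"
    for pattern, label in LOCATION_RULES:
        if re.search(pattern, path, re.I):
            return label
    return "unknown"

def severity_of(detection: str) -> str:
    low = detection.lower()
    if "adware" in low:
        return "adware"
    return "riskware" if low.startswith("not-a-virus:") else "malware"

def parse_line(line: str) -> Optional[Finding]:
    line = line.strip()
    m = INFECTED_RE.match(line)
    if m:
        generic, path, det, act = m.groups()
        path = None if generic else path
    else:
        m = TAGGED_RE.match(line)
        if not m:
            return None             # progress or summary line, not a detection
        path, det, act = m.groups()
    return Finding(path, det, act, classify_location(path), severity_of(det))

def parse_results(text: str) -> List[Finding]:
    return [f for f in map(parse_line, text.splitlines()) if f]

def group_by_location(findings: List[Finding]) -> Dict[str, List[Finding]]:
    groups = defaultdict(list)
    for f in findings:
        groups[f.location].append(f)
    return dict(groups)

def files_to_remove(findings: List[Finding]) -> List[str]:
    """Unique paths of malware/adware that are live on disk (not in a snapshot, quarantine or cache)."""
    seen, out = set(), []
    for f in findings:
        if f.path and f.location in ACTIVE and f.severity != "riskware" and f.path.lower() not in seen:
            seen.add(f.path.lower())
            out.append(f.path)
    return out

def cleanup_plan(findings: List[Finding]) -> Dict[str, Tuple[str, int]]:
    """Map each location to (suggested next step, number of detections there)."""
    return {loc: (NEXT_STEP.get(loc, "review"), len(fs)) for loc, fs in group_by_location(findings).items()}

# Constructed sample in the posted format (placeholder user name, GUIDs and cache names).
SAMPLE = r"""
File System Found infected by "SideFind Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\req.dll infected by "Trojan-Downloader.Win32.ConHook.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\axuninstall.exe infected by "not-a-virus:AdWare.BlazeFind.b" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\proc.jar-00000000-00000000.zip infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\User\My Documents\WarezP2P.exe infected by "Trojan-Downloader.Win32.Small.apc" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\User\My Documents\mirc616.exe tagged as not-a-virus:RiskWare.mIRC.6.16. No Action Taken.
File C:\Program Files\Microsoft AntiSpyware\Quarantine\00000000-0000\00000000-0000 infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000001.exe infected by "Trojan-Downloader.Win32.Swizzor.av" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\req.dll infected by "Trojan-Downloader.Win32.ConHook.b" Virus. Action Taken: No Action Taken.
"""

if __name__ == "__main__":
    results = parse_results(SAMPLE)
    for loc, (step, n) in cleanup_plan(results).items():
        print(f"{n:2d} x {loc}: {step}")
    print("files to remove:", *files_to_remove(results), sep="\n  ")
```

On the constructed sample the live-file list comes out as the two system32 files and the downloaded WarezP2P.exe; the duplicate req.dll line (the posted results also repeat the system32 entries) is collapsed, the riskware-tagged mIRC installer is left to the owner, and the Java cache, quarantine and restore-point hits are reported under their own cleanup step instead of as files to delete by hand.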

Offline guestolo
« Reply #19 on: April 26, 2005, 11:21:37 PM »
Open your Control panel and open the Java Plugin
Under the Cache tab, delete cache

Reboot into safe mode

Run Pocket KillBox>>Now KillBox and this notepad file are open
Click on Tools>>Delete Temp files

In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in

C:\WINDOWS\system32\axuninstall.exe  

Select the radio button to Delete on Reboot
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
If prompted to Reboot Now, Click NO
Don't restart until you have entered the next ones too

C:\WINDOWS\system32\req.dll
C:\WINDOWS\system32\req.dat
C:\Documents and Settings\My Room\My Documents\WarezP2P.exe
C:\Downloads\DH2004Setup-dm[1].exe


Let the computer restart back to Normal mode
Run a Registry cleaner through your system
But create a fresh restore point first
START>>All programs>>Accessories>>System Tools>>System Restore
Click Create a new restore point
Name it and click Create

Download this Registry Cleaner>>RegSeeker 1.35:
http://www.hoverdesk.net/freeware.htm
After you install it
Open the program and ensure Backup before deletion in bottom left corner is checked
Click Clean Registry>>OK
After it's done scanning>>Select all and right click and delete
Restart the computer

Let me know how everything's running
You MUST get your fan looked at......
Not having it running can cause serious problems to your computer
