1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

heretofind

Discussion in 'Malware and Virus Removal Archive' started by dude1234, 2004/09/18.

Thread Status:
Not open for further replies.
  1. 2004/09/18
    dude1234

    dude1234 Inactive Thread Starter

    Joined:
    2004/09/17
    Messages:
    9
    Likes Received:
    0
    hi im new to this site and ive been hijaked by that heretofind virus. i dont know how to remove it so if someone could tell me how to do it then i will be very grateful. i have hijak this if that helps
     
    dude1234,
    #1
  2. 2004/09/18
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    dude1234 - Welcome to the Board:)

    Download the latest version of HijackThis through Quicklinks in my signature, save to a folder on your hard drive (NOT the desktop) - run it and post the log here. Do not fix anything until one of our experts advises.

    Moving this thread to Secutity/Virus/Spyware
     
    PeteC,
    #2


  3. to hide this advert.

  4. 2004/09/18
    dude1234

    dude1234 Inactive Thread Starter

    Joined:
    2004/09/17
    Messages:
    9
    Likes Received:
    0
    Logfile of HijackThis v1.98.2
    Scan saved at 17:15:57, on 18/09/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\WINDOWS\System32\IEHost.exe
    C:\PROGRA~1\INTERN~2\inetmgr.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\PROGRA~1\INTERN~2\inetsvc.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\Shareaza\Shareaza.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Domenico\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:mad:MSITStore:C:\spe\start.chm::/start.html#
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:mad:MSITStore:C:\spe\start.chm::/start.html#
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
    O2 - BHO: Browser - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~2\inetkw.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {8E718888-423F-11D2-876E-00A0C9082467} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\znhsrfmh.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [Microsoft Update Time] wuam.exe
    O4 - HKLM\..\Run: [Windows Service Pack2] win43.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [KQ] C:\documents and settings\carly\local settings\temp\KQ.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [msbb] c:\docume~1\domenico\locals~1\temp\msbb.exe
    O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin\bargains.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Time] wuam.exe
    O4 - HKLM\..\RunServices: [Windows Service Pack2] win43.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
    O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
    O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra button: Corel Network monitor worker - {C4AB3254-ADA0-4330-BD44-537C37F3580D} - (no file)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {C4AB3254-ADA0-4330-BD44-537C37F3580D} - (no file)
    O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
    O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - WWW Prefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - Home Prefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=15&q=
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1092946024916
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{07487384-FBC2-4177-A698-F68563541A7A}: NameServer = 194.72.9.55 194.74.65.86
    O17 - HKLM\System\CS1\Services\Tcpip\..\{07487384-FBC2-4177-A698-F68563541A7A}: NameServer = 194.72.9.55 194.74.65.86
     
    dude1234,
    #3
  5. 2004/09/18
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    Excellent - now please wait for a response from one of our experts on HJT logs even though it is fairly clear what needs to be fixed.
     
    PeteC,
    #4
  6. 2004/09/18
    dude1234

    dude1234 Inactive Thread Starter

    Joined:
    2004/09/17
    Messages:
    9
    Likes Received:
    0
    ok,how long do i have to wait? im not being rude i just want my comp back to normal. :)
     
    dude1234,
    #5
  7. 2004/09/18
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    We are all volunteers on this Board - and that includes the staff members/moderators and all the BBS Team Members, most of whom are based in the States. Many of us log in several times a day, others just once. Where you are in the world will affect the speed of response. It is just 6 pm here in the UK which makes it 1 pm on the East coast of America and 10 am on the West coast. I would guess that most folk will tend to log on in the evening, unless, like myself, they are retired. I leave it to you to work out when you might reasonably expect a response, but I would expect it to be within the next 24 hours.
     
    PeteC,
    #6
  8. 2004/09/18
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    You have quite a variety of nasties so the cleaning process will take several steps.

    First off, you have at least 2 virus/trojan infections that Norton seems to have missed. It may have been disabled by one of them. So you need to get rid of those before doing anything else. Use an online AV site (several listed in quicklinks) in my signature and let them clean what they find. If any are found but cannot be removed/cleaned, please write down specifics and post them.

    Next, there are at least a few of the spyware/malware baddies that would be removed by running Ad-aware and Spybot. Links to both in quicklinks so download, install, update, and run first Ad-aware SE and then Spybot v1.3.

    With Ad-aware, let it remove all items it finds. With Spybot, let it remove all items it pre-checks/flags as baddies. Then with Spybot, click on the Immunize icon on the left side then on the Green immunize cross to give yourself some added protection.

    After that, with all other windows/programs closed, run HJT again and post a new log. Some trash should be gone but there will be quite a bit left that needs to go.
     
    Newt,
    #7
  9. 2004/09/18
    dude1234

    dude1234 Inactive Thread Starter

    Joined:
    2004/09/17
    Messages:
    9
    Likes Received:
    0
    Logfile of HijackThis v1.98.2
    Scan saved at 23:47:26, on 18/09/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
    C:\WINDOWS\System32\IEHost.exe
    C:\PROGRA~1\INTERN~2\inetmgr.exe
    C:\PROGRA~1\INTERN~2\inetsvc.exe
    C:\Program Files\Shareaza\Shareaza.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\Yahoo!\browser\ybrowser.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\New Folder\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:mad:MSITStore:C:\spe\start.chm::/start.html#
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:mad:MSITStore:C:\spe\start.chm::/start.html#
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
    O2 - BHO: Browser - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~2\inetkw.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {8E718888-423F-11D2-876E-00A0C9082467} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [Microsoft Update Time] wuam.exe
    O4 - HKLM\..\Run: [Windows Service Pack2] win43.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [KQ] C:\documents and settings\carly\local settings\temp\KQ.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe
    O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\znhsrfmh.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [msbb] c:\docume~1\domenico\locals~1\temp\msbb.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Time] wuam.exe
    O4 - HKLM\..\RunServices: [Windows Service Pack2] win43.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra button: Corel Network monitor worker - {C4AB3254-ADA0-4330-BD44-537C37F3580D} - (no file)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {C4AB3254-ADA0-4330-BD44-537C37F3580D} - (no file)
    O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - WWW Prefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - Home Prefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=15&q=
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1092946024916
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{07487384-FBC2-4177-A698-F68563541A7A}: NameServer = 194.72.9.55 194.74.65.86
    O17 - HKLM\System\CS1\Services\Tcpip\..\{07487384-FBC2-4177-A698-F68563541A7A}: NameServer = 194.72.9.55 194.74.65.86
     
    dude1234,
    #8
  10. 2004/09/18
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Uninstall P2P Networking through Add/Remove Programs.While off line. If/when asked whether you also want to remove Altnet components, say 'Yes'. P2P Networking is a totally useless Kazaa add-on, and it's been reported to be responsible for serious system slowdowns.
    Then delete the P2P Networking folder in C:\Windows\System, if still there.
    and the allthenet folder to,C:\Program Files\Altnet

    I suggest you also uninstall Kazaa, and any others that are not noted as
    being spyware free in this acticle
    http://www.spywareinfo.com/articles/p2p/ <Link is temporaraly down.
    there are better free programs out there.

    Set windows to show hidden file's, folder and extensions
    >click here for instructions<.

    Fist Download, CWShredder 1.59.1
    http://www.net-integration.net/tools/hijackthis.html#cwshredder <<from there If you already have it, just download another copy and overwrite the old one..To ensure its the latest version.
    Dont use it just yet

    Start Hijackthis and place a check next to these items,
    Close all browser windows and shut down all other programs that show in the taskbar. (even Folders) Then Hit fix checked.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:mad:MSITStore:C:\spe\start.chm::/start.html#
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/...arch.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...fo/bt_side.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=15&q=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:mad:MSITStore:C:\spe\start.chm::/start.html#
    O2 - BHO: Browser - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~2\inetkw.dll
    O3 - Toolbar: (no name) - {8E718888-423F-11D2-876E-00A0C9082467} - (no file)
    O4 - HKLM\..\Run: [Microsoft Update Time] wuam.exe
    O4 - HKLM\..\Run: [Windows Service Pack2] win43.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [KQ] C:\documents and settings\carly\local settings\temp\KQ.exe
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe
    O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\znhsrfmh.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
    O4 - HKLM\..\Run: [msbb] c:\docume~1\domenico\locals~1\temp\msbb.exe
    O4 - HKLM\..\RunServices: [Microsoft Update Time] wuam.exe
    O4 - HKLM\..\RunServices: [Windows Service Pack2] win43.exe
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra button: Corel Network monitor worker - {C4AB3254-ADA0-4330-BD44-537C37F3580D} - (no file)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {C4AB3254-ADA0-4330-BD44-537C37F3580D} - (no file)
    O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - WWW Prefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - Home Prefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=15&q=
    O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=15&q=
    ====================
    Reboot preferable into safe mode
    Start into safe mode


    Run Cwsredder click fix .


    Find and delete only these exact files and folders, spelling counts !!
    C:\PROGRAM FILES\INTERNET KEYWORD
    C:\WINDOWS\System32\znhsrfmh.exe
    C:\WINDOWS\System32\dp-him.exe
    C:\WINDOWS\System32\SearchBar.htm
    C:\WINDOWS\System32\IEHost.exe
    C:\spe
    do a file search for > wuam.exe win43.exe and delete them.
    Important Clear IE's cache via control panel internet options [delete files] button and mark the popup to also delete offline content
    Provided you have just restarted, delete the contents of all your
    temp folders, as in. Open C:\ then >
    C:\documents and settings\(all your pc users)\local settings\temp
    Note: Some systems have temporary internet files, Application Data and History in that temp, if so leave them and delete all other folders and files inside that temp..and the contents of the C:\windows\temp folder

    Now while still in safe mode run you ativirus program again

    Restart back to normal and when back post a new hijackthis log
     
    Lonny Jones,
    #9
  11. 2004/09/19
    dude1234

    dude1234 Inactive Thread Starter

    Joined:
    2004/09/17
    Messages:
    9
    Likes Received:
    0
    i cant download cw shredder. i click on the link and it says the page is under construction then it says go to our mirror site. i do that and then when i click on cw shredder it goes to the download page. i click download then it goes back to the homepage.
     
    dude1234,
    #10
  12. 2004/09/19
    dude1234

    dude1234 Inactive Thread Starter

    Joined:
    2004/09/17
    Messages:
    9
    Likes Received:
    0
    ok ive got cw shredder now
     
    dude1234,
    #11
  13. 2004/09/19
    dude1234

    dude1234 Inactive Thread Starter

    Joined:
    2004/09/17
    Messages:
    9
    Likes Received:
    0
    Logfile of HijackThis v1.98.2
    Scan saved at 14:10:29, on 19/09/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Norton Internet Security\ccPxySvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Documents and Settings\Domenico\My Documents\hijackthis\HijackThis.exe
    C:\WINDOWS\System32\wuauclt.exe

    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0.dll
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1092946024916
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
     
    dude1234,
    #12
  14. 2004/09/19
    dude1234

    dude1234 Inactive Thread Starter

    Joined:
    2004/09/17
    Messages:
    9
    Likes Received:
    0
    yay my net is back to normal thanks alot!!!!!! :D is there anything else i have to delete or is there anything else you would recomend that i do so i dont get any infections like this again?
     
    dude1234,
    #13
  15. 2004/09/19
    dobhar Lifetime Subscription

    dobhar Inactive

    Joined:
    2002/05/24
    Messages:
    924
    Likes Received:
    3
    dude1234...

    Glad the guys got you clean....they do a great job here... :D

    I would recommend that you run a couple extra pieces of software...

    - SpywareBlaster => A free tool that helps prevents spyware from installing. Make sure you check for updates every few weeks.
    - IE-SPYAD => adds a long list of sites and domains associated with known advertisers, marketers, and crapware pushers to the Restricted sites zone of Internet Explorer. Check page for updates every few weeks.

    I would recommend running online Virus and Trojan scans every few weeks also.

    Some links for Online scanners...
    - RAV
    - Housecall
    - Trojan Scan
    - X-Cleaner => Unfortunately SpywareInfo page is under contruction
     
    dobhar,
    #14
  16. 2004/09/19
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Lonny Jones,
    #15
  17. 2004/09/19
    dude1234

    dude1234 Inactive Thread Starter

    Joined:
    2004/09/17
    Messages:
    9
    Likes Received:
    0
    thanks guys i have downloaded them 2 programs and the host files.my comp is working fine.how did my browser get hijacked anyway?its only just come back from repair for having too many viruses.thanks once again!!!!! :D
     
    dude1234,
    #16
  18. 2004/09/19
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Who knows, usualy its from either not having all updates, visiting unfavorable websits or installing a programs with extra packages., i must not forget opening attachments in emails and even just viewing those that you dont know who sent them.


    Now that things are cleaned up flush system restore
    Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

    Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.
    Then Reboot.
    Turn ON System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check Turn off System Restore.
    Click Apply, and then click OK.
     
    Lonny Jones,
    #17
Thread Status:
Not open for further replies.

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...