Posted 05-25-2005, 07:22 AM   #23
dragonballfan
Member
 
Join Date: Apr 2005
Posts: 23
OS: 2000


Quote:
Originally Posted by Ried
Go to c:\winnt\system32\drivers\etc and open the hosts file (no extension) in Notepad. There should be a bunch of lines with a # in front of them followed by a single line like:

127.0.0.1 localhost

If you have anything after that, please post them here.
That's the hosts thing I was talking about. When I did that, Notepad was blank.

Here's the new findit log:

Microsoft Windows 2000 [Version 5.00.2195]
The current date is: Wed 05/25/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Don't delete files in this section without guidance
If in any doubt, back them up first


»»»»» Legitimate files can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is CCFB-26C6

Directory of C:\WINNT\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is CCFB-26C6

Directory of C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»».



And here's the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:12:55 AM, on 5/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Browser MOUSE\mouse32a.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.1\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: 6th Street Omaha Poker by pogo - http://game1.pogo.com/applet-6.2.2.5...-ob-assets.cab
O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.2.2.5...-ob-assets.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-6.2.2.5...-ob-assets.cab
O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.2.2.5...-ob-assets.cab
O16 - DPF: Keno by pogo - http://game1.pogo.com/applet-6.2.2.5...-ob-assets.cab
O16 - DPF: Pinochle by pogo - http://game1.pogo.com/applet-6.2.2.5...-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.2.2.5...-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-6.2.2.5...-ob-assets.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1...datePortal.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe


End of KRC HijackThis Analyzer Log.
====================================================================
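The check Ried asks for in the quote above (open the hosts file, confirm that nothing follows the `127.0.0.1 localhost` line) is easy to automate, and doing so also handles the case reported in this post, where the file came up blank. The example below is added here by the editor and is not code from the thread or from either poster. It parses hosts-file text the way the resolver does (leading and inline `#` comments ignored, several hostnames allowed per line), treats the stock `localhost` mappings as expected, and reports two kinds of hijack: a hostname blackholed to a loopback address (the usual way malware blocks antivirus and update sites) and a hostname pointed at some other address (pharming). A file with no entries at all is reported as a finding rather than a clean result, because, as Ried's quote notes, the stock Windows file is not blank; it has a comment header and the localhost line. The function names, the sample hosts contents and the `.test` domains are all constructed for this example.

```python
"""Hosts-file hijack check. Added example for this thread, not code from the original post.

Sample hosts contents below are constructed; hostnames use the reserved .test TLD.
"""
import ipaddress
from typing import List, Tuple

# Mappings present in a stock hosts file; anything else is worth a look.
# ::1 is not in the Windows 2000 file but is in later Windows releases.
DEFAULT_ENTRIES = {
    ("127.0.0.1", "localhost"),
    ("::1", "localhost"),
}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, one per hostname, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no hostname is ignored by the resolver as well
        address, names = fields[0], fields[1:]
        for name in names:
            entries.append((address, name.lower()))
    return entries


def audit_hosts(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the file matches the stock content."""
    findings = []
    entries = parse_hosts(text)
    if not entries:
        # The stock file always maps localhost, so "no entries" is itself suspicious:
        # either the file was emptied or a different (wrong) file was opened.
        findings.append(
            "hosts file contains no entries at all; the stock file maps localhost, "
            "so confirm the right file (no extension) was opened"
        )
        return findings
    for address, name in entries:
        if (address, name) in DEFAULT_ENTRIES:
            continue
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append(f"malformed address {address!r} for {name}")
            continue
        if addr.is_loopback:
            findings.append(
                f"{name} is blackholed to loopback ({address}); "
                "typical of malware blocking antivirus or update sites"
            )
        else:
            findings.append(f"{name} is redirected to {address}; possible pharming")
    return findings


# Constructed sample files (not taken from the poster's machine).
STOCK_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#      102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
"""

HIJACKED_HOSTS = """\
# header comment retained by the hijacker
127.0.0.1       localhost
127.0.0.1       update.example-antivirus.test   # blackholed
10.20.30.40     www.example-bank.test
"""

BLANK_HOSTS = ""


if __name__ == "__main__":
    for label, text in (("stock", STOCK_HOSTS), ("hijacked", HIJACKED_HOSTS), ("blank", BLANK_HOSTS)):
        print(f"[{label}]")
        for finding in audit_hosts(text) or ["no findings"]:
            print("  ", finding)
```

To use it against a real machine, read `C:\WINNT\system32\drivers\etc\hosts` (Windows 2000 path, as in the quote) and pass the text to `audit_hosts`. HijackThis reports hosts-file redirections as `O1` lines; the log above has none, which is consistent with the file having no entries beyond the default, but it does not explain why the file itself came up blank rather than showing the stock comment header, so the empty-file finding is worth following up.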