Resolved HJT Threads Resolved spyware and popup issues.

 
 
Old 10-06-2005, 12:01 AM   #1 (permalink)
Registered User
 
Join Date: Oct 2005
Posts: 5
OS: W2000SP4


Please need help to get off of: Default_Page_URL = http://195.95.218.172/index.php

Hello, and let me first say that so far I am new to the Techsupportforum...

but I have read >Please, Read This Before Posting A Hijackthis Log.<

And I followed the help in a closed thread, >If you have some time -- please help<, but could not solve my problem.

I have downloaded the necessary programs described in that thread and followed this thread's help step by step, but I don't have any clue what to do when it comes to: >Then run >HijackThis< again, close any open windows and browsers and fix these:<

The >HijackThis< list published in the thread is different from my result running >HijackThis< on my computer.

Nevertheless I fixed all entries which obviously had to do with 195.95.218.172/index (first six lines of my logfile) and proceeded with Run CleanUp! and let it clean my computer of temp files.

After that I ran >HijackThis< again in safe mode and got Explorer\Main,Default_Page_URL = about:blank.

I was happy, because it seemed to be solved, but after restarting my computer into normal mode I had the same default page 195.95.218.172/index in my IE.

So I am assuming now that after running >HijackThis< I did not fix all that needed to be fixed.

If someone would please be so helpful and tell me what out of my >HijackThis< list needs to be fixed, this would be great.

Saludos Walter
Please excuse my English spelling: I am German living in Costa Rica, but any helpful answer in English would be appreciated.

And that's my logfile after I followed the thread >showthread.php?t=65572< again until running >HijackThis<:

Logfile of HijackThis v1.99.1
Scan saved at 22:39:53, on 05.10.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NVMixerTray] "C:\Programme\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Programme\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [F-StopW] C:\Programme\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ThrustTSR] C:\Programme\Thrustmaster\Thrustmapper\TMTMTSR.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [KhshSrv32] C:\WINNT\khshsrv.exe
O4 - HKLM\..\Run: [PayTime] C:\WINNT\system32\paytime.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Skype] "C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PayTime] C:\WINNT\system32\paytime.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Google-Suche - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://c:\programme\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programme\Yahoo!\Messenger\yhexbmesde.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programme\Yahoo!\Messenger\yhexbmesde.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Recherche-Assistent - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15012/CTSUEng.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programme\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15012/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6DE25741-C1F6-4A63-BDEE-85BEF5ACA34A}: NameServer = 208.133.206.44,208.133.206.59
O17 - HKLM\System\CS1\Services\Tcpip\..\{6DE25741-C1F6-4A63-BDEE-85BEF5ACA34A}: NameServer = 208.133.206.44,208.133.206.59
O17 - HKLM\System\CS2\Services\Tcpip\..\{6DE25741-C1F6-4A63-BDEE-85BEF5ACA34A}: NameServer = 208.133.206.44,208.133.206.59
O20 - Winlogon Notify: style2 - C:\WINNT\q5451640.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.EXE
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Programme\TightVNC\WinVNC.exe" -service (file missing)
techwal is offline  

Old 10-06-2005, 12:26 AM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,473
OS: N/A


Hello and Welcome to TSF!

Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in the same directory as the HiJackThis program.

CleanUp.exe - Install.

KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)

CWShredder.exe
  1. Open CWShredder and click - I AGREE
  2. Click - Check For Update
  3. Close CWShredder after updating
hjtrun.zip
From within hjtrun.zip, double-click on hjtrun.bat


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


This webpage will not be available when you're carrying out the fix. Please save the following instructions in Notepad. I have customized my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Restart your computer.
HijackThis will open before the desktop loads; scan and fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
O4 - HKLM\..\Run: [KhshSrv32] C:\WINNT\khshsrv.exe
O4 - HKLM\..\Run: [PayTime] C:\WINNT\system32\paytime.exe
O4 - HKCU\..\Run: [PayTime] C:\WINNT\system32\paytime.exe
O20 - Winlogon Notify: style2 - C:\WINNT\q5451640.dll


Then close HJT & Windows will continue to load your Desktop.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folder
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following files:
  • C:\WINNT\khshsrv.exe
  • C:\WINNT\system32\paytime.exe
  • C:\WINNT\q5451640.dll

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


REBOOT TO NORMAL MODE

Perform an online scan with Internet Explorer at one of the following sites. Take note of the names and locations of any file it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


In your next post, please include fresh logs from:
  1. HiJackThis
  2. Online scan
  3. Antispyware.log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
__________________

Question - what have you done for the community today?
sUBs is offline  
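The reply above does by eye what a small triage script can do mechanically: walk the R0/R1, O4 and O20 entries of a HijackThis log and pull out the ones that point at a raw IP start page, a file dropped straight into the Windows directory, or a Winlogon Notify DLL with a throwaway name. The script below is an added example written for this page, not code from the thread or from HijackThis; the sample log is a constructed subset of the entries quoted above, the rule names and the "file in the Windows root" heuristic are my own assumptions, and CASE_INDICATORS is just the three file names the helper listed.

```python
from __future__ import annotations
import re
from typing import Callable, NamedTuple

# Constructed sample: a handful of the HijackThis entries quoted in this thread,
# mixed with benign ones, so the rules below have something to sort.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [KhshSrv32] C:\WINNT\khshsrv.exe
O4 - HKLM\..\Run: [PayTime] C:\WINNT\system32\paytime.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O20 - Winlogon Notify: style2 - C:\WINNT\q5451640.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
"""

# File names the helper in this thread told the poster to remove (case indicators).
CASE_INDICATORS = frozenset({"khshsrv.exe", "paytime.exe", "q5451640.dll"})

class Entry(NamedTuple):
    section: str   # HijackThis section code, e.g. "R0", "O4", "O20"
    body: str      # the text after "<section> - "

class Finding(NamedTuple):
    rule: str
    entry: Entry

ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
# URL whose host is a bare dotted-quad IP rather than a name.
RAW_IP_URL = re.compile(r"^https?://(?:\d{1,3}\.){3}\d{1,3}(?:[/:]|$)", re.IGNORECASE)
# Executable or DLL sitting directly in the Windows directory (not a subfolder);
# an assumed heuristic: legitimate installers rarely drop files there.
WINDIR_ROOT_FILE = re.compile(r"^[A-Za-z]:\\WIN(?:NT|DOWS)\\[^\\]+\.(?:exe|dll)$", re.IGNORECASE)
# DLL named "q<digits>.dll", the naming pattern of the downloader seen in this case.
Q_DIGITS_DLL = re.compile(r"\\q\d+\.dll$", re.IGNORECASE)

def parse_hjt(log_text: str) -> list[Entry]:
    """Return the R*/O* entries of a HijackThis log, skipping the header and process list."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries

def registry_value(entry: Entry) -> str:
    """The data part of an R0/R1 line ('... = http://...')."""
    return entry.body.split(" = ", 1)[1] if " = " in entry.body else ""

def run_target(entry: Entry) -> str:
    """The program path of an O4 Run line, with or without surrounding quotes."""
    after = entry.body.split("] ", 1)[1] if "] " in entry.body else ""
    if after.startswith('"'):
        return after[1:].split('"', 1)[0]
    return after.split(" ", 1)[0]

RULES: dict[str, Callable[[Entry], bool]] = {
    "ie_page_points_at_raw_ip": lambda e: e.section in ("R0", "R1") and bool(RAW_IP_URL.match(registry_value(e))),
    "run_key_file_in_windir_root": lambda e: e.section == "O4" and bool(WINDIR_ROOT_FILE.match(run_target(e))),
    "winlogon_notify_q_digits_dll": lambda e: e.section == "O20" and bool(Q_DIGITS_DLL.search(e.body)),
}

def triage(log_text: str, indicators: frozenset[str] = frozenset()) -> list[Finding]:
    """Apply the heuristic rules plus a case-specific file-name list to every entry."""
    findings = []
    for entry in parse_hjt(log_text):
        for name, rule in RULES.items():
            if rule(entry):
                findings.append(Finding(name, entry))
        if any(ioc in entry.body.lower() for ioc in indicators):
            findings.append(Finding("matches_case_indicator", entry))
    return findings

def fix_list(findings: list[Finding]) -> list[str]:
    """Distinct log lines to fix, in log order, in the form HijackThis prints them."""
    seen: dict[str, None] = {}
    for f in findings:
        seen.setdefault(f"{f.entry.section} - {f.entry.body}", None)
    return list(seen)

if __name__ == "__main__":
    for line in fix_list(triage(SAMPLE_LOG, CASE_INDICATORS)):
        print("FIX:", line)
```

On the sample log the script produces exactly the R0/R1, O4 and O20 lines the helper listed, and leaves the ProxyOverride, toolbar and NVIDIA entries alone; the `ProxyOverride = localhost` line is skipped because its value is not a URL at all. The heuristics only narrow the list; a human still decides whether an unfamiliar Run entry belongs to an installed product.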
Old 10-06-2005, 04:16 PM   #3 (permalink)
Registered User
 
Join Date: Oct 2005
Posts: 5
OS: W2000SP4


Could Not Perform Everything In The Right Order

Hi and Thank You so much for the fast response:

You wrote: >Please download these additional files/programs. Do not run them until instructed to do so. <

I downloaded the recommended files, but working step by step through the list I found no advice when to run >KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)<

So I proceeded in safe mode with >From within hjtrun.zip, double-click on hjtrun.bat< and after that I ran >Hijackthis< and it opened before the desktop loaded. I scanned and fixed the entries mentioned in Your answer.

When it came to deleting the three files I could only delete two of them. I could not delete >C:\WINNT\q5451640.dll< because Windows said "Unable to delete this file because it is in use". I also could not rename and then delete it.

So I proceeded with Run Cleanup!

I REBOOTED TO NORMAL MODE and started my IE to proceed with the Panda ActiveScan, which is still running while I write this.

Starting IE showed a blank site... which is good so far.

I only have a dial-in here in Costa Rica to my ISP, so it will for sure take a long time until Panda ActiveScan is ready.

Please advise me whether I should proceed with the rest of Your helpfile or do I have to take care first of the not deletable >C:\WINNT\q5451640.dll<??

Saludos Walter
techwal is offline  
Old 10-06-2005, 04:26 PM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,473
OS: N/A


I have to apologise. I just realised my mistake. Killbox isn't needed at the moment.

I also noticed that I had you download CWShredder without running it. Please run CWShredder now.

With regards to the Panda scan, you needn't remain online after you click 'My Computer' & the scan starts running. However, you will need to reconnect to Panda after finishing to have the results analysed.
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 10-06-2005, 06:32 PM   #5 (permalink)
Registered User
 
Join Date: Oct 2005
Posts: 5
OS: W2000SP4


Here are the requested log files

OK, looks like that with Your help we are almost done. I appreciate it. Thanks.

I ran CWShredder, but it did not find anything.

And as follows the logs You requested:

1. HiJackTHis
2. OnlineScan with ActiveScan
3. Antispyware.log from the second run

1.
Logfile of HijackThis v1.99.1
Scan saved at 18:22:19, on 06.10.2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\system32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\Explorer.EXE
C:\Programme\D-Tools\daemon.exe
C:\Programme\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Programme\FSI\F-Prot\F-StopW.EXE
C:\Programme\QuickTime\qttask.exe
C:\Programme\Thrustmaster\Thrustmapper\TMTMTSR.exe
C:\WINNT\system32\internat.exe
C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
F:\DATENEINGANG\UO\perfping\perfping.exe
C:\Programme\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\cidaemon.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Programme\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NVMixerTray] "C:\Programme\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Programme\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [F-StopW] C:\Programme\FSI\F-Prot\F-StopW.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ThrustTSR] C:\Programme\Thrustmaster\Thrustmapper\TMTMTSR.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Programme\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Google-Suche - res://c:\programme\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Ins Deutsche übersetzen - res://c:\programme\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programme\Yahoo!\Messenger\yhexbmesde.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programme\Yahoo!\Messenger\yhexbmesde.dll
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Recherche-Assistent - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15012/CTSUEng.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programme\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15012/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6DE25741-C1F6-4A63-BDEE-85BEF5ACA34A}: NameServer = 208.133.206.44,208.133.206.59
O17 - HKLM\System\CS1\Services\Tcpip\..\{6DE25741-C1F6-4A63-BDEE-85BEF5ACA34A}: NameServer = 208.133.206.44,208.133.206.59
O17 - HKLM\System\CS2\Services\Tcpip\..\{6DE25741-C1F6-4A63-BDEE-85BEF5ACA34A}: NameServer = 208.133.206.44,208.133.206.59
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.EXE
O23 - Service: Verwaltungsdienst für die Verwaltung logischer Datenträger (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Programme\TightVNC\WinVNC.exe" -service (file missing)

2.

Incident Status Location

Virus:Eicar.Mod No disinfected C:\Programme\FSI\F-Prot\fpav-help.chm[prob-scan-ok.html]
Virus:Eicar.Mod No disinfected C:\Programme\InstallShield Installation Information\{9FD12630-1991-46F5-8479-92DE1EAE87DA}\data1.cab[fpav-help.chm][prob-scan-ok.html]
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\bad_q5451640.zip[q5451640.dll]
Virus:Trj/Banker.AWX Disinfected C:\WINNT\de.exe
Virus:Trj/Qhost.CG Disinfected C:\WINNT\hosts
Virus:Trj/Banker.AWB Disinfected C:\WINNT\kl.exe
Adware:Adware/CWS.Searchmeup No disinfected C:\WINNT\loadnew.exe
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q10282781.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q10448359.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q11482812.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q12682843.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q13882875.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q1432125.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q15082937.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q16282953.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q17482984.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q1851312.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q18683015.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q1882500.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q19883046.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q2035921.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q21083078.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q22283093.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q23483125.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q24683156.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q25883187.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q27083203.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q28283234.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q29483250.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q30683343.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q3082531.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q31883359.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q33083390.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q34283406.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q35483437.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q36683484.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q37883531.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q39083515.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q41483546.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q4251578.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q42686921.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q4282562.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q43889531.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q4436015.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q45092375.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q46295078.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q47497875.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q48701250.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q49904359.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q51106437.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q52309000.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q5451640.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q5482593.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q5638000.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q651187.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q6682718.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q682406.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q6840421.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q7882765.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q8042765.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q9082765.dll
Virus:Trj/Downloader.FFD Disinfected C:\WINNT\q9245593.dll
Virus:Trj/Qhost.CG Disinfected C:\WINNT\system32\drivers\etc\hosts.bak
Possible Virus. No disinfected F:\DATENEINGANG\INTRACOM\nmsetup2_19_5\Win2k\nMconfig.exe
Possible Virus. No disinfected F:\DATENEINGANG\INTRACOM\nmsetup2_19_5\Win98\nMconfig.exe
Possible Virus. No disinfected F:\DATENEINGANG\INTRACOM\nmsetup2_19_5\Win98SE\nMconfig.exe
Possible Virus. No disinfected F:\DATENEINGANG\INTRACOM\nmsetup2_19_5.zip[nMconfig.exe]
Possible Virus. No disinfected F:\DATENEINGANG\INTRACOM\nm_win2k_xp.zip[nMconfig.exe]
Virus:W32/Mytob.JE.worm Disinfected Walter\Posteingang\Internet und Programme\Luxline\Your new account password is approved\accepted-password.zip[accepted-password.doc .exe]
Virus:W32/Mytob.JE.worm Disinfected Walter\Posteingang\Internet und Programme\Luxline\Your password has been successfully updated\accepted-password.zip[accepted-password.doc .exe]
Virus:W32/Mytob.JE.worm Disinfected Walter\Posteingang\Internet und Programme\Luxline\Important Notification\account-report.zip[account-report.doc .pif]
Virus:W32/Mytob.JE.worm Disinfected Walter\Posteingang\Internet und Programme\Luxline\You have successfully updated your password\accepted-password.zip[accepted-password.htm .scr]
Virus:W97M/Marker.AO Disinfected Walter\Gesendete Objekte\Internic und Domaenen\Fw: Benachrichtigung: Fehler bei eingehenden Nachrichten \Dorint Budget Hotel Wien\Renovierungsarbeiten.doc

3.
Started Scanning
Internet Cookies
Found 'tribalfusion.com' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Internet URL Shortcuts
Files and Directories
Found 'winmx331.exe' in 'I:\Install\UNSORT'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Checking for 'I:\Install\UNSORT\winmx331.exe' in shortcut areas.
Checking for 'I:\Install\UNSORT\winmx331.exe' in startup areas.
Cleaning 'I:\Install\UNSORT\winmx331.exe'
Finished Cleaning
Started Scanning
Internet Cookies
Found 'tribalfusion.com' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Internet URL Shortcuts
Files and Directories
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Finished Cleaning
Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Internet URL Shortcuts
Files and Directories
Finished Scanning

OK and some last questions to avoid future threads....

4. I have another System running which - from what I know by now - seems not to be infected...., but who knows.

What programs would You recommend to run to find out and clean it in case it needs to be cleaned?

I have Norton Firewall and Antivirus running and frequently run Ad-Aware SE Personal and Spybot - Search & Destroy too.

5. After such a clean is done and both systems are fine and clean again, what programs would You recommend to prevent......?

Saludos Walter
techwal is offline  
Old 10-06-2005, 06:42 PM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,473
OS: N/A


It appears that Panda took care of all but one of your infections.
Please delete this file - C:\WINNT\loadnew.exe


Now that your system is clean, please follow these simple steps in order to keep your computer clean and secure:

  1. DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Untick - Show hidden files and folder
    • Tick - Hide file extensions for known types
    • Tick - Hide protected operating system files
    Click Yes to confirm & then click OK


  2. SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
    • Select the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Select Custom Level .
        • Change 'Download signed ActiveX controls' to Prompt
        • Change 'Download unsigned ActiveX controls' to Disable
        • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
        • Change 'Installation of desktop items' to Prompt
        • Change 'Launching programs and files in an IFRAME' to Prompt
        • Change 'Navigate sub-frames across different domains' to Prompt
        • When all these changes have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Select OK to exit the Internet Properties page.


  3. ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  4. FIREWALL
    Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. A tutorial on firewalls and a listing of some available ones can be found here.


  5. Microsoft Windows Update
    Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  6. SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here


  7. AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here


  8. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here


  9. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here


  10. MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. It can be downloaded here - MVPS Hosts file
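The same file that blocks ad sites by pointing them at 127.0.0.1 is also a favourite hijack target, which is why HijackThis lists hosts-file redirects as O1 entries. The following is an added example, not part of the forum post or of the MVPS project: a Python audit that separates block entries from redirects that send a name off the machine, using a constructed sample file and an assumed BLOCK_TARGETS set.

```python
"""Audit a HOSTS file in the spirit of step 10 (and of HijackThis 'O1' lines).

Added example, not part of the forum post or of the MVPS hosts project.
BLOCK_TARGETS and the sample file are assumptions constructed for the demo.
"""
import ipaddress

# Addresses a blocklist hosts file points unwanted names at: traffic to them
# never leaves the machine, which is how the MVPS file blocks ad servers.
BLOCK_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: MVPS-style block entries plus two hijacked lines.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1 localhost
127.0.0.1 ads.tracker.example         # blocked ad server
0.0.0.0   banner.adnet.example popup.adnet.example
195.95.218.172 www.windowsupdate.com  # update site sent to the hijacker's host
10.0.0.5 localhost
not-an-address garbage
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments, blanks and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            yield ip, name.lower()


def audit_hosts(text):
    """Sort entries into names the file blocks and redirects that need review.

    A redirect is any name sent somewhere other than a block target (including
    'localhost' itself pointed off the machine); that is how a hijacker keeps a
    victim away from update or anti-malware sites, and what HijackThis reports
    as an O1 entry."""
    blocked, redirects = [], []
    for ip, name in parse_hosts(text):
        if ip in BLOCK_TARGETS:
            if name != "localhost":
                blocked.append(name)
        else:
            redirects.append((name, ip))
    return {"blocked": blocked, "redirects": redirects}
```

Run `audit_hosts(open(r"C:\WINNT\system32\drivers\etc\hosts").read())` on a Windows 2000 box (path as on that OS) and review every entry in `redirects`.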

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • Weather Watcher - Free taskbar weather program that is free, malware free, and resource light.

  • Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • Google Toolbar - Get the free google toolbar to help stop pop up windows.

  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.


    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________

Question - what have you done for the community today?
Old 10-06-2005, 09:22 PM   #7 (permalink)
Registered User
 
Join Date: Oct 2005
Posts: 5
OS: W2000SP4


Thank You problem resolved

Thank You very much for the help I appreciated the smooth and fast response.

If you appreciate the help we gave & would like to reciprocate,
kindly consider making a small contribution to Tech Support Forum: Yes I would like to, but sending such contribution by snail mail from Costa Rica to the US and withdrawing such foreign check in the states..... such a contribution would be devoured by the banks.

Please let me know about PayPal account. If You don't have, again Thank You very much.

Saludos Walter
Old 10-06-2005, 09:30 PM   #8 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
Join Date: May 2005
Posts: 24,473
OS: N/A


Please click here to go to the TSF donations page.
Then click on the "Make a donation" for paypal details.

On behalf of TSF, I thank you for your kind support.
__________________

Question - what have you done for the community today?
Old 10-07-2005, 10:06 AM   #9 (permalink)
Registered User
 
Join Date: Oct 2005
Posts: 5
OS: W2000SP4


OK done You can close the thread

Thanks for sending me the PayPal account. I appreciate it. Again Thanks for Your Help y
Saludos Walter
Copyright 2001 - 2009, Tech Support Forum