Tech Support banner

Status
Not open for further replies.
1 - 3 of 3 Posts

·
Registered
Joined
·
52 Posts
Discussion Starter · #1 ·
ive been having a lot of problems with my computer i get way more pop ups than i usually should and things just move so much slower, i cant stand it anymore i did what u guys told me to so im posting my result.txt here it is please help as soon as possible

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 9:53:17 AM, on 11/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\WINDOWS\System32\lockx.exe
C:\Program Files\Common Files\AOL\1124315544\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1124315544\ee\AOLServiceHost.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\Program Files\Common Files\AOL\1124315544\ee\AOLServiceHost.exe
C:\Documents and Settings\David Sifuentes\Desktop\Danny's Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhfc.dll
O2 - BHO: XBTP07618 - {2296428D-C133-4928-B76A-A200FF409572} - C:\PROGRA~1\FREEPR~1\tbu00193\freeprod.dll
O2 - BHO: C:\WINDOWS\lbbho.dll - {4231A47C-DEEC-4A0F-B642-0FF661724380} - C:\WINDOWS\lbbho.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_98.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - (no file)
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\System32\sstts.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,[email protected]
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124315544\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [freestyle] lockx.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~3.DLL,ClientStartup -s
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\RunServices: [freestyle] lockx.exe
O4 - HKCU\..\Run: [sdpblb] C:\WINDOWS\System32\sdpblb.exe
O4 - HKCU\..\Run: [freestyle] lockx.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000166.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [qwmi] C:\PROGRA~1\COMMON~1\qwmi\qwmim.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O20 - AppInit_DLLs: repairs302972961.dll
O20 - Winlogon Notify: jkhfc - C:\WINDOWS\SYSTEM32\jkhfc.dll
O20 - Winlogon Notify: sstts - C:\WINDOWS\System32\sstts.dll
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbtcoms.exe


End of KRC HijackThis Analyzer Log.
====================================================================
 

·
Registered
Joined
·
3,100 Posts
Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply.

Please be patient with me during this time.
 

·
Registered
Joined
·
3,100 Posts
Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Viewing Hidden Files
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Downloads
VundoFix.exeDouble-click VundoFix.exe to extract the files
LSPFix- Save it to a permanent folder. It is highly unlikely that you will need this program, but it is important to have it on hand in case you do. There is a very small chance that after removing New.Net, you may lose your internet connection. If this occurs, close all windows and run the LSPfix tool that you downloaded. Check "I know what I'm doing" and select all entries related to New.Net. Then click >> and remove all entries related to New.Net. Click "Finished".

BFU-Download and unzip to it’s own folder. Run the program and click the Web button as shown here:


Use this URL to copy into the address bar of the Download script window:
http://downloads.subratam.org/BFUscripts/igetnetfreepod.BFU <<< To get the full address, click the link and copy the address from the address bar of your browser.

Execute the script by clicking the Execute button.

If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html


Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Running Processes and Add/Remove
Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (If they still exist)(You must kill them one at a time).
C:\WINDOWS\System32\lockx.exe

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:
Surf Sidekick
New.Net or NewDotNet
Freeprod Toolbar


Tools
Open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this
    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....
  • At this point press enter one time.
  • Next you will see:
    Please Type in the filepath as instructed by the forum staff
    and then press enter:
  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\sstts.dll
  • Press Enter to continue with the fix.
  • Next you will see:
    Please type in the second filepath as instructed by the forum
    staff then press enter:
  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\sttss.*
  • PressEnter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:
    • R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = :0
      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
      R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
      R3 - URLSearchHook: (no name) - _{EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
      R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
      O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkhfc.dll
      O2 - BHO: XBTP07618 - {2296428D-C133-4928-B76A-A200FF409572} - C:\PROGRA~1\FREEPR~1\tbu00193\freeprod.dll
      O2 - BHO: C:\WINDOWS\lbbho.dll - {4231A47C-DEEC-4A0F-B642-0FF661724380} - C:\WINDOWS\lbbho.dll
      O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_98.dll
      O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
      O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - (no file)
      O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\System32\sstts.dll
      O4 - HKLM\..\Run: [freestyle] lockx.exe
      O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~3.DLL,ClientStartup -s
      O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
      O4 - HKLM\..\RunServices: [freestyle] lockx.exe
      O4 - HKCU\..\Run: [sdpblb] C:\WINDOWS\System32\sdpblb.exe
      O4 - HKCU\..\Run: [freestyle] lockx.exe
      O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000166.exe
      O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
      O4 - HKCU\..\Run: [qwmi] C:\PROGRA~1\COMMON~1\qwmi\qwmim.exe
      O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...tup1.0.0.15.cab
      O20 - AppInit_DLLs: repairs302972961.dll
      O20 - Winlogon Notify: jkhfc - C:\WINDOWS\SYSTEM32\jkhfc.dll
      O20 - Winlogon Notify: sstts - C:\WINDOWS\System32\sstts.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program

File and Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
C:\WINDOWS\System32\lockx.exe
C:\Program Files\SurfSideKick 3
C:\Program Files\NewDotNet
C:\WINDOWS\System32\sdpblb.exe
C:\Program Files\Common Files\Windows\mc-110-12-0000166.exe
C:\Program Files\Common Files\qwmi
C:\WINDOWS\system32\jkhfc.dll
repairs302972961.dll <<<Do a search and delete this file

Reboot your system in Normal Mode

Vundofix will create a log called Vundofiles.txt in the Vundofix folder. Please post the contents of that file in your next reply.

Online Scans
Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan


In your next post please include:
  • Vundofiles.txt
  • Panda Activescan Log
  • A new Hijackthis! Log
 
1 - 3 of 3 Posts
Status
Not open for further replies.
Top