Registered · 52 Posts · Discussion Starter #1
Hello for the 1st time about HJT. I have a problem I'm trying to solve regarding WinXP unable to switch users and other Windows bugs that began after I cleaned a big bad virus from my system this past spring.
A techie on another thread told me to post this here, reference thread here

My HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 10:45:13 AM, on 10/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\AVGFRE~1\avgupsvc.exe
C:\Program Files\BlackICE\blackd.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe
C:\Program Files\BlackICE\rapapp.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\BlackICE\blackice.exe
C:\Program Files\Konfabulator\Konfabulator.exe
C:\Documents and Settings\Karl\Start Menu\Programs\Startup\taskmgr.exe
C:\Documents and Settings\Karl\My Documents\My Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lfnmcjw.biz?u=1526 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ohb - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} - C:\WINDOWS\System32\hsrb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [tcxilch] C:\WINDOWS\tcxilch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - Startup: Konfabulator.lnk = C:\Program Files\Konfabulator\Konfabulator.exe
O4 - Startup: taskmgr.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\BlackICE\blackice.exe
O4 - Global Startup: hp psc 1000 series.lnk.disabled
O4 - Global Startup: hpoddt01.exe.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.amazon.ca
O15 - Trusted Zone: mycvg.convergys.com
O15 - Trusted Zone: http://www.livejournal.com
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/24b1c9dcc1cc260d7703/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119976703223
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {DE910060-8EFB-44B9-B492-75180696643F} (iiittt Class) - http://www.hotsearchbar.com/toolbar30/hsrb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D211214-CA0D-463F-8F4A-7D8D5674A4F4}: NameServer = 142.161.2.155 142.161.130.155
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVGFRE~1\avgupsvc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\BlackICE\blackd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\BlackICE\rapapp.exe
 

TSF Security Manager, Emeritus · 42,837 Posts
Hello karly,

Please print out or copy this page to Notepad since you will not have any browsers open while you are fixing this. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

AdAware’s Ad-Watch may interfere with these fixes, please disable until we are through here.

Disable Ad-aware's Ad-Watch
Right-click on the Ad-Watch icon in the system tray
At the bottom of the screen you will see 2 options Active and Automatic.
Deselect Active
Deselect Automatic

Go to "Tools & Preferences">Options
Deselect "Load Ad-Watch at Windows startup"

Please make sure system restore is enabled by right clicking on My Computer and go to Properties->System Restore and check the box for Turn OFF System Restore and make sure it’s NOT checked. We want system restore ON and monitoring your current hard drive. Once you're clean we will turn this off and then back on to remove the infection from the restore folder and create a clean restore point.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

Download CWShredder and run it. Click on 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Download Host.zip
Extract the file & overwrite the existing copy located at C:\WINDOWS\SYSTEM32\DRIVERS\ETC\host

Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?ap...ODQ6NTo5&Terms=
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.isearch.com/index.php?ap...ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://bigbr.cc?u=1538 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lfnmcjw.biz?u=1526 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://bigbr.cc?u=1538 (obfuscated)
R3 - Default URLSearchHook is missing
O2 - BHO: ohb - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} - C:\WINDOWS\System32\hsrb.dll
O4 - HKLM\..\Run: [tcxilch] C:\WINDOWS\tcxilch.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/24b1c9dcc1cc26...ip/RdxIE601.cab
O16 - DPF: {DE910060-8EFB-44B9-B492-75180696643F} (iiittt Class) - http://www.hotsearchbar.com/toolbar30/hsrb.cab


Delete the following files:

C:\WINDOWS\System32\hsrb.dll
C:\WINDOWS\tcxilch.exe
msconfg.exe -- Search for and delete..careful of the spelling! Do not delete the legit msconfig

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Standard CleanUp!"
*Uncheck the following:
-Delete Newsgroup cache
-Delete Newsgroup Subscriptions
-Scan local drives for temporary files
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Reboot into Normal Mode.

Perform an online scan using Internet Explorer with Panda ActiveScan - requires Internet Explorer
  1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
  2. Click On 'Scan Now'
  3. Enter your e-mail address & click 'Scan Now' ...begins downloading Panda's ActiveX controls.- 8MB
  4. Begin the scan by selecting My Computer
    * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
  5. If it finds any malware, it will offer you a report. Click on see report
  6. Then click Save report
  7. Post the contents of the report in your next reply along with a new HijackThis log.
* Turn off the real time scanner of any existing antivirus program while performing the online scan
 

Registered · 52 Posts · Discussion Starter #3
Well, it went well. The HJT took care of spyware problems I didn't know were there.
The post-scan by Panda did find 10 things, but didn't auto-fix them. I'm not sure if they are worrisome b/c neither adaware nor spybot scans found them.
The overall problem of not being able to switch users is gone, although time will tell. The secondary problem of Windows Update not working remains. I dunno if the remaining problem is something HJT can do. :4-dontkno
I am curious about what HJT does, it's obviously looking at the registry; I just like to know why & what I'm doing other than following directions. But the directions are helpful :sayyes:

**PandaScan:
Incident Location
Adware:adware/exact.bargainbuddy C:\WINDOWS\SYSTEM32\exdl1.exe
Adware:adware/dealhelper C:\WINDOWS\SYSTEM32\HookPopup.dll
Adware:adware/savenow Windows Registry
Adware:Adware/ILookup C:\Documents and Settings\Karl\My Documents\My Downloads\hijackthis\backups\backup-20051024-143547-304.dll
Adware:Adware/ILookup C:\Documents and Settings\Karl\My Documents\My Downloads\hijackthis\backups\backup-20051024-143547-362.dll
Adware:Adware/Gator C:\WINDOWS\Downloaded Program Files\HDPlugin1101.dll
Adware:Adware/DealHelper C:\WINDOWS\system32\dun.exe
Adware:Adware/Exact.BargainBuddy C:\WINDOWS\system32\exdl1.exe
Adware:Adware/DealHelper C:\WINDOWS\system32\Fgsobv.exe
Adware:Adware/DealHelper C:\WINDOWS\system32\HookPopup.dll
Adware:Adware/DealHelper C:\WINDOWS\system32\Sxtdst.exe
Adware:Adware/XPlugin C:\WINDOWS\system32\t239478.exe

** AdAware Scan:
Ad-Aware SE Build 1.06r1
Logfile Created on:Monday, October 24, 2005 5:24:33 PM
Using definitions file:SE1R71 19.10.2005
~ nothing found

** Logfile of HijackThis v1.99.1
Scan saved at 6:31:44 PM, on 10/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\BlackICE\blackice.exe
C:\Program Files\Konfabulator\Konfabulator.exe
C:\Documents and Settings\Karl\Start Menu\Programs\Startup\taskmgr.exe
C:\Documents and Settings\Karl\My Documents\My Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lfnmcjw.biz?u=1526 (obfuscated)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Konfabulator.lnk = C:\Program Files\Konfabulator\Konfabulator.exe
O4 - Startup: taskmgr.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\BlackICE\blackice.exe
O4 - Global Startup: hp psc 1000 series.lnk.disabled
O4 - Global Startup: hpoddt01.exe.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: www.amazon.ca
O15 - Trusted Zone: mycvg.convergys.com
O15 - Trusted Zone: http://www.livejournal.com
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119976703223
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\AVGFRE~1\avgupsvc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\BlackICE\blackd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\MTS\ENTERN~1\app\pppoeservice.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\BlackICE\rapapp.exe
 

TSF Security Manager, Emeritus · 42,837 Posts
Hi karly,

Even though Spybot and AdAware are coming up clean, as you can see in the Panda Scan, there is still malware present. HJT is another tool used to detect and remove malware. No 'one' program or tool can detect it all so it's always a good idea to scan with different tools periodically as each has its own way of detecting malware.

Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

Reboot into Safe Mode (tapping F8 or F5).

Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

C:\WINDOWS\SYSTEM32\exdl1.exe
C:\WINDOWS\SYSTEM32\HookPopup.dll
C:\WINDOWS\Downloaded Program Files\HDPlugin1101.dll
C:\WINDOWS\system32\dun.exe
C:\WINDOWS\system32\Fgsobv.exe
C:\WINDOWS\system32\Sxtdst.exe
C:\WINDOWS\system32\t239478.exe


Start KillBox.
Go to the File menu, and choose Paste from Clipboard.
**Verify that you've done this properly by clicking the dropdown-arrow next to the Full Path of File to Delete field. The filenames you pasted will be found in there.

Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* "Unregister.dll Before Deleting" if it's not grayed out.
Click the RED X button.

Click [Yes] at the 'Delete on Reboot' prompt. Click [No] at the Pending Operations prompt.

Run CWShredder again.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lfnmcjw.biz?u=1526 (obfuscated)


Reboot into Normal Mode. Run another scan with Panda and HijackThis. Post both results here again please.
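
The check behind "if they still exist" in this thread, comparing a fix list against a follow-up HijackThis log, written out as an added example (not part of the original posts and not HijackThis's own code). The function names are hypothetical, and the log excerpts are trimmed from the logs posted above. The forum shortened some URLs in the fix list to `start...end`, so the matcher treats `...` as a wildcard.

```python
import re

# A HijackThis entry line is "<section code> - <body>", e.g. "R1 - HKLM\...".
# Header lines and the "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")


def parse_entries(log_text):
    """Return [(code, body)] for every entry line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body").strip()))
    return entries


def _body_pattern(body):
    """Compile a matcher for one fix-list body.

    Forum software elides long URLs as 'start...end'; each '...' becomes a
    wildcard. Registry paths such as HKLM\\..\\Run contain only two dots and
    are matched literally. Windows paths are case-insensitive, so is the match.
    """
    literal_parts = [re.escape(part) for part in body.split("...")]
    return re.compile(".*".join(literal_parts), re.IGNORECASE)


def still_present(fix_list_text, log_text):
    """Return the fix-list entries that still appear in the given log."""
    log_entries = parse_entries(log_text)
    remaining = []
    for code, body in parse_entries(fix_list_text):
        pattern = _body_pattern(body)
        if any(c == code and pattern.fullmatch(b) for c, b in log_entries):
            remaining.append(f"{code} - {body}")
    return remaining


# Excerpt of the helper's fix list (first reply), including one elided URL.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.isearch.com/index.php?ap...ODQ6NTo5&Terms=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lfnmcjw.biz?u=1526 (obfuscated)
O2 - BHO: ohb - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} - C:\WINDOWS\System32\hsrb.dll
O4 - HKLM\..\Run: [tcxilch] C:\WINDOWS\tcxilch.exe
"""

# Excerpt of the first log (10/22/2005): the Search Bar URL appears in full.
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
O4 - HKLM\..\Run: [tcxilch] C:\WINDOWS\tcxilch.exe
"""

# Excerpt of the follow-up log (10/24/2005), after the first round of fixes.
FOLLOWUP_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://bigbr.cc?u=1538 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lfnmcjw.biz?u=1526 (obfuscated)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
"""

if __name__ == "__main__":
    for entry in still_present(FIX_LIST, FOLLOWUP_LOG):
        print("still present:", entry)
```

Run on these excerpts, it reports the same two HKLM entries that the last reply asks to be fixed again.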
 