Status: Not open for further replies. (1 - 10 of 10 Posts)

Registered · 174 Posts · Discussion Starter · #1
I posted in the Windows XP thread about my Windows Update not working. I tried going right to microsoft.com, and as soon as I click a link for update, it says "page cannot be displayed".
I have run Adaware, Spybot, and AVG anti-virus, but still no go. I got HijackThis and here is my log if you can help...



Logfile of HijackThis v1.99.1
Scan saved at 6:39:48 PM, on 10/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Stine Family\My Documents\Unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.accoona.com/search_assis...urce=wdz&utm_medium=bund&utm_campaign=wdz0605
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.accoona.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fmcdealer.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.accoona.com/search_assis...urce=wdz&utm_medium=bund&utm_campaign=wdz0605
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.accoona.com/search?q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunServices: [Windows Compliant] dbntlb.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102672471765
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129660384531
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader_sp1/imloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E684A97-1E5D-4DAC-BDAD-453637B0E441}: NameServer = 68.168.224.162,68.168.224.165
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB28D223-4509-4A4B-8770-C6F951A744B1}: NameServer = 166.102.165.11 166.102.165.13
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
 

TSF Security Team, Emeritus · 6,962 Posts
Hi and Welcome to TSF

Before attacking an adware/spyware problem with HijackThis, make sure you have already run the following tools. Download and update the databases on each program before running.

Also make sure you are using the latest version (1.99.1) of HijackThis and that it is installed in its own folder on the root drive (C:\HJT).

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible.
Please make sure System Restore is enabled: right-click My Computer, go to Properties->System Restore, and make sure the box for Turn OFF System Restore is NOT checked. We want System Restore ON and monitoring your current hard drive. Once you're clean we will turn this off and then back on to remove the infection from the restore folder and create a clean restore point.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Open add/remove programs and remove Accoona Search Assistant IF listed.

Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.accoona.com/search_assis...ampaign=wdz0605
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.accoona.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.accoona.com/search_assis...ampaign=wdz0605
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.accoona.com/search?q=%s
R3 - Default URLSearchHook is missing
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll (file missing)
O4 - HKLM\..\RunServices: [Windows Compliant] dbntlb.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/...IL/PhPSetup.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/insta.../sinstaller.cab


C:\Program Files\Accoona<--delete that folder

dbntlb.exe <--locate and delete that file

Reboot back to normal mode....

Please run an online scan at http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Once it has finished, save the ActiveScan log. Then post that log in your next post along with a new HijackThis log and the log from the tool below.

Download: StartDreck

Unzip to its own folder and start the program:
Press 'Config'
Press 'Mark All'

UN-Check the 'NT-Services & NT-Kernel...' boxes only:
Press 'Ok'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread..
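A way to do the same triage the reply above did by hand, as an added example that is not part of the original thread and not a feature of HijackThis itself: a small Python script that parses HijackThis-style lines and applies the rules the helper used (IE search settings redirected to a non-Microsoft host, a missing default URLSearchHook, a BHO whose DLL is gone, an entry under the Win9x-era RunServices key, and an ActiveX package downloaded from a third-party site). The sample lines are a subset of the log posted above; the TRUSTED_SUFFIXES allowlist, KNOWN_BARE_EXES, the verdict labels and the function names are assumptions chosen for the example.

```python
import re
from urllib.parse import urlparse

# Sample input: a subset of the HijackThis log posted in this thread, embedded so the
# script runs offline. (Added example; not code from the thread or from HijackThis.)
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.accoona.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fmcdealer.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.accoona.com/search_assis...urce=wdz
R3 - Default URLSearchHook is missing
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\RunServices: [Windows Compliant] dbntlb.exe
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129660384531
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E684A97-1E5D-4DAC-BDAD-453637B0E441}: NameServer = 68.168.224.162,68.168.224.165
"""

# Hosts from which IE search defaults and ActiveX packages are expected on a stock XP box.
# Assumption for this example, not an authoritative list.
TRUSTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "msn.com")
# Autostart commands that legitimately use a bare filename on this machine (assumption):
# rundll32.exe lives in System32 and its real target is the DLL argument; nwiz.exe is NVIDIA's.
KNOWN_BARE_EXES = {"rundll32.exe", "nwiz.exe"}

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")


def host_of(url):
    """Lower-cased hostname of a URL, or '' for local paths and junk."""
    return (urlparse(url.strip()).hostname or "").lower()


def trusted(host):
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def triage(log_text, trusted_start_pages=()):
    """Return (section, verdict, reason, line) tuples for entries worth acting on.

    verdict is 'fix' (tick it in HijackThis) or 'review' (confirm with the user first).
    """
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1") and " = " in body:
            key, value = body.split(" = ", 1)
            host = host_of(value)
            if "Search" in key and host and not trusted(host):
                findings.append((sec, "fix", "IE search setting points at %s" % host, raw))
            elif key.endswith("Start Page") and host and host not in trusted_start_pages:
                findings.append((sec, "review", "start page %s not confirmed by user" % host, raw))
        elif sec == "R3" and "is missing" in body:
            findings.append((sec, "fix", "default URLSearchHook removed (typical hijacker side effect)", raw))
        elif sec == "O2" and "(file missing)" in body:
            findings.append((sec, "fix", "BHO registered but its DLL is gone: orphaned registration", raw))
        elif sec == "O4":
            key, _, cmd = body.partition(": ")
            cmd = re.sub(r"^\[[^\]]*\]\s*", "", cmd)      # drop the [value name] prefix
            exe = cmd.split()[0] if cmd.split() else ""
            bare = "\\" not in exe and "/" not in exe       # no directory: relies on the search path
            if "RunServices" in key:
                findings.append((sec, "fix", "RunServices is a Win9x autostart key legitimate XP software does not use; runs '%s'" % exe, raw))
            elif bare and exe.lower() not in KNOWN_BARE_EXES:
                findings.append((sec, "review", "autostart by bare filename '%s'" % exe, raw))
        elif sec == "O16":
            url = body.rsplit(" - ", 1)[-1]
            if not trusted(host_of(url)):
                findings.append((sec, "fix", "ActiveX package pulled from %s" % host_of(url), raw))
        elif sec == "O17":
            ns = body.split("NameServer = ", 1)[-1]
            findings.append((sec, "review", "confirm %s are the ISP's resolvers" % ns, raw))
    return findings


if __name__ == "__main__":
    for sec, verdict, reason, line in triage(SAMPLE_LOG, trusted_start_pages=("www.fmcdealer.com",)):
        print("%-3s %-6s %s\n      %s" % (sec, verdict, reason, line))
```

The O17 lines are reported rather than judged because nothing in a log can tell a legitimate ISP resolver from a rogue one; the only check is to compare them against what the ISP publishes (or what ipconfig /all shows after a fresh DHCP lease), which is why the helper left them alone.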
 

Registered · 174 Posts · Discussion Starter · #3
Thank you for the response! I did everything you asked except StartDreck, since the link was bad or the page was not found.
Here is the log for SpyXposer...
Incident Status Location

Adware:adware/wupd Reported C:\WINDOWS\DOWNLOADED PROGRAM FILES\PrevAdX.dll
Spyware:spyware/new.net Reported C:\WINDOWS\NDNuninstall6_38.exe
Adware:adware/quickbar Reported Windows Registry
Spyware:Cookie/Tribalfusion Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Falkag Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Doubleclick Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Falkag Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Mediaplex Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Adrevolver Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Statcounter Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/2o7.net Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Atlas DMT Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/2o7.net Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Ask Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.ask.com/]
Spyware:Cookie/Advertising Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.servedby.advertising.com/]
Spyware:Cookie/Advertising Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Advertising Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.servedby.advertising.com/]
Spyware:Cookie/Advertising Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Advertising Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.servedby.advertising.com/]
Spyware:Cookie/QuestionMarket Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Traffic Marketplace Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Adserver Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/Com.com Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.com.com/]
Spyware:Cookie/Bluestreak Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/YieldManager Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Hitbox Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Zedo Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.zedo.com/]
Spyware:Cookie/DomainSponsor Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[landing.domainsponsor.com/]
Spyware:Cookie/WUpd Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.revenue.net/]
Spyware:Cookie/onestat.com Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/Tribalfusion Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Falkag Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Doubleclick Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Falkag Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Mediaplex Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Adrevolver Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Statcounter Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/2o7.net Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Atlas DMT Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/2o7.net Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Ask Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.ask.com/]
Spyware:Cookie/Advertising Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.servedby.advertising.com/]
Spyware:Cookie/Advertising Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Advertising Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.servedby.advertising.com/]
Spyware:Cookie/Advertising Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Advertising Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.servedby.advertising.com/]
Spyware:Cookie/QuestionMarket Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Traffic Marketplace Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Adserver Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/Com.com Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.com.com/]
Spyware:Cookie/Bluestreak Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/YieldManager Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Hitbox Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Zedo Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.zedo.com/]
Spyware:Cookie/DomainSponsor Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[landing.domainsponsor.com/]
Spyware:Cookie/WUpd Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[.revenue.net/]
Spyware:Cookie/onestat.com Reported C:\Documents and Settings\Stine Family\Application Data\Mozilla\Firefox\Profiles\4vou6cas.default\cookies.txt[stat.onestat.com/]
Adware:Adware/WinAD Reported C:\WINDOWS\Downloaded Program Files\PrevAdX.dll
Virus:Trj/Zapchast.AA Reported C:\WINDOWS\intelii32.exe
Spyware:Spyware/New.net Reported C:\WINDOWS\NDNuninstall6_38.exe
Virus:Trj/Qhost.gen Reported C:\WINDOWS\system32\drivers\etc\hosts
Virus:Trj/Qhost.gen Reported C:\WINDOWS\system32\drivers\etc\hosts.20050417-114529.backup
Virus:Trj/Qhost.gen Reported C:\WINDOWS\system32\drivers\etc\hosts.20050511-235642.backup
Virus:Trj/Qhost.gen Reported C:\WINDOWS\system32\drivers\etc\hosts.20050514-000601.backup
Adware:Adware/InstaFinder Reported C:\WINDOWS\system32\InstaFinder_inst245.exe
Virus:W32/Gaobot.ALK.worm Reported C:\WINDOWS\system32\TFTP2004
Adware:Adware/WUpd Reported C:\WINDOWS\tqp.exe

And the new log for HijackThis...

Logfile of HijackThis v1.99.1
Scan saved at 12:23:55 AM, on 10/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fmcdealer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102672471765
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129660384531
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E684A97-1E5D-4DAC-BDAD-453637B0E441}: NameServer = 68.168.224.162,68.168.224.165
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB28D223-4509-4A4B-8770-C6F951A744B1}: NameServer = 166.102.165.11 166.102.165.13
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe


Thank you! :wink:
 

TSF Security Team, Emeritus · 26,363 Posts
If you have not done so already, please enable the viewing of hidden files.
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folders
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following files/folders (let me know if you fail to find or delete any):
  • C:\WINDOWS\NDNuninstall6_38.exe
  • C:\WINDOWS\intelii32.exe
  • C:\WINDOWS\system32\drivers\etc\hosts.20050417-114529.backup
  • C:\WINDOWS\system32\drivers\etc\hosts.20050511-235642.backup
  • C:\WINDOWS\system32\drivers\etc\hosts.20050514-000601.backup
  • C:\WINDOWS\system32\InstaFinder_inst245.exe
  • C:\WINDOWS\system32\TFTP2004
  • C:\WINDOWS\tqp.exe



Download Host.zip
Extract the file & overwrite the existing copy located at C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts

Also download & install - CleanUp.exe

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


Start HiJackThis & go to Config>Misc.Tools> Delete a file on reboot...
  1. In the popup box that appears, paste in C:\WINDOWS\DOWNLOADED PROGRAM FILES\PrevAdX.dll
  2. Click the Open button.
  3. Click YES when prompted to restart your computer.


After you have rebooted, try accessing Windows Update & let us know how it is.
Also post a new HJT log.
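The reply above replaces the hosts file outright rather than inspecting it, which is the right call once a scanner has named it (the Panda report earlier in the thread flags C:\WINDOWS\system32\drivers\etc\hosts and three dated .backup copies as Trj/Qhost.gen). For anyone who wants to confirm that diagnosis before overwriting, here is an added Python example; it is not code from the thread or from any tool mentioned in it. A Qhost-style hijack pins Windows Update and anti-virus hostnames to 127.0.0.1 or to an attacker-chosen address, which is how "page cannot be displayed" on windowsupdate.microsoft.com comes about while the rest of the web still works. SAMPLE_HOSTS is constructed for the example and is not the poster's actual file; UPDATE_SUFFIXES is an illustrative list, not an exhaustive one; the function names are the example's own.

```python
import ipaddress

# Constructed sample of a hosts file as a Qhost-style trojan leaves it: the stock
# localhost line plus update and anti-virus names pinned to loopback or a bogus address.
# (Made up for this example; not the poster's real file.)
SAMPLE_HOSTS = """\
# hosts file, modelled on the stock Windows XP layout: "<ip> <name> [# comment]"
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       v5.windowsupdate.microsoft.com
127.0.0.1       update.microsoft.com
127.0.0.1       www.microsoft.com
192.0.2.10      free.grisoft.com      # AVG Free updates sent to a remote address
127.0.0.1       www.pandasoftware.com
127.0.0.1       www.symantec.com
"""

# Name suffixes such a hijack typically pins so that patching and AV updates stop
# resolving. Assumption for the example, not an exhaustive list.
UPDATE_SUFFIXES = ("microsoft.com", "windowsupdate.com", "grisoft.com",
                   "pandasoftware.com", "symantec.com", "mcafee.com")

# The only mapping a stock XP hosts file contains.
STOCK_XP_HOSTS = "127.0.0.1       localhost\n"


def parse_hosts(text):
    """Yield (ip, name, line_no) for every mapping; comments and blank lines are skipped."""
    for no, line in enumerate(text.splitlines(), 1):
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        parts = entry.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for name in parts[1:]:
            yield ip, name.lower(), no


def find_hijacks(text):
    """Return mappings that look like a hosts-file hijack.

    On a machine whose owner never edited hosts, anything beyond localhost -> loopback
    is suspect; a pinned update or AV name is the signature that blocks patching.
    """
    hits = []
    for ip, name, no in parse_hosts(text):
        if name == "localhost" and ip.is_loopback:
            continue
        blocks_updates = any(name == s or name.endswith("." + s) for s in UPDATE_SUFFIXES)
        hits.append({"line": no, "ip": str(ip), "name": name,
                     "blocks_updates": blocks_updates,
                     # loopback sinks the request; a remote sink could serve a fake site
                     "sink": "loopback" if ip.is_loopback else "remote"})
    return hits


def clean_hosts(text):
    """Rebuild hosts keeping only comments and the localhost line (same effect as a stock copy)."""
    kept = [line for line in text.splitlines() if line.lstrip().startswith("#")]
    kept.append(STOCK_XP_HOSTS.rstrip("\n"))
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for h in find_hijacks(SAMPLE_HOSTS):
        print("line %(line)d: %(name)s -> %(ip)s (%(sink)s, blocks updates: %(blocks_updates)s)" % h)
    print(clean_hosts(SAMPLE_HOSTS))
```

On the box itself the file is %SystemRoot%\system32\drivers\etc\hosts. After overwriting it, run ipconfig /flushdns so the resolver cache stops handing out the pinned answers, and delete the dated .backup copies as well, since the scanner flagged them as carrying the same entries.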
 

Registered · 174 Posts · Discussion Starter · #5
Thank you guys ever so much! I can now update Windows with no problems!

I never thought that there would be so many problems when I have been religiously running Adaware, Spybot, AVG, CCleaner, etc and this much can still go wrong!

Thank you again! :wink:
 

TSF Security Manager, Emeritus · 52,197 Posts
Hi Mullet Man -

While I share your happiness, you should still post a HJT log for us to review. Once we're sure you are clean, we'll give you more important information on how to better protect yourself, and prevent further infections.
 

Registered · 174 Posts · Discussion Starter · #7
OK! I will do that for you. I do want to make sure I am clean.

Here is my new HijackThis log...

Logfile of HijackThis v1.99.1
Scan saved at 5:32:29 PM, on 10/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fmcdealer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102672471765
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129660384531
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E684A97-1E5D-4DAC-BDAD-453637B0E441}: NameServer = 68.168.224.162,68.168.224.165
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB28D223-4509-4A4B-8770-C6F951A744B1}: NameServer = 166.102.165.11 166.102.165.13
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
 

TSF Security Manager, Emeritus · 42,836 Posts
Hello Mullet Man,

Your log is clean. If there aren't any more problems, you should be good to go after carrying out these final instructions:

Reset hidden/system files and folders

Windows XP
===============
Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Deselect the Show hidden files and folders option.
* Select the Hide file extensions for known types option.
* Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Create a new System Restore point

Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will prevent any reinfection from any previous restore points.

**Note**
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. I notice your browser and XP are not up to date, and this makes you susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection. Please update to XP SP2 and I.E. SP2.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

HOW DID I GET INFECTED IN THE FIRST PLACE? http://forums.net-integration.net/index.php?showtopic=3051

THE ANTI-SPYWARE TUTORIAL http://www.greyknight17.com/spyware.htm#prevent

MAKING INTERNET EXPLORER SAFER http://www.bleepingcomputer.com/forums/Making_Internet_Explorer_Safer-tut102.html

Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Microsoft Windows Update
Visit windowsupdate.com http://www.windowsupdate.com/ regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls

More information and downloads are available at the following links:

Spyware Blaster to help prevent spyware from installing in the first place.
Spyware Guard to catch and block spyware before it can execute.
IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

Firefox www.mozilla.org/products/firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

Update all these programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
 

Registered · 174 Posts · Discussion Starter · #9
As soon as it was fixed, I upgraded to SP2 :sayyes:
I also do use FireFox as my primary browser and have for a year now :smooch:
I have never used a firewall since being on 56K, I never would think someone would try to hack a dial-up user. Is the SP2 firewall any good, or should I get Zone Alarm?
 

TSF Security Manager, Emeritus · 42,836 Posts
You'll hear good and bad about SP2 Firewall. I'd say it's a personal choice, but will add that I also have SP2, on dial up, and I use ZoneAlarm as my firewall. :wink:
 