HijackThis for popups that won't go away
ozzymary
Suspended permanently
2. January 2006 @ 04:03
OK, I ran this program. I wonder what I should delete; here is the list:
Logfile of HijackThis v1.99.1
Scan saved at 9:00:30 AM, on 1/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\jdibyht.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\winupdates\winupdates.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\WINDOWS\system32\aupdate.exe
C:\WINDOWS\jdibyhtA.exe
C:\WINDOWS\system32\1E262727232325.exe
C:\PROGRA~1\AIM\aim.exe
C:\PROGRA~1\COMMON~1\wkwu\wkwum.exe
C:\Program Files\CMMan\CMMan.exe
C:\Program Files\apsi\wtta.exe
C:\WINDOWS\system32\l?gonui.exe
C:\Program Files\Common Files\Desktop 16\TrueWeather.exe
C:\Program Files\Common Files\AOL\1129306962\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1129306962\ee\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\1129306962\ee\AOLServiceHost.exe
C:\PROGRA~1\COMMON~1\wkwu\wkwua.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MJ6RUTAJ\hijackthis_self[1].exe
C:\Documents and Settings\Owner\My Documents\my music\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {2BC2F12B-11EC-4E60-B865-1F2361CA9C9B} - C:\WINDOWS\system32\wnldx.dll
R3 - URLSearchHook: (no name) - {2BC2F15E-119F-4867-B865-6D2313CD9C9A} - C:\WINDOWS\system32\wnldx.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {2BC2F12B-11EC-4E60-B865-1F2361CA9C9B} - C:\WINDOWS\system32\wnldx.dll
O2 - BHO: (no name) - {2BC2F15E-119F-4867-B865-6D2313CD9C9A} - C:\WINDOWS\system32\wnldx.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Burn4Free Toolbar Helper - {F8E5CA21-C27B-43e7-B2BE-4CA93C9F9A1F} - C:\Program Files\Burn4Free Toolbar\v2.0.0.2\Burn4Free_Toolbar.dll (file missing)
O2 - BHO: BigMeanGorilla.MadAsHell - {FBD2EBD0-E6DF-456E-B300-A4D10A90C683} - C:\WINDOWS\system32\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Burn4Free Toolbar - {70DE7956-479D-4eb7-8641-2B45774C350E} - C:\Program Files\Burn4Free Toolbar\v2.0.0.2\Burn4Free_Toolbar.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\companion\Installs\cpn\yt.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [Auto Updater] C:\WINDOWS\system32\aupdate.exe
O4 - HKLM\..\Run: [jdibyhtA] C:\WINDOWS\jdibyhtA.exe
O4 - HKLM\..\Run: [697172726E6E7073] 1E262727232325.exe
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [wkwu] C:\PROGRA~1\COMMON~1\wkwu\wkwum.exe
O4 - HKCU\..\Run: [CMMan] "C:\Program Files\CMMan\CMMan.exe"
O4 - HKCU\..\Run: [Notn] "C:\Program Files\apsi\wtta.exe" -vt yazr
O4 - HKCU\..\Run: [Tjpvcevl] C:\WINDOWS\system32\l?gonui.exe
O4 - Global Startup: Desktop 16.lnk = C:\Program Files\Common Files\Desktop 16\TrueWeather.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/...
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Filter: text/html - {6793D547-38DD-4325-B35A-F1817EDFA567} - C:\Program Files\CMMan\mfhlp.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\jdibyht.exe
-kemisti-
AfterDawn Addict
2. January 2006 @ 04:26
Move HjT into its own folder -> C:\hjt
Fix with HjT (do a system scan only, mark these and press fix checked):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus8.hpwis.com/
R3 - URLSearchHook: (no name) - {2BC2F12B-11EC-4E60-B865-1F2361CA9C9B} - C:\WINDOWS\system32\wnldx.dll
R3 - URLSearchHook: (no name) - {2BC2F15E-119F-4867-B865-6D2313CD9C9A} - C:\WINDOWS\system32\wnldx.dll
O2 - BHO: Burn4Free Toolbar Helper - {F8E5CA21-C27B-43e7-B2BE-4CA93C9F9A1F} - C:\Program Files\Burn4Free Toolbar\v2.0.0.2\Burn4Free_Toolbar.dll (file missing)
O2 - BHO: BigMeanGorilla.MadAsHell - {FBD2EBD0-E6DF-456E-B300-A4D10A90C683} - C:\WINDOWS\system32\{FBD2EBD0-E6DF-456E-B300-A4D10A90C683}.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Burn4Free Toolbar - {70DE7956-479D-4eb7-8641-2B45774C350E} - C:\Program Files\Burn4Free Toolbar\v2.0.0.2\Burn4Free_Toolbar.dll (file missing)
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [Auto Updater] C:\WINDOWS\system32\aupdate.exe
O4 - HKLM\..\Run: [jdibyhtA] C:\WINDOWS\jdibyhtA.exe
O4 - HKLM\..\Run: [697172726E6E7073] 1E262727232325.exe
O4 - HKCU\..\Run: [wkwu] C:\PROGRA~1\COMMON~1\wkwu\wkwum.exe
O4 - HKCU\..\Run: [Notn] "C:\Program Files\apsi\wtta.exe" -vt yazr
O4 - HKCU\..\Run: [Tjpvcevl] C:\WINDOWS\system32\l?gonui.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\jdibyht.exe
Then shut down the service: start -> run -> services.msc -> ok
Find "Windows Overlay Components". Double-click it, press Stop and set the startup type to "Disabled".
Make your system and hidden files visible ->
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Download ewido -> http://www.ewido.net/en/download Install and update it, don't scan yet.
Boot in safe mode (tap F8 while booting)
Delete these, if found:
C:\Program Files\==>winupdates<==
C:\WINDOWS\==>jdibyht.exe<==
C:\Program Files\==>apsi<==
C:\WINDOWS\system32\==>l?gonui.exe<==
C:\WINDOWS\system32\==>aupdate.exe<==
C:\WINDOWS\==>jdibyhtA.exe<==
C:\WINDOWS\system32\==>1E262727232325.exe<==
C:\PROGRA~1\COMMON~1\==>wkwu<==
C:\WINDOWS\system32\==>wnldx.dll<==
Scan with ewido in safe mode (complete system scan). Let it remove what it finds and save report. Reboot, send a fresh HjT-log and ewido's report.
This message has been edited since posting. Last time this message was edited on 2. January 2006 @ 04:28
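As an added example (constructed for this page; not code from the thread, from HijackThis or from ewido), here is a small Python triage script that parses lines in the HijackThis v1.99 log format, re-splits entries that forum software has run together on one line, and flags the kinds of entries -kemisti- singled out above: components registered with no file behind them, unnamed URLSearchHooks, Run values named by a bare hex string or pointing at a bare executable, file names containing an unprintable character, and unknown-owner services living directly in the Windows directory. The sample log lines are constructed from the log posted in this thread, and every flag is a prompt for a human decision, not a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in HijackThis v1.99 log format, modelled on the log in this
# thread. The R0/R1 pair is deliberately run together on one line, as forum
# software often does to these logs.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\jdibyht.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus8.hpwis.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {2BC2F12B-11EC-4E60-B865-1F2361CA9C9B} - C:\WINDOWS\system32\wnldx.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [697172726E6E7073] 1E262727232325.exe
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKCU\..\Run: [Tjpvcevl] C:\WINDOWS\system32\l?gonui.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\jdibyht.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<body>.*)$")
SPLIT_RE = re.compile(r"\s+(?=[RO]\d{1,2} - )")  # entries run together on one line
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)"?(?=\s|$)', re.I)
HEX_NAME_RE = re.compile(r"^[0-9A-F]{8,}$", re.I)
WINROOT_EXE_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)


@dataclass
class Entry:
    section: str
    body: str
    reasons: List[str] = field(default_factory=list)


def exe_from_command(cmd: str) -> str:
    """Executable part of a Run value, with or without quotes and arguments."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip()


def flag_entry(section: str, body: str) -> List[str]:
    """Reasons an entry deserves a second look; an empty list means nothing odd."""
    reasons: List[str] = []
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        reasons.append("registered component whose file is missing")
    if section == "R3" and body.startswith("URLSearchHook: (no name)"):
        reasons.append("unnamed URLSearchHook")
    if section == "O4":
        m = RUN_RE.match(body)
        if m:
            exe = exe_from_command(m.group("cmd"))
            if HEX_NAME_RE.match(m.group("name")):
                reasons.append("Run value name is a bare hex string")
            if "?" in exe:
                reasons.append("unprintable character in the executable name")
            if "\\" not in exe:
                reasons.append("bare executable name, resolved through the search path")
            if WINROOT_EXE_RE.match(exe):
                reasons.append("executable placed directly in the Windows directory")
    if section == "O23":
        parts = body.rsplit(" - ", 2)
        # "Unknown owner" alone is not conclusive (OmniPass shows it too in this
        # thread); combine it with the binary sitting directly under C:\WINDOWS.
        if len(parts) == 3 and parts[1] == "Unknown owner" and WINROOT_EXE_RE.match(parts[2]):
            reasons.append("unknown-owner service running from the Windows directory")
    return reasons


def parse_log(text: str) -> List[Entry]:
    """Turn an HJT log into entries; header lines and the process list are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        for chunk in SPLIT_RE.split(line.strip()):
            m = ENTRY_RE.match(chunk)
            if m:
                sec, body = m.group("sec"), m.group("body")
                entries.append(Entry(sec, body, flag_entry(sec, body)))
    return entries


def report(text: str) -> List[str]:
    """One line per flagged entry, ready to paste back into a reply."""
    return [f"{e.section} - {e.body}\n    -> {'; '.join(e.reasons)}"
            for e in parse_log(text) if e.reasons]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```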
ozzymary
Suspended permanently
2. January 2006 @ 04:42
OK, check this and see if I got it all:
Logfile of HijackThis v1.99.1
Scan saved at 9:41:10 AM, on 1/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Desktop 16\TrueWeather.exe
C:\Documents and Settings\Owner\My Documents\my music\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {2BC2F12B-11EC-4E60-B865-1F2361CA9C9B} - C:\WINDOWS\system32\wnldx.dll
R3 - URLSearchHook: (no name) - {2BC2F15E-119F-4867-B865-6D2313CD9C9A} - C:\WINDOWS\system32\wnldx.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {2BC2F12B-11EC-4E60-B865-1F2361CA9C9B} - C:\WINDOWS\system32\wnldx.dll
O2 - BHO: (no name) - {2BC2F15E-119F-4867-B865-6D2313CD9C9A} - C:\WINDOWS\system32\wnldx.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\companion\Installs\cpn\yt.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - Global Startup: Desktop 16.lnk = C:\Program Files\Common Files\Desktop 16\TrueWeather.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/...
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
-kemisti-
AfterDawn Addict
2. January 2006 @ 04:45
No, you didn't. Fix these (mark them, then close browser and press fix checked):
R3 - URLSearchHook: (no name) - {2BC2F12B-11EC-4E60-B865-1F2361CA9C9B} - C:\WINDOWS\system32\wnldx.dll
R3 - URLSearchHook: (no name) - {2BC2F15E-119F-4867-B865-6D2313CD9C9A} - C:\WINDOWS\system32\wnldx.dll
O2 - BHO: (no name) - {2BC2F12B-11EC-4E60-B865-1F2361CA9C9B} - C:\WINDOWS\system32\wnldx.dll
O2 - BHO: (no name) - {2BC2F15E-119F-4867-B865-6D2313CD9C9A} - C:\WINDOWS\system32\wnldx.dll
And after that, delete all those files I mentioned before in safe mode and also run ewido in safe mode.
ozzymary
Suspended permanently
2. January 2006 @ 04:51
Does this look better?
Logfile of HijackThis v1.99.1
Scan saved at 9:50:33 AM, on 1/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Desktop 16\TrueWeather.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\SecuritySuite.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\My Documents\my music\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\companion\Installs\cpn\yt.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - Global Startup: Desktop 16.lnk = C:\Program Files\Common Files\Desktop 16\TrueWeather.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/...
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
-kemisti-
AfterDawn Addict
2. January 2006 @ 04:54
Yes, it does. Fix this line:
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
And after that, do what I already told you to do:
Then shut down the service: start -> run -> services.msc -> ok
Find "Windows Overlay Components". Double-click it, press Stop and set the startup type to "Disabled".
Make your system and hidden files visible ->
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Download ewido -> http://www.ewido.net/en/download Install and update it, don't scan yet.
Boot in safe mode (tap F8 while booting)
Delete these, if found:
C:\Program Files\==>winupdates<==
C:\WINDOWS\==>jdibyht.exe<==
C:\Program Files\==>apsi<==
C:\WINDOWS\system32\==>l?gonui.exe<==
C:\WINDOWS\system32\==>aupdate.exe<==
C:\WINDOWS\==>jdibyhtA.exe<==
C:\WINDOWS\system32\==>1E262727232325.exe<==
C:\PROGRA~1\COMMON~1\==>wkwu<==
C:\WINDOWS\system32\==>wnldx.dll<==
Scan with ewido in safe mode (complete system scan). Let it remove what it finds and save report. Reboot, send a fresh HjT-log and ewido's report.
ozzymary
Suspended permanently
2. January 2006 @ 04:54
Thanks for all your help.
-kemisti-
AfterDawn Addict
2. January 2006 @ 04:56
@ozzymary: The problem isn't solved yet! Do what I asked you to do before. Delete those files in safe mode, run the ewido scan, reboot, and send a fresh HjT log and ewido's report.
ozzymary
Suspended permanently
2. January 2006 @ 04:58
I am not too crazy about going into safe mode.
ozzymary
Suspended permanently
2. January 2006 @ 04:59
I am running ewido now in regular mode.
ozzymary
Suspended permanently
2. January 2006 @ 05:01
Infected objects so far: 1,734. Seems to be a lot.
-kemisti-
AfterDawn Addict
2. January 2006 @ 05:01
What's so bad about going into safe mode? Let's hope then that ewido can delete everything it finds in regular mode. Were you able to delete those files/folders I mentioned before in regular mode?
EDIT: And yes, over 1700 infected objects is a lot ;)
This message has been edited since posting. Last time this message was edited on 2. January 2006 @ 05:02
ozzymary
Suspended permanently
2. January 2006 @ 05:09
It's up to 9000 now. Should I stop?
This message has been edited since posting. Last time this message was edited on 2. January 2006 @ 05:12
-kemisti-
AfterDawn Addict
2. January 2006 @ 05:10
No, you shouldn't, let it finish the scan.
ozzymary
Suspended permanently
2. January 2006 @ 05:11
And still only 50%. I wonder why so much.
ozzymary
Suspended permanently
2. January 2006 @ 05:12
You're pretty good at this, huh?
-kemisti-
AfterDawn Addict
2. January 2006 @ 05:14
Well, I don't know. You don't seem to have a firewall; that might be a reason. Or are you using the Windows built-in firewall?
ozzymary
Suspended permanently
2. January 2006 @ 05:18
It's done, but it's asking me to hit Yes on all 9000. Any idea?
Quote: "windows built-in firewall?" Yes, this is the one I am using.
This message has been edited since posting. Last time this message was edited on 2. January 2006 @ 05:19
-kemisti-
AfterDawn Addict
2. January 2006 @ 05:22
ozzymary
Suspended permanently
2. January 2006 @ 05:25
I had to reboot because it looked like it was trying to delete some of my Nero stuff. Is there a way I could just do a scan and post it without removing anything?
ozzymary
Suspended permanently
2. January 2006 @ 05:27
When I open the program back up, it shows "infected objects found". Any way to post them?
ozzymary
Suspended permanently
2. January 2006 @ 05:28
Is this it?
---------------------------------------------------------
ewido anti-malware - Process report
---------------------------------------------------------
+ Created on: 10:28:00 AM, 1/2/2006
+ Report-Checksum: 87D24A7F
0: System Process
4: System Process
124: C:\Program Files\Internet Explorer\iexplore.exe
488: C:\WINDOWS\Explorer.EXE
536: C:\WINDOWS\system32\wuauclt.exe
552: \SystemRoot\System32\smss.exe
572: C:\WINDOWS\System32\alg.exe
604: \??\C:\WINDOWS\system32\csrss.exe
628: \??\C:\WINDOWS\system32\winlogon.exe
672: C:\WINDOWS\system32\services.exe
684: C:\WINDOWS\system32\lsass.exe
836: C:\WINDOWS\system32\svchost.exe
932: C:\WINDOWS\system32\svchost.exe
1036: C:\WINDOWS\System32\svchost.exe
1112: C:\WINDOWS\System32\svchost.exe
1284: C:\WINDOWS\System32\svchost.exe
1408: C:\WINDOWS\system32\spoolsv.exe
1528: C:\Program Files\ewido anti-malware\ewidoctrl.exe
1544: C:\Program Files\ewido anti-malware\ewidoguard.exe
1596: c:\Program Files\Norton AntiVirus\navapsvc.exe
1648: C:\Program Files\Softex\OmniPass\Omniserv.exe
1708: C:\WINDOWS\System32\svchost.exe
1768: C:\Program Files\ewido anti-malware\SecuritySuite.exe
1792: C:\WINDOWS\system32\wdfmgr.exe
1996: C:\Program Files\Softex\OmniPass\OPXPApp.exe
-kemisti-
AfterDawn Addict
2. January 2006 @ 05:29
I don't think that ewido will remove anything related to Nero. Which program says that infected objects were found?
EDIT: No, it isn't. Did you click "Save report" after the scan?
This message has been edited since posting. Last time this message was edited on 2. January 2006 @ 05:30
ozzymary
Suspended permanently
2. January 2006 @ 05:30
ewido anti-malware
-kemisti-
AfterDawn Addict
2. January 2006 @ 05:32
OK. Do you mean that you have opened ewido's backup folder? That's normal, because ewido creates a backup of every file it deletes in that folder.