Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Hot Offers and Antispy Error #317

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Hot Offers and Antispy Error #317

Unread postby biggdogg2800 » April 2nd, 2005, 6:55 pm

Hey gang,
Got rid of everything except the two above mentioned.
Any help would be appreciated.
Thanks.

p.s. I used Spysweeper, TrojanHunter, Spybot SD, Microsoft Antispyware, and Adaware. they got rid of everything except the two above mentioned.


Logfile of HijackThis v1.99.1
Scan saved at 4:29:32 PM, on 4/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\explorer.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\Larry\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/192/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http:/home.bellsouth.net
F2 - REG:system.ini: Shell=explorer.exe C:\WINNT\System32\netdc.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - blank (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {6BDC9716-FB66-4065-AD68-4587469163A1} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6BDC9716-FB66-4065-AD68-4587469163A1} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {A8D7EA87-B8E4-403D-809C-5319B3C46979} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A8D7EA87-B8E4-403D-809C-5319B3C46979} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {DC563E94-107C-4075-AEA0-8796706C4A9E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DC563E94-107C-4075-AEA0-8796706C4A9E} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://realstream1.co.palm-beach.fl.us/ ... ontrol.ocx
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
biggdogg2800
Active Member
 
Posts: 3
Joined: April 2nd, 2005, 9:42 am
Advertisement
Register to Remove

Unread postby wng_z3r0 » April 2nd, 2005, 7:38 pm

Hi,
I am wng_z3r0 and will be assisting you.
Please allow me some time to research your problem.

wng
User avatar
wng_z3r0
Admin/Teacher Emeritus
 
Posts: 4282
Joined: March 6th, 2005, 8:22 pm

Unread postby wng_z3r0 » April 3rd, 2005, 4:59 pm

Thank you for your patience,
Go here and download the EScan tool: http://www.mwti.net/antivirus/mwav.asp

Run the scan and post the results.
1. You have a trojan on your computer that steals passwords. :shock:
We need to remove it and then change your passwords
Run this scan here:
http://housecall.trendmicro.com/houseca ... t_corp.asp
and download trojanhunter here:
http://www.misec.net/trojanhunter/

2. Run HJT and place a check next to the following lines:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/192/
F2 - REG:system.ini: Shell=explorer.exe C:\WINNT\System32\netdc.exe
O9 - Extra button: Microsoft AntiSpyware helper - {6BDC9716-FB66-4065-AD68-4587469163A1} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6BDC9716-FB66-4065-AD68-4587469163A1} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {A8D7EA87-B8E4-403D-809C-5319B3C46979} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A8D7EA87-B8E4-403D-809C-5319B3C46979} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {DC563E94-107C-4075-AEA0-8796706C4A9E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DC563E94-107C-4075-AEA0-8796706C4A9E} - (no file) (HKCU)

Then search for and delete this file:
C:\WINNT\System32\netdc.exe

Post a new HJT log when done.
User avatar
wng_z3r0
Admin/Teacher Emeritus
 
Posts: 4282
Joined: March 6th, 2005, 8:22 pm

Unread postby biggdogg2800 » April 3rd, 2005, 8:26 pm

Thanks!
I'm on it. I just tried to log in to the infected machine remotely to do it but for some reason PCanywhere wouldn't connect.
No firewall no nothing but still cant connect.

I'll be on it tomorrow, though
Thanks Again.
biggdogg2800
Active Member
 
Posts: 3
Joined: April 2nd, 2005, 9:42 am

Unread postby wng_z3r0 » April 5th, 2005, 11:18 pm

How are things going?
User avatar
wng_z3r0
Admin/Teacher Emeritus
 
Posts: 4282
Joined: March 6th, 2005, 8:22 pm

Unread postby biggdogg2800 » April 6th, 2005, 5:29 pm

This guy lives 71 miles away. I was supposed to go there yesterday but he cancelled.

It's nice that people are trying to help me, that's for sure.

As soon as I get down to Miami, I will get that info.


Thanks for all your help and patience.

BiggDoggLarry
biggdogg2800
Active Member
 
Posts: 3
Joined: April 2nd, 2005, 9:42 am

Unread postby wng_z3r0 » April 6th, 2005, 6:03 pm

Take your time :D

You must be a real friend/relative
to drive an hour+ to fix a computer....
User avatar
wng_z3r0
Admin/Teacher Emeritus
 
Posts: 4282
Joined: March 6th, 2005, 8:22 pm

Unread postby ChrisRLG » April 21st, 2005, 6:31 pm

This topic is now over 14 days since a reply.

If no reply within another 7 days I will close.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 32 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware