Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Unread postby Mobey » March 9th, 2005, 8:07 pm

Logfile of HijackThis v1.99.1
Scan saved at 00:10:29, on 10/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\BENMAW~1\LOCALS~1\Temp\Temporary Directory 1 for KillBox.zip\KillBox.exe
C:\DOCUME~1\BENMAW~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/ie/e ... efault.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.jxunfqljlcadckk.biz/4QfNW8KaHX8j9TkvCGpA/UliBjhCMa6MD/ZxdSX7VoCHAxWE96k81jaWeGEb4ogL.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fxawlrwetoz.com/4QfNW8KaHX951YcsqDBTxYukeMtljb6pF4bCogTKwas.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/ie/e ... efault.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zestyfind.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.blazefind.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://riviera.cc (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://riviera.cc (obfuscated)
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O1 - Hosts: 216.93.168.167 sitefinder.verisign.com
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - (no file)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
O2 - BHO: NavHelper Class - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\Program Files\NavExcel\NavHelper\v2.0.4d\NHelper.dll
O2 - BHO: (no name) - {C8BCCDC2-E909-631D-C6E8-C194C0A12EAD} - C:\DOCUME~1\BENMAW~1\APPLIC~1\slowbags\list mail.exe
O2 - BHO: (no name) - {C97F008A-B420-42EC-A3E0-9592E3ECEE19} - (no file)
O2 - BHO: Helper Class - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - C:\RECYCLER\S-1-5-21-3864690065-1469118265-1252323205-1009\Dc39\NavExcelBar.dll
O2 - BHO: AlxTB BHO - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:\WINDOWS\system32\AlxTB1.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: (no name) - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - (no file)
O3 - Toolbar: (no name) - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O3 - Toolbar: NavExcel Toolbar - {5AA06644-BC46-4220-A460-47A6EB47C96D} - C:\RECYCLER\S-1-5-21-3864690065-1469118265-1252323205-1009\Dc39\NavExcelBar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
O4 - HKLM\..\Run: [AntiVirus] C:\WINDOWS\Norton.exe
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [TaskMon] C:\WINDOWS\.exe
O4 - HKLM\..\Run: [explorer] C:\WINDOWS\FONTS\Norton.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [does meal grid poll] C:\Documents and Settings\All Users\Application Data\bendseconddoesmeal\bind lies.exe
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - HKCU\..\Run: [drive shim] C:\DOCUME~1\BENMAW~1\APPLIC~1\FLAWBI~1\Atom Show.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Sidesearch - {000007C6-17DF-4438-92A4-DE5537471BA3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O16 - DPF: IEEnhancer - http://64.69.90.233/adlapp/IEPackage.cab
O16 - DPF: morfit3dWorld - http://www.3dstate.com/download/plugin3 ... dWorld.CAB
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.imbum.com/Imbum.cab
O16 - DPF: {034CC2DC-3245-4B26-B5C7-7B8777739CB7} - http://access.gamezdump.com/output/0605 ... lgames.exe
O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install026.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=f32ea71f93289f61b4dbf30a04a6a1144dbe14cda02fcaaa9fafbced2952791a768a1a41688817425fa5c9751a6be7b24046:f22d67e45739a8712f7edadac81f3fd5
O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} - http://www.armbender.com/UCSearch.CAB
O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} - http://run.gibnetmaster.com/download/dialer/eu_cax.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} - http://gamingzone.ubisoft.com/packages/GSManager.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b30149.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/dow ... valent.cab
O16 - DPF: {42F2D240-B23C-11D6-8C73-70A05DC10000} - http://www.pcganes.com/games/pcganes.exe
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/res ... nPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/21fd8dfda53 ... xIE601.cab
O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} - http://212.145.159.194/251065/dialercab ... endada.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} - http://bis.180solutions.com/ActiveXInst ... taller.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} - http://secure2.comned.com/signuptemplat ... curity.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... Client.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-gb/gb/games22.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/2000XP ... dge-c9.cab
O16 - DPF: {9E1089BC-1AE8-4685-8D77-6721E5C318A8} - http://217.73.66.16/comload.dll
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {A0F0D762-D1DE-43AF-B70E-D87864743EB3} - http://217.145.76.16/nslite/nslite.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {B57186EE-4B90-405B-BC76-6F73545DA48D} - http://ads.dealhelper.com/updates/DealHelper.cab
O16 - DPF: {BB0578ED-E672-4697-9663-EC5A0460B949} - http://downloads.searchcentrix.com/install/weblz.CAB
O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} - http://directplugin.com/tl4000.dll
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.aimphuck.com/Imbum_bw.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/budicon.cab
O16 - DPF: {E2F2B9D0-96B9-4B25-B90C-636ECB207D18} - http://www.whenusearch.com/WUInstSECS.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} - https://www-secure.symantec.com/region/ ... veData.cab
O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/es/SysWebTelecom.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://www.real-euros.com/EPlugin_GB.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b30149.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CFE36437-9CC0-489E-BC71-FA81FF00BE6E}: NameServer = 194.72.9.38 194.74.65.68
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


This is my logfile. I know it's embarrassing and everything, but please help me.

Thanks :) 8)

(Edit by ChrisRLG to try to stop horizontal scrolling)
Mobey
Active Member
 
Posts: 8
Joined: March 9th, 2005, 7:56 pm

Unread postby ChrisRLG » March 9th, 2005, 8:38 pm

Hi and welcome.

No, it's not embarrassing - we have this sort of thing all the time.

Go to Add/Remove programs and remove(uninstall) the following, if present:

Messenger Plus! 3
MessengerPlus
NavExcel Search Toolbar
NavHelper
Web Rebates

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

===============

Download LSPFix and unzip to your desktop, then run it. Now, we need to:

1. check(tick) "I know what i'm doing".
2. click on (highlight) each occurrence of the following, one at a time:

inetadpt.dll

3. then click ">>", moving each one, individually, to the 'Remove' pane.
4. (double-check, and make sure that only the above files are in the 'Remove' pane.)
5. click "Finish >>"


===============

Let's download the Symantec VirtuMundo removal tool, and run it.

===============

Next, we need to remove (uninstall) the 'lop' infection by going to here, then downloading and running the uninstaller(s) that relate to the application(s) you're wanting to remove. The following selections are available: "Start page", "Search engine", "Accessories Toolbar".

After uninstalling any (or all) of the above, let's see if we have anything in "Scheduled Tasks":

Download, unzip and run ScheduledTasks.bat (courtesy of ddeerrff), and when notepad comes up, post the contents back to this thread.

===============

Run HiJackThis then:

1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:

regsvr32 /u NavExcelBar.dll
regsvr32 /u AlxTB1.dll
regsvr32 /u msbe.dll

It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.

===============

Before we begin, let's move HiJackThis to its own folder, like c:\HJT. When we're done 'cleaning' off your system, we're going to 'flush' the temporary folders, and with HiJackThis in its current location we'd lose both the program and the backups it creates. These backups are important in case we need to restore any 'fixed' entry(s) later.

Also move the "Backups" folder, for HiJackThis, if present.

===============

Run HiJackThis and click "Scan", then check(tick) the following, if present:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.jxunfqljlcadckk.biz/4QfNW8Ka ... b4ogL.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fxawlrwetoz.com/4QfNW8KaHX95 ... TKwas.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zestyfind.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.blazefind.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://riviera.cc (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://riviera.cc (obfuscated)

R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)

O1 - Hosts: 216.93.168.167 sitefinder.verisign.com

O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - (no file)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - (no file)
O2 - BHO: (no name) - {C8BCCDC2-E909-631D-C6E8-C194C0A12EAD} - C:\DOCUME~1\BENMAW~1\APPLIC~1\slowbags\list mail.exe
O2 - BHO: (no name) - {C97F008A-B420-42EC-A3E0-9592E3ECEE19} - (no file)
O2 - BHO: Helper Class - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - C:\RECYCLER\S-1-5-21-3864690065-1469118265-1252323205-1009\Dc39\NavExcelBar.dll
O2 - BHO: AlxTB BHO - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:\WINDOWS\system32\AlxTB1.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - (no file)

O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: (no name) - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - (no file)
O3 - Toolbar: (no name) - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - (no file)
O3 - Toolbar: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O3 - Toolbar: NavExcel Toolbar - {5AA06644-BC46-4220-A460-47A6EB47C96D} - C:\RECYCLER\S-1-5-21-3864690065-1469118265-1252323205-1009\Dc39\NavExcelBar.dll

O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [TaskMon] C:\WINDOWS\.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [does meal grid poll] C:\Documents and Settings\All Users\Application Data\bendseconddoesmeal\bind lies.exe
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O4 - HKCU\..\Run: [drive shim] C:\DOCUME~1\BENMAW~1\APPLIC~1\FLAWBI~1\Atom Show.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h

O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)

O16 - DPF: IEEnhancer - http://64.69.90.233/adlapp/IEPackage.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file. ... dac81f3fd5
O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} - http://run.gibnetmaster.com/download/dialer/eu_cax.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/dow ... valent.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/21fd8dfda53 ... xIE601.cab
O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} - http://212.145.159.194/251065/dialercab ... endada.cab
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} - http://bis.180solutions.com/ActiveXInst ... taller.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/2000XP ... dge-c9.cab
O16 - DPF: {9E1089BC-1AE8-4685-8D77-6721E5C318A8} - http://217.73.66.16/comload.dll
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {A0F0D762-D1DE-43AF-B70E-D87864743EB3} - http://217.145.76.16/nslite/nslite.cab
O16 - DPF: {B57186EE-4B90-405B-BC76-6F73545DA48D} - http://ads.dealhelper.com/updates/DealHelper.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.aimphuck.com/Imbum_bw.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/budicon.cab
O16 - DPF: {E2F2B9D0-96B9-4B25-B90C-636ECB207D18} - http://www.whenusearch.com/WUInstSECS.cab

Plus any other O16 lines for sites/programs you no longer use

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:

folders...

C:\Program Files\NavExcel
C:\Program Files\Messenger Plus! 3
C:\Program Files\Ares
C:\DOCUME~1\BENMAW~1\APPLIC~1\FLAWBI~1
C:\Documents and Settings\All Users\Application Data\bendseconddoesmeal\

files...

C:\DOCUME~1\BENMAW~1\APPLIC~1\slowbags\list mail.exe
C:\WINDOWS\system32\AlxTB1.dll
C:\WINDOWS\system32\msbe.dll
C:\WINDOWS\.exe
c:\windows\winlogon.exe
c:\windows\system32\inetadpt.dll

-

Note that some of these file(s) may or may not be present. If present and they cannot be deleted because they're 'in use', try deleting them from "Safe Mode".

===============

Post back a new log, and let me know how everything goes.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK
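A small triage script, added here as an example (it is not part of the thread and not HijackThis code), that parses HJT v1.99 log lines of the kind quoted above and flags the structural oddities the fix list above picks on: orphaned `(no file)` registrations, Run entries with an empty file name or a system binary name outside System32, Winsock LSPs HJT cannot attribute, ActiveX packages fetched from bare IP addresses, hosts-file overrides and obfuscated start-page values. The heuristics and the `SYSTEM_DIRS`/`SYSTEM_NAMES` lists are the example's own assumptions; they do not recognise known adware DLLs such as AlxTB1.dll, which a helper identifies from experience rather than from the shape of the line.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed lists for this example: the genuine winlogon.exe, lsass.exe
# etc. live in System32; the same file name anywhere else is a red flag.
SYSTEM_DIRS = {r"c:\windows\system32"}
SYSTEM_NAMES = {"winlogon.exe", "services.exe", "lsass.exe",
                "svchost.exe", "smss.exe", "csrss.exe"}

_LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
_RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_IP_URL_RE = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?:[:/]|$)")


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section code, e.g. "O4"
    reason: str    # why the line was flagged
    line: str      # the original log line


def _exe_path(cmd: str) -> str:
    """Reduce a Run value to its executable path, dropping any switches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted value: everything before the first " -" switch is the path.
    return cmd.split(" -", 1)[0]


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious HJT line, or None if it looks benign."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None            # process list, headers, blank lines
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R3", "O2", "O3", "O18") and body.endswith("- (no file)"):
        return Finding(sec, "orphaned registration: referenced file is gone", line)
    if sec in ("R0", "R1") and body.endswith("(obfuscated)"):
        return Finding(sec, "obfuscated start/search page value", line)
    if sec == "O1" and body.startswith("Hosts:"):
        return Finding(sec, "hosts-file override", line)
    if sec == "O4":
        run = _RUN_RE.match(body)
        if run:
            path = _exe_path(run.group("cmd")).lower()
            directory, _, name = path.rpartition("\\")
            if name == ".exe":
                return Finding(sec, "Run entry with an empty file name", line)
            if name in SYSTEM_NAMES and directory not in SYSTEM_DIRS:
                return Finding(sec, f"{name} started from outside System32", line)
    if sec == "O10" and body.startswith("Unknown file in Winsock LSP"):
        return Finding(sec, "Winsock LSP that HJT cannot attribute", line)
    if sec == "O16" and _IP_URL_RE.search(body):
        return Finding(sec, "ActiveX package fetched from a bare IP address", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run classify() over every line of an HJT log and collect the hits."""
    hits = [classify(ln) for ln in log_text.splitlines()]
    return [h for h in hits if h is not None]


# Sample input: lines copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://riviera.cc (obfuscated)
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O1 - Hosts: 216.93.168.167 sitefinder.verisign.com
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - (no file)
O2 - BHO: AlxTB BHO - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:\WINDOWS\system32\AlxTB1.dll
O4 - HKLM\..\Run: [TaskMon] C:\WINDOWS\.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [winlogon] c:\windows\winlogon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O16 - DPF: IEEnhancer - http://64.69.90.233/adlapp/IEPackage.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>3}  {f.reason}\n     {f.line}")
```

Running it prints nine findings from the sample; the AlxTB1.dll BHO, the QuickTime Run entry and the MSN heartbeat.cab pass unflagged, which is exactly the gap a helper's knowledge of named adware fills.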

Unread postby Mobey » March 9th, 2005, 8:43 pm

Thank you very much :) I shall do that now.
Mobey
Active Member
 
Posts: 8
Joined: March 9th, 2005, 7:56 pm

Unread postby Mobey » March 9th, 2005, 9:01 pm

These are my scheduled tasks :)

Volume in drive C has no label.
Volume Serial Number is C819-85A9

Directory of c:\windows\tasks

10/03/2005 00:54 <DIR> .
10/03/2005 00:54 <DIR> ..
10/03/2005 01:00 266 AFFC64DB91841617.job
29/08/2002 04:00 65 DESKTOP.INI
04/03/2005 20:00 490 Norton AntiVirus - Scan my computer.job
04/03/2005 17:30 306 Norton SystemWorks One Button Checkup.job
09/03/2005 16:25 6 SA.DAT
10/03/2005 01:27 390 Symantec NetDetect.job
6 File(s) 1,523 bytes
2 Dir(s) 58,793,758,720 bytes free
--
A H C:\windows\tasks\AFFC64DB91841617.job
HR C:\windows\tasks\DESKTOP.INI
A C:\windows\tasks\Norton AntiVirus - Scan my computer.job
A C:\windows\tasks\Norton SystemWorks One Button Checkup.job
A H C:\windows\tasks\SA.DAT
A C:\windows\tasks\Symantec NetDetect.job
Mobey
Active Member
 
Posts: 8
Joined: March 9th, 2005, 7:56 pm

Unread postby ChrisRLG » March 10th, 2005, 5:13 am

Can I have a new hijackthis log too please.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby Mobey » March 10th, 2005, 9:01 am

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe

I can't find those two files? :o
Mobey
Active Member
 
Posts: 8
Joined: March 9th, 2005, 7:56 pm

Unread postby ChrisRLG » March 10th, 2005, 9:22 am

Carry on with the fix - just miss that part out - and post back with a new hijackthis log please.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

PROBLEM WITH MY PC

Unread postby Mobey » March 11th, 2005, 5:18 am

:cry:

It can connect to the internet and then not display any websites; it is going as slow as the traffic in London rush-hour. If you're foreign or don't understand my comparison: you log on, it takes 20 secs, then logging into my identity takes less than 20 secs, and then when you click on a program that you want it takes five or ten minutes to load up.
Mobey
Active Member
 
Posts: 8
Joined: March 9th, 2005, 7:56 pm

Unread postby ChrisRLG » March 11th, 2005, 5:31 am

I think you better post back with a new hijackthis log.

Please confirm if you are on dialup or DSL/Cable when you do.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby Mobey » March 11th, 2005, 7:32 am

I have deleted the program, hijack this, to see if that fixed it, but I'm on Broadband at 576kbs.

I don't know, is it possible that the Hijack this thought there were a few problems like the Firewall and knocked them off? Because I've tried to get the firewall back online.
Mobey
Active Member
 
Posts: 8
Joined: March 9th, 2005, 7:56 pm

Unread postby ChrisRLG » March 11th, 2005, 7:49 am

HJT is mostly a diagnostic program - it just reports what it sees.

The only time it 'does' anything is when you 'fix' having checked the lines you wish to have fixed.

So no it was not possible for it to harm your firewall unless the firewall lines had been fixed manually.

Please give me that new HJT log so I can see what is going on.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby Mobey » March 11th, 2005, 9:51 am

Ok I will do, but I'll see what I can find in the way of the new log, but it probably won't be posted till Monday or something.

What should I do, is it possible that when I ran the spyware checker or downloaded one of the things or went to one of the things it allowed spyware to come into my system?! :?
Mobey
Active Member
 
Posts: 8
Joined: March 9th, 2005, 7:56 pm

Unread postby ChrisRLG » March 11th, 2005, 9:55 am

It's very possible that one malware will leave a 'back door' open for other malware to get in, yes. They are also known to stop firewalls and other anti-malware programs from running.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby Mobey » March 12th, 2005, 3:33 pm

:?

Ok, my firewall has been knocked off as well and stuff also the CPU is running at 100% all the time.
Mobey
Active Member
 
Posts: 8
Joined: March 9th, 2005, 7:56 pm

Unread postby ChrisRLG » March 12th, 2005, 4:15 pm

Mobey

Without a hijackthis log, I cannot advise you with anything.

From Task Manager, can you see which processes are using the system? That might help.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK
