XXX Server Dial Up - Adware/Spyware - hijack this log. Please HELP!
Showing all messages in thread #1075726857 Windows XP Annoyances Discussion Forum
The following are all of the messages in this thread (11 in all), shown in chronological order.
XXX Server Dial Up - Adware/Spyware - hijack this log. Please HELP!
Monday, February 2, 2004 at 5:00 am Posted by iDiOt
(9 messages posted)
Can someone help me out? I have just today received the xxx server dialup. It attempted to dial out to the number 5551212. I want to make sure though that this and all spyware/adware is off this laptop.

I am not the best at this sort of thing so any help would be appreciated. I have read previous posts on this subject and they suggest downloading and installing SpyBot Search and Destroy. I've done this and checked and downloaded all available updates. Then I deleted all temporary internet files and cookies along with history.

I should point out I am on WinXP. I didn't delete all *.tmp files as one person on a previous thread suggested because he was instructing someone with Win98. Should I do the same? Should I empty the contents of the C:\Windows\temp folder and C:\temp folder? Will that do any damage?

Anyway, another thing he mentioned was posting a "HijackThis log". I am not sure what that is, but I have provided below a clipboard paste from SpyBot after I ran it. I have taken no action in removing anything as I am waiting for some advice from you helpful people. Please help! Thanks in advance.

Please explain in simple terms as I am not a massively techie guy. Thanks again.
CDilla: Program directory (Directory, nothing done)
  c:\C_DILLA

ClearSearch.Net: Autorun settings (Registry value, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ClrSchLoader

ClearSearch.Net: Program file (File, nothing done)
  C:\Program Files\ClearSearch\Loader.exe

DyFuCA: Global settings (Registry key, nothing done)
  HKEY_LOCAL_MACHINE\Software\FCI

DyFuCA: Library (File, nothing done)
  C:\WINDOWS\nem214.dll

DyFuCA.InternetOptimizer: Global settings (Registry key, nothing done)
  HKEY_LOCAL_MACHINE\Software\Avenue Media

DyFuCA.InternetOptimizer: User settings (Registry key, nothing done)
  HKEY_USERS\S-1-5-21-2000478354-813497703-854245398-1003\Software\Avenue Media

IGetNet: Browser helper object (Registry key, nothing done)
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{947E6D5A-4B9F-4CF4-91B3-562CA8D03313}

ShopAtHome: Autorun settings (Registry value, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SAHAgent

ShopAtHome: Class (Registry key, nothing done)
  HKEY_CLASSES_ROOT\WEBInstaller.execute.1

ShopAtHome: Class (Registry key, nothing done)
  HKEY_CLASSES_ROOT\WEBInstaller.execute

ShopAtHome: Class ID (Registry key, nothing done)
  HKEY_CLASSES_ROOT\CLSID\{30402FF4-3E71-4A1C-9B4B-1CD3486A9FB2}

ShopAtHome: Data file (File, nothing done)
  C:\WINDOWS\System32\vg.dat

ShopAtHome: Executable (File, nothing done)
  C:\WINDOWS\Downloaded Program Files\SAHDownloader_.exe

ShopAtHome: Global settings (Registry key, nothing done)
  HKEY_LOCAL_MACHINE\Software\VGroup\SAHAgent

ShopAtHome: Interface (Registry key, nothing done)
  HKEY_CLASSES_ROOT\Interface\{4E570F74-DEEE-4FCF-B960-FEEFA4B8C6FC}

ShopAtHome: Interface (Registry key, nothing done)
  HKEY_CLASSES_ROOT\Interface\{4828C95F-C5DB-4AB6-A945-8D8EC44B98A8}

ShopAtHome: Library (File, nothing done)
  C:\WINDOWS\System32\lsp.dll

ShopAtHome: Typelib (Registry key, nothing done)
  HKEY_CLASSES_ROOT\Typelib\{CDE442A3-DC2C-467E-A311-B4BC775D86C5}

VX2/?: User settings (Registry key, nothing done)
  HKEY_USERS\S-1-5-21-2000478354-813497703-854245398-1003\Software\Destiny

VX2/h.ABetterInternet: Browser helper object (Registry key, nothing done)
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{000006B1-19B5-414A-849F-2A3C64AE6939}

VX2/h.ABetterInternet: Executable (File, nothing done)
  C:\WINDOWS\biprep.exe

VX2/h.ABetterInternet: Uninstall settings (Registry key, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Dbi

Windows Media Player: Client ID (Registry change, nothing done)
  HKEY_USERS\S-1-5-21-2000478354-813497703-854245398-1003\Software\Microsoft\MediaPlayer\Player\Settings\Client ID=

--- Spybot-S&D version: 1.2 ---
2003-11-05 Includes\Cookies.sbi
2003-10-27 Includes\Dialer.sbi
2003-12-17 Includes\Hijackers.sbi
2003-11-11 Includes\Keyloggers.sbi
2003-12-17 Includes\Malware.sbi
2003-03-16 Includes\plugin-ignore.ini
2003-11-05 Includes\Security.sbi
2003-12-17 Includes\Spybots.sbi
2003-03-16 Includes\Temporary.sbi
2003-11-27 Includes\Tracks.uti
2003-12-10 Includes\Trojans.sbi
re: XXX Server Dial Up - Adware/Spyware - hijack this log. Please HELP!
Monday, February 2, 2004 at 5:04 am Posted by Rich
(326 messages posted)
Please go to this link, read the tutorial and download HijackThis.
http://www.mjc1.com/mirror/hjt/

Do not fix anything yet. Most items are harmless and necessary for Windows.

Post your HijackThis log here. Be sure to preserve spacing.
In reply to Kevin's message of Monday, February 2, 2004 at 5:00 am.
re: XXX Server Dial Up - Adware/Spyware - hijack this log. Please HELP!
Monday, February 2, 2004 at 5:14 am Posted by iDiOt
(9 messages posted)
OK, I got HijackThis and this is what it says. Hope this helps. Thanks for the help so far. Very much appreciated.
Logfile of HijackThis v1.97.7
Scan saved at 13:11:17, on 02/02/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\ClearSearch\Loader.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\freeserve\freeserveconnectionkit\atdialler1.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\FlashGet\flashget.exe
C:\Documents and Settings\Kevin.KEVINS-MACHINE\My Documents\Installation Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [DadApp] "C:\Program Files\Dell\AccessDirect\dadapp.exe"
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CARPService] "carpserv.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ATIModeChange] "Ati2mdxx.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: DigiChat Applet - http://host4.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37887.4123842593
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2A4D7E5-046A-4DAD-9442-61517983B6E9}: NameServer = 195.92.195.95 195.92.195.94
re: XXX Server Dial Up - Adware/Spyware - hijack this log. Please HELP!
Monday, February 2, 2004 at 5:24 am Posted by jaf
(3396 messages posted)
Rich's advice wasn't very good. Let Spybot fix immediate threats first. You may not need HijackThis yet. Why confuse matters?
re: XXX Server Dial Up - Adware/Spyware - hijack this log. Please HELP!
Monday, February 2, 2004 at 5:30 am Posted by Sabaa
(7 messages posted)
Post your log from HijackThis at Computer Cops (http://www.computercops.biz/postt911.html), and professionals will give you step-by-step instructions; the service is free.

A faster and easier way to correct this problem, if you are using Windows XP, is to just do a System Restore to a date prior to your browser being hijacked.
In reply to Rich's message of Monday, February 2, 2004 at 5:04 am.
re: XXX Server Dial Up - Adware/Spyware - hijack this log. Please HELP!
Monday, February 2, 2004 at 5:57 am Posted by mojo7819
(5744 messages posted)
In addition to Spybot S&D, try these other tools:

Download, install, UPDATE, and run:
  Ad-Aware 6.0
  SpywareGuard

Download and install:
  Google Toolbar, and activate the pop-up blocker.

Download and run:
  CWShredder

Make sure they are updated before running.

Don't worry about HijackThis until you have run all of these. These tools will automatically clean up most of the problems, as well as help to prevent further attacks. After these have all been run, you can post a HijackThis log if you wish. It should be pretty clean by that time.
In reply to Kevin's message of Monday, February 2, 2004 at 5:00 am.
re: XXX Server Dial Up - Adware/Spyware - hijack this log. Please HELP!
Monday, February 2, 2004 at 7:06 am Posted by Rich
(326 messages posted)
If you read his post more closely, he already ran Spybot.
In reply to jaf's message of Monday, February 2, 2004 at 5:24 am.
re: XXX Server Dial Up - Adware/Spyware - hijack this log. Please HELP!
Monday, February 2, 2004 at 7:07 am Posted by Rich
(326 messages posted)
First, please move HijackThis out of the temp directory (extract it from the zip) into a permanent folder. Example:
c:\program files\hijackthis\hijackthis.exe
This will allow backups to be made and saved by HijackThis in case something goes wrong.

Please close all windows and Internet Explorer instances, and check-mark the following items only in HijackThis:

O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB

Click the Fix button. Close HijackThis.
Reboot and show hidden files and folders per the link in my signature.

Please delete the following files or folders.
Files:
C:\WINDOWS\System32\SahAgent.exe
Folders:
C:\Program Files\ClearSearch\

Run a new log and post it here.
In reply to Kevin's message of Monday, February 2, 2004 at 5:14 am.
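Rich's list above works through the log by section: the ClearSearch BHOs and the orphaned O2 entries with "(no file)" behind them, the ShopAtHome and ClearSearch autostarts under O4, and the O16 control pulled from a bare IP address. The script below is an added example, not HijackThis's own code and not something any poster contributed, that applies those same checks mechanically to a HijackThis 1.97-style log and returns what to tick before pressing Fix. It assumes a constructed excerpt of Kevin's log as input; its known-bad autostart names (SAHAgent, ClrSchLoader) are taken only from this thread's Spybot results, and the "(no name)" BHO and path-less O4 checks only mark entries for review, since Acrobat's helper and several OEM tools in this log look the same way.

```python
"""Triage helper for a HijackThis 1.97-style log.

Added example for this thread; it is not HijackThis's own code and was not
posted by anyone in the thread. It applies the checks Rich applied by hand
to the O2 (BHO), O4 (autostart), O16 (Downloaded Program Files) and
O17 (DNS) lines and returns the entries a reviewer should look at first.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Autostart value names that the Spybot scan in this thread attributed to
# ShopAtHome and ClearSearch. A list constructed for this example, not a
# signature database: extend it from your own scanner output.
KNOWN_BAD_RUN_NAMES = {"SAHAgent", "ClrSchLoader"}

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^(?P<key>[^:]*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: (?P<ident>.*?) - (?P<url>\S+)$")
O17_RE = re.compile(r"NameServer = (?P<servers>.*)$")

# Excerpt constructed from the log posted above, so the script runs offline.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CARPService] "carpserv.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2A4D7E5-046A-4DAD-9442-61517983B6E9}: NameServer = 195.92.195.95 195.92.195.94
"""


def _finding(severity, section, reason, line):
    return {"severity": severity, "section": section, "reason": reason, "line": line}


def triage(log_text):
    """Return findings as dicts with severity 'fix' or 'review', in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list and blank lines carry no R/O entry
        sec, body = m.group("sec"), m.group("body")

        if sec == "O2":
            bho = O2_RE.match(body)
            if not bho:
                continue
            if bho.group("path") == "(no file)":
                findings.append(_finding("fix", sec,
                    "orphaned BHO: the registered DLL no longer exists", line))
            elif bho.group("name") == "(no name)":
                findings.append(_finding("review", sec,
                    "unnamed BHO: confirm the DLL's vendor before keeping it", line))

        elif sec == "O4":
            run = O4_RE.match(body)
            if not run:
                continue  # Global Startup .lnk entries use a different layout
            name = run.group("name")
            exe = run.group("cmd").strip().strip('"')
            if name in KNOWN_BAD_RUN_NAMES:
                findings.append(_finding("fix", sec,
                    f"autostart [{name}] is on the known-bad list", line))
            elif "\\" not in exe and "/" not in exe:
                findings.append(_finding("review", sec,
                    f"autostart [{name}] gives no path; '{exe}' is resolved via the search path", line))

        elif sec == "O16":
            dpf = O16_RE.match(body)
            if not dpf:
                continue
            host = urlparse(dpf.group("url")).hostname or ""
            try:
                ipaddress.ip_address(host)
            except ValueError:
                continue  # a hostname: nothing to conclude from the URL alone
            findings.append(_finding("fix", sec,
                f"ActiveX control served from a bare IP address ({host}); not how a vendor ships a control", line))

        elif sec == "O17":
            ns = O17_RE.search(body)
            if ns:
                findings.append(_finding("review", sec,
                    f"DNS servers {ns.group('servers')}: confirm they belong to your ISP", line))
    return findings


def to_fix(findings):
    """The log lines you would tick in HijackThis before pressing Fix."""
    return [f["line"] for f in findings if f["severity"] == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['section']:3} {f['reason']}\n       {f['line']}")
```

Everything the script tags as fix on the sample matches what Rich asked Kevin to tick; the O17 line is reported only so the resolvers can be checked against the ISP's published addresses, which nobody in the thread did.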
re: XXX Server Dial Up - Adware/Spyware - hijack this log. Please HELP!
Monday, February 2, 2004 at 10:34 am Posted by iDiOt
(9 messages posted)
Thanks everybody for your advice. I'm going to try out a few of these tips and get back to you. Again, all help has been very much appreciated. Thank you.
re: XXX Server Dial Up - Adware/Spyware - hijack this log. Please HELP!
Monday, February 2, 2004 at 1:35 pm Posted by jaf
(3396 messages posted)
You are the one that needs to read. And stop posting HijackThis instructions until you do. It isn't a fix-all for any post that has "spy" or "hijack" in it. His post asks if he should remove what Spybot found, and he was waiting to hear if he should. You ignored that; I didn't.
In reply to Rich's message of Monday, February 2, 2004 at 7:06 am.
re: XXX Server Dial Up - Adware/Spyware - hijack this log. Please HELP!
Tuesday, February 3, 2004 at 4:01 pm Posted by Rich
(326 messages posted)
He DID run Spybot, as he posted the log. Spybot is not a fix-all either. HijackThis is a good tool to see what is loading up and running.
In reply to jaf's message of Monday, February 2, 2004 at 1:35 pm.