Diamond_Cutter
(new user )
Mon Mar 08 2004 11:18 PM
Hijack (Resolved)

First post here goes..

When typing in IE www.google.com up pops a box telling me the FBI know what I am up to etc

I have followed the instructions re Adaware so here is my report. Any help would be gratefully received
Scan saved at 22:56:02, on 08/03/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
G:\WINNT\System32\smss.exe
G:\WINNT\system32\winlogon.exe
G:\WINNT\system32\services.exe
G:\WINNT\system32\lsass.exe
G:\WINNT\system32\svchost.exe
G:\WINNT\system32\spoolsv.exe
G:\WINNT\System32\svchost.exe
G:\WINNT\system32\regsvc.exe
G:\WINNT\system32\MSTask.exe
G:\WINNT\system32\stisvc.exe
G:\WINNT\system32\ZoneLabs\vsmon.exe
G:\WINNT\System32\WBEM\WinMgmt.exe
G:\WINNT\System32\mspmspsv.exe
G:\WINNT\system32\svchost.exe
G:\WINNT\System32\svchost.exe
G:\WINNT\system32\ZoneLabs\minilog.exe
G:\WINNT\Explorer.EXE
G:\Program Files\QuickTime\qttask.exe
G:\Program Files\Common Files\Real\Update_OB\realsched.exe
G:\Program Files\Tiscali\tkonnect\tkonnect.exe
G:\Program Files\MSN Messenger\msnmsgr.exe
G:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
G:\WINNT\system32\wuauclt.exe
G:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://collections.inhost.info/detect/urgent.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://collections.inhost.info/detect/urgent.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://collections.inhost.info/detect/urgent.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://collections.inhost.info/detect/urgent.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://collections.inhost.info/detect/urgent.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://collections.inhost.info/detect/urgent.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://collections.inhost.info/detect/urgent.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://collections.inhost.info/detect/urgent.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://collections.inhost.info/detect/urgent.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://collections.inhost.info/detect/urgent.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://collections.inhost.info/detect/urgent.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://collections.inhost.info/detect/urgent.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://collections.inhost.info/detect/urgent.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.61.33.183 www.yahoo.com
O1 - Hosts: 69.61.33.183 yahoo.com
O1 - Hosts: 69.61.33.183 www.google.com
O1 - Hosts: 69.61.33.183 google.com
O1 - Hosts: 69.61.33.183 www.altavista.com
O1 - Hosts: 69.61.33.183 altavista.com
O1 - Hosts: 69.61.33.183 search.microsoft.com
O1 - Hosts: 69.61.33.183 www.search.com
O1 - Hosts: 69.61.33.183 search.com
O1 - Hosts: 69.61.33.183 www.teoma.com
O1 - Hosts: 69.61.33.183 teoma.com
O1 - Hosts: 69.61.33.183 www.alltheweb.com
O1 - Hosts: 69.61.33.183 alltheweb.com
O1 - Hosts: 69.61.33.183 www.wisenut.com
O1 - Hosts: 69.61.33.183 wisenut.com
O1 - Hosts: 69.61.33.183 www.dmoz.org
O1 - Hosts: 69.61.33.183 dmoz.org
O1 - Hosts: 69.61.33.183 www.excite.com
O1 - Hosts: 69.61.33.183 excite.com
O1 - Hosts: 69.61.33.183 www.lycos.com
O1 - Hosts: 69.61.33.183 lycos.com
O1 - Hosts: 69.61.33.183 www.hotbot.com
O1 - Hosts: 69.61.33.183 hotbot.com
O1 - Hosts: 69.61.33.183 www.casino.com
O1 - Hosts: 69.61.33.183 casino.com
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - G:\WINNT\fhfmm.dll (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - G:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - G:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - G:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINNT\system32\msdxm.ocx
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - G:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - G:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [websx] G:\Program Files\websx\int339890.exe -auto
O4 - HKCU\..\Run: [tkonnect] G:\Program Files\Tiscali\tkonnect\tkonnect.exe updatemode
O4 - HKCU\..\Run: [sws.exe] g:\program files\GlobalDialer\tonex00142\8282269.exe -remove
O4 - HKCU\..\Run: [msnmsgr] "G:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] G:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: ZoneAlarm Pro.lnk = G:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone (HKLM)
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone (HKLM)
O9 - Extra button: Wallpaper (HKLM)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper (HKLM)
O9 - Extra button: Offline (HKLM)
O12 - Plugin for .spop: G:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.tiscali.com
O16 - DPF: {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} (FHFMMObj Class) -
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/vet_install_popup.pl?2&04.00.04.03&http://www.space.com/zoomview/baghdad_mar27.html
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} (SysWebTelecom Class) - http://www.sponsoradulto.com/SysWebTelecom2.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37701.4937384259
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8D3E5F8-46E2-4E36-AA2E-F9D1A8B5B097}: NameServer = 212.74.114.193 212.74.112.66




Edited by putasolutions on 13/03/2004 11:23 (server time).



bricat
(HijackThis Helper)
Mon Mar 08 2004 11:55 PM
Re: Hijack

Follow the instructions at the top of browser forum to run adaware and get rid of anything it finds, also spybot, delete anything in red. Also go HERE and d/load and run coolwebshredder. After you have done this post another hijack this log.
My wife has a slight impediment in her speech. Every now and then she stops to breathe.


Joe_London
(HijackThis Helper)
Tue Mar 09 2004 12:08 AM
Re: Hijack

There appears to be a lot of undesirable stuff in that log Bricat. We'll have a go tomorrow perhaps following your instructions.

Joe.
I'd start a revolution, if I could get up in the morning


bricat
(HijackThis Helper)
Tue Mar 09 2004 12:20 AM
Re: Hijack

That was why I suggested adaware, spybot, and coolwebshredder. They should get rid of most of them. It will make it a lot easier to clean up.
My wife has a slight impediment in her speech. Every now and then she stops to breathe.


greysts
(regular)
Tue Mar 09 2004 09:55 AM
Re: Hijack

Can I also suggest that he downloads W2000 SP4 plus any critical updates.


Diamond_Cutter
(new user )
Tue Mar 09 2004 07:14 PM
Re: Hijack

Thanks for your help so far, I have done as requested except w2000 sp4 as I am not sure what that is... Here is the new log

Scan saved at 19:08:11, on 09/03/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
G:\WINNT\System32\smss.exe
G:\WINNT\system32\winlogon.exe
G:\WINNT\system32\services.exe
G:\WINNT\system32\lsass.exe
G:\WINNT\system32\svchost.exe
G:\WINNT\system32\spoolsv.exe
G:\WINNT\System32\svchost.exe
G:\WINNT\system32\regsvc.exe
G:\WINNT\system32\MSTask.exe
G:\WINNT\system32\stisvc.exe
G:\WINNT\system32\ZoneLabs\vsmon.exe
G:\WINNT\System32\WBEM\WinMgmt.exe
G:\WINNT\System32\mspmspsv.exe
G:\WINNT\system32\svchost.exe
G:\WINNT\System32\svchost.exe
G:\WINNT\system32\ZoneLabs\minilog.exe
G:\WINNT\Explorer.EXE
G:\Program Files\QuickTime\qttask.exe
G:\Program Files\Common Files\Real\Update_OB\realsched.exe
G:\Program Files\Tiscali\tkonnect\tkonnect.exe
G:\Program Files\MSN Messenger\msnmsgr.exe
G:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
G:\PROGRA~1\WinZip\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://collections.inhost.info/detect/urgent.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://collections.inhost.info/detect/urgent.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://collections.inhost.info/detect/urgent.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://collections.inhost.info/detect/urgent.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://collections.inhost.info/detect/urgent.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://collections.inhost.info/detect/urgent.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://collections.inhost.info/detect/urgent.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://collections.inhost.info/detect/urgent.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://collections.inhost.info/detect/urgent.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://collections.inhost.info/detect/urgent.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://collections.inhost.info/detect/urgent.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://collections.inhost.info/detect/urgent.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://collections.inhost.info/detect/urgent.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.61.33.183 www.altavista.com
O1 - Hosts: 69.61.33.183 altavista.com
O1 - Hosts: 69.61.33.183 search.microsoft.com
O1 - Hosts: 69.61.33.183 www.search.com
O1 - Hosts: 69.61.33.183 search.com
O1 - Hosts: 69.61.33.183 www.teoma.com
O1 - Hosts: 69.61.33.183 teoma.com
O1 - Hosts: 69.61.33.183 www.alltheweb.com
O1 - Hosts: 69.61.33.183 alltheweb.com
O1 - Hosts: 69.61.33.183 www.wisenut.com
O1 - Hosts: 69.61.33.183 wisenut.com
O1 - Hosts: 69.61.33.183 www.dmoz.org
O1 - Hosts: 69.61.33.183 dmoz.org
O1 - Hosts: 69.61.33.183 www.excite.com
O1 - Hosts: 69.61.33.183 excite.com
O1 - Hosts: 69.61.33.183 www.lycos.com
O1 - Hosts: 69.61.33.183 lycos.com
O1 - Hosts: 69.61.33.183 www.hotbot.com
O1 - Hosts: 69.61.33.183 hotbot.com
O1 - Hosts: 69.61.33.183 www.casino.com
O1 - Hosts: 69.61.33.183 casino.com
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - G:\WINNT\fhfmm.dll (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - G:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - G:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - G:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINNT\system32\msdxm.ocx
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - G:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - G:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [websx] G:\Program Files\websx\int339890.exe -auto
O4 - HKCU\..\Run: [tkonnect] G:\Program Files\Tiscali\tkonnect\tkonnect.exe updatemode
O4 - HKCU\..\Run: [sws.exe] g:\program files\GlobalDialer\tonex00142\8282269.exe -remove
O4 - HKCU\..\Run: [msnmsgr] "G:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] G:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: ZoneAlarm Pro.lnk = G:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone (HKLM)
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone (HKLM)
O9 - Extra button: Wallpaper (HKLM)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper (HKLM)
O9 - Extra button: Offline (HKLM)
O12 - Plugin for .spop: G:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.tiscali.com
O16 - DPF: {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} (FHFMMObj Class) -
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/vet_install_popup.pl?2&04.00.04.03&http://www.space.com/zoomview/baghdad_mar27.html
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} (SysWebTelecom Class) - http://www.sponsoradulto.com/SysWebTelecom2.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37701.4937384259
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

When I try and run BPS spyware remover it says there are infected files then it freezes and therefore I cannot delete them.

Thanks again


ourstanley
(regular)
Tue Mar 09 2004 07:17 PM
Re: Hijack

Have you run Coolwebshredder? Did it find anything?


XP Home-768MB-60GB-AMD 2400 -IE6-BT Broadband-500ml Stella.
...nothing's foolproof to a talented fool.

Edited by ourstanley on 09/03/2004 19:20 (server time).



greysts
(regular)
Tue Mar 09 2004 07:40 PM
Re: Hijack

I was referring to Windows 2000 Service Pack 4 which you can find here. You currently have Service Pack 3.


Diamond_Cutter
(new user )
Tue Mar 09 2004 09:17 PM
Re: Hijack

I have run coolwebshredder, it did not find anything... but I have typed www.google.com into IE and the redirect/pop up didn't! That's the good news. When I typed in www.teoma.com up she came. I have now deleted the search engine from favourites but I reckon something is still in here!!

Thanks for your help again

I will run SP4 update tomorrow


putasolutions
(regular)
Tue Mar 09 2004 09:20 PM
Re: Hijack

Could you please post a fresh Hijack this log?
Please post your query to the boards as many hands make light work, and I'm not talking electricians! If your problem is solved, let us know so that others can learn.


Diamond_Cutter
(new user )
Tue Mar 09 2004 09:31 PM
Re: Hijack

As requested new log...


Scan saved at 21:32:57, on 09/03/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
G:\WINNT\System32\smss.exe
G:\WINNT\system32\winlogon.exe
G:\WINNT\system32\services.exe
G:\WINNT\system32\lsass.exe
G:\WINNT\system32\svchost.exe
G:\WINNT\system32\spoolsv.exe
G:\WINNT\System32\svchost.exe
G:\WINNT\system32\regsvc.exe
G:\WINNT\system32\MSTask.exe
G:\WINNT\system32\stisvc.exe
G:\WINNT\system32\ZoneLabs\vsmon.exe
G:\WINNT\System32\WBEM\WinMgmt.exe
G:\WINNT\System32\mspmspsv.exe
G:\WINNT\system32\svchost.exe
G:\WINNT\System32\svchost.exe
G:\WINNT\system32\ZoneLabs\minilog.exe
G:\WINNT\Explorer.EXE
G:\Program Files\QuickTime\qttask.exe
G:\Program Files\Common Files\Real\Update_OB\realsched.exe
G:\Program Files\Tiscali\tkonnect\tkonnect.exe
G:\Program Files\MSN Messenger\msnmsgr.exe
G:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
G:\PROGRA~1\Internet\icc\icc2000.exe
G:\Program Files\Internet\Tiscali_uk\tb.exe
G:\WINNT\system32\wuauclt.exe
G:\PROGRA~1\WinZip\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://collections.inhost.info/detect/urgent.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://collections.inhost.info/detect/urgent.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://collections.inhost.info/detect/urgent.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://collections.inhost.info/detect/urgent.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://collections.inhost.info/detect/urgent.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://collections.inhost.info/detect/urgent.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://collections.inhost.info/detect/urgent.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://collections.inhost.info/detect/urgent.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://collections.inhost.info/detect/urgent.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://collections.inhost.info/detect/urgent.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://collections.inhost.info/detect/urgent.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://collections.inhost.info/detect/urgent.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://collections.inhost.info/detect/urgent.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.61.33.183 www.altavista.com
O1 - Hosts: 69.61.33.183 altavista.com
O1 - Hosts: 69.61.33.183 search.microsoft.com
O1 - Hosts: 69.61.33.183 www.search.com
O1 - Hosts: 69.61.33.183 search.com
O1 - Hosts: 69.61.33.183 www.teoma.com
O1 - Hosts: 69.61.33.183 teoma.com
O1 - Hosts: 69.61.33.183 www.alltheweb.com
O1 - Hosts: 69.61.33.183 alltheweb.com
O1 - Hosts: 69.61.33.183 www.wisenut.com
O1 - Hosts: 69.61.33.183 wisenut.com
O1 - Hosts: 69.61.33.183 www.dmoz.org
O1 - Hosts: 69.61.33.183 dmoz.org
O1 - Hosts: 69.61.33.183 www.excite.com
O1 - Hosts: 69.61.33.183 excite.com
O1 - Hosts: 69.61.33.183 www.lycos.com
O1 - Hosts: 69.61.33.183 lycos.com
O1 - Hosts: 69.61.33.183 www.hotbot.com
O1 - Hosts: 69.61.33.183 hotbot.com
O1 - Hosts: 69.61.33.183 www.casino.com
O1 - Hosts: 69.61.33.183 casino.com
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - G:\WINNT\fhfmm.dll (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - G:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - G:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - G:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINNT\system32\msdxm.ocx
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - G:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - G:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [websx] G:\Program Files\websx\int339890.exe -auto
O4 - HKCU\..\Run: [tkonnect] G:\Program Files\Tiscali\tkonnect\tkonnect.exe updatemode
O4 - HKCU\..\Run: [sws.exe] g:\program files\GlobalDialer\tonex00142\8282269.exe -remove
O4 - HKCU\..\Run: [msnmsgr] "G:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] G:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: ZoneAlarm Pro.lnk = G:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone (HKLM)
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone (HKLM)
O9 - Extra button: Wallpaper (HKLM)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper (HKLM)
O9 - Extra button: Offline (HKLM)
O12 - Plugin for .spop: G:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.tiscali.com
O16 - DPF: {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} (FHFMMObj Class) -
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/vet_install_popup.pl?2&04.00.04.03&http://www.space.com/zoomview/baghdad_mar27.html
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} (SysWebTelecom Class) - http://www.sponsoradulto.com/SysWebTelecom2.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37701.4937384259
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A8D3E5F8-46E2-4E36-AA2E-F9D1A8B5B097}: NameServer = 212.74.114.129 212.74.114.193

Keep me posted....


bricat
(HijackThis Helper)
Tue Mar 09 2004 10:16 PM
Re: Hijack

Close all windows, rerun hijack this and put a tick beside these and CLICK FIX CHECKED.

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://collections.inhost.info/detect/urgent.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://collections.inhost.info/detect/urgent.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://collections.inhost.info/detect/urgent.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://collections.inhost.info/detect/urgent.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://collections.inhost.info/detect/urgent.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://collections.inhost.info/detect/urgent.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://collections.inhost.info/detect/urgent.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://collections.inhost.info/detect/urgent.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://collections.inhost.info/detect/urgent.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://collections.inhost.info/detect/urgent.html
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.61.33.183 www.altavista.com
O1 - Hosts: 69.61.33.183 altavista.com
O1 - Hosts: 69.61.33.183 search.microsoft.com
O1 - Hosts: 69.61.33.183 www.search.com
O1 - Hosts: 69.61.33.183 search.com
O1 - Hosts: 69.61.33.183 www.teoma.com
O1 - Hosts: 69.61.33.183 teoma.com
O1 - Hosts: 69.61.33.183 www.alltheweb.com
O1 - Hosts: 69.61.33.183 alltheweb.com
O1 - Hosts: 69.61.33.183 www.wisenut.com
O1 - Hosts: 69.61.33.183 wisenut.com
O1 - Hosts: 69.61.33.183 www.dmoz.org
O1 - Hosts: 69.61.33.183 dmoz.org
O1 - Hosts: 69.61.33.183 www.excite.com
O1 - Hosts: 69.61.33.183 excite.com
O1 - Hosts: 69.61.33.183 www.lycos.com
O1 - Hosts: 69.61.33.183 lycos.com
O1 - Hosts: 69.61.33.183 www.hotbot.com
O1 - Hosts: 69.61.33.183 hotbot.com
O1 - Hosts: 69.61.33.183 www.casino.com
O1 - Hosts: 69.61.33.183 casino.com
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - G:\WINNT\fhfmm.dll (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - G:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - G:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - G:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - G:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - G:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "G:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [websx] G:\Program Files\websx\int339890.exe -auto
O4 - HKCU\..\Run: [sws.exe] g:\program files\GlobalDialer\tonex00142\8282269.exe -remove
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper (HKLM)
O9 - Extra button: Offline (HKLM)
O16 - DPF: {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} (FHFMMObj Class) -
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} (SysWebTelecom Class) - http://www.sponsoradulto.com/SysWebTelecom2.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab

My wife has a slight impediment in her speech. Every now and then she stops to breathe.
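
Added example, not part of any post in this thread: a Python sketch of the triage the helpers did by eye on these logs. It groups `O1 - Hosts` entries by target IP, groups the IE `R0`/`R1` settings by the host of the URL they hold, and compares two scans to show which redirects survived a cleanup pass. The function names and the `min_sites` threshold are assumptions made for this example; the sample lines are excerpts copied from the logs above.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Excerpts copied from the 08/03/2004 and 09/03/2004 (21:32) logs in this thread.
LOG_08_MARCH = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://collections.inhost.info/detect/urgent.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://collections.inhost.info/detect/urgent.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
O1 - Hosts: 69.61.33.183 www.yahoo.com
O1 - Hosts: 69.61.33.183 www.google.com
O1 - Hosts: 69.61.33.183 google.com
O1 - Hosts: 69.61.33.183 www.altavista.com
O1 - Hosts: 69.61.33.183 www.teoma.com
O1 - Hosts: 69.61.33.183 teoma.com
"""
LOG_09_MARCH = r"""
O1 - Hosts: 69.61.33.183 www.altavista.com
O1 - Hosts: 69.61.33.183 www.teoma.com
O1 - Hosts: 69.61.33.183 teoma.com
"""

ENTRY_RE = re.compile(r"^([RO]\d{1,2}) - (.+)$")
# Addresses commonly used in hosts files to block a site rather than redirect it.
BLOCKING_IPS = {"127.0.0.1", "0.0.0.0"}


def parse_log(text):
    """Return (code, body) pairs for each 'R1 - ...' or 'O1 - ...' style line."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def hosts_redirects(entries):
    """Map each non-blocking IP in the O1 entries to the set of sites sent to it."""
    by_ip = defaultdict(set)
    for code, body in entries:
        if code != "O1" or not body.startswith("Hosts:"):
            continue
        parts = body[len("Hosts:"):].split()
        if len(parts) < 2 or parts[0] in BLOCKING_IPS:
            continue
        for name in parts[1:]:
            name = name.lower()
            # Treat www.example.com and example.com as one site.
            by_ip[parts[0]].add(name[4:] if name.startswith("www.") else name)
    return dict(by_ip)


def ie_url_settings(entries):
    """Group IE start/search settings (R0/R1) by the host of the URL they hold."""
    by_host = defaultdict(list)
    for code, body in entries:
        if code not in ("R0", "R1") or " = " not in body:
            continue
        setting, value = body.split(" = ", 1)
        host = urlsplit(value.strip()).hostname
        if host:  # skips about:blank and plain strings such as window titles
            by_host[host].append(setting)
    return dict(by_host)


def triage(text, min_sites=3):
    """Summarise one log: IPs that capture several unrelated sites, and IE URL hosts.

    min_sites is an assumed heuristic threshold, not a HijackThis rule.
    """
    entries = parse_log(text)
    hosts = {ip: sorted(sites)
             for ip, sites in hosts_redirects(entries).items()
             if len(sites) >= min_sites}
    return {"hosts": hosts, "ie": ie_url_settings(entries)}


def still_redirected(before, after):
    """Return (sites redirected in both scans, sites cleared between the scans)."""
    old = set().union(*hosts_redirects(parse_log(before)).values())
    new = set().union(*hosts_redirects(parse_log(after)).values())
    return sorted(old & new), sorted(old - new)


if __name__ == "__main__":
    report = triage(LOG_08_MARCH)
    for ip, sites in report["hosts"].items():
        print(f"{ip} captures {len(sites)} sites: {', '.join(sites)}")
    for host, settings in report["ie"].items():
        print(f"{host} is set in {len(settings)} IE settings")
    kept, cleared = still_redirected(LOG_08_MARCH, LOG_09_MARCH)
    print("still redirected:", kept)
    print("cleared:", cleared)
```

The comparison reproduces what the original poster saw on 9 March: google.com no longer redirected while teoma.com still did, because the remaining `O1` lines had not yet been fixed.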


Joe_London
(HijackThis Helper)
Tue Mar 09 2004 10:48 PM
Re: Hijack

I think you did a really good job there Bricat. I went through it myself but you got the same ones as me and then some. That should help it run a bit better.

Joe.
I'd start a revolution, if I could get up in the morning


Diamond_Cutter
(new user )
Fri Mar 12 2004 09:25 PM
Re: Hijack

I have done as Bricat suggested and it has worked, so thanks for all your help... also to Joe_London and putasolutions





bricat
(HijackThis Helper)
Sat Mar 13 2004 10:49 AM
Re: Hijack

glad it's sorted
My wife has a slight impediment in her speech. Every now and then she stops to breathe.


© Copyright IPC Media Limited, All rights reserved