|
|
|Jack
Unregistered
|
|
Logfile of HijackThis v1.95.1
Scan saved at 07:32:09 PM, on 18/07/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\RAPIDBLASTER\RB32.EXE
C:\WINDOWS\SYSTEM\WIN32GB.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUNOTIFY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\TWAIN_32\A4S2_32\WATCH.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\SWTRAY.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\TESCONET\TESCONET.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.noblindlinks.com/sp.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=129193
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tesco.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://search.xrenoder.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=129193
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://search.xrenoder.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://search.xrenoder.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main\,HomeOldSP = http://www.noblindlinks.com/
F1 - win.ini: run=hpfsched
O1 - Hosts: 193.125.201.50 msn.com
O1 - Hosts: 193.125.201.50 search.msn.com
O1 - Hosts: 193.125.201.50 auto.search.msn.com
O1 - Hosts: 193.125.201.50 ie.search.msn.com
O1 - Hosts: 193.125.201.46 thehun.net
O1 - Hosts: 193.125.201.46 www.thehun.net
O1 - Hosts: 193.125.201.46 thehun.com
O1 - Hosts: 193.125.201.46 www.thehun.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,UpdateRegSettings
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [VsecomrEXE] C:\PROGRA~1\PLUS!\Viruscan\VSECOMR.EXE
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRA~1\PLUS!\Viruscan\VSHWIN32.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [cursor] "C:\Program Files\Screendragon VS3\Screendragon VS3 Taskbar.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CreateCD50] "c:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TimeSink Ad Client] "C:\Program Files\TimeSink\AdGateway\TSADBOT.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [rb32 lptt01] "c:\program files\RapidBlaster\rb32.exe"
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [win32gb] c:\windows\system\win32gb.exe /noconnect
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRA~1\PLUS!\Viruscan\VSHWIN32.EXE /NoSplash
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\A4S2_32\WATCH.exe
O4 - Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
O4 - Startup: SwTray.lnk = C:\Program Files\Microsoft Hardware\Game Controllers\SWTRAY.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: CreataCard Gold 2 Forget Me Not Reminders.lnk = C:\Program Files\creatacard\gold\FMRMD32.EXE
O4 - Startup: AOL Tray Icon.lnk = C:\WINDOWS\HWINFO.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net
O15 - Trusted Zone: http://register-tesco.qa.business.ntl.com
O15 - Trusted Zone: http://memberservices.tesco.net
O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://dialers.netcollex.net/l220854.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {4E544C53-6967-6E02-BBAD-233AD71832A8} (NTLSignup1 Class) - https://tesco.autoregister.net/tesco/NTLSignup.cab
|
|
putasolutions
regular
Reg'd: Tue
Posts: 12469
Loc: Infinity and beyond
|
|
You have managed to pick up a rather virulent form of spyware called rapidblaster, probbably when you installed screendragon.
First I would like you to close screen dragon, go to Add/remove programs in Control Panel and then remove Screen dragon, because it won't work after everything else you are about to do
This is the direct link to an application called rbkiller
Download and run it
When you have done that
Rerun Hijack This and put a check in the following:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.noblindlinks.com/sp.shtml
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=129193
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://search.xrenoder.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=129193
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://search.xrenoder.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://search.xrenoder.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main\,HomeOldSP = http://www.noblindlinks.com/
O1 - Hosts: 193.125.201.50 msn.com
O1 - Hosts: 193.125.201.50 search.msn.com
O1 - Hosts: 193.125.201.50 auto.search.msn.com
O1 - Hosts: 193.125.201.50 ie.search.msn.com
O1 - Hosts: 193.125.201.46 thehun.net
O1 - Hosts: 193.125.201.46 www.thehun.net
O1 - Hosts: 193.125.201.46 thehun.com
O1 - Hosts: 193.125.201.46 www.thehun.com
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [cursor] "C:\Program Files\Screendragon VS3\Screendragon VS3 Taskbar.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [TimeSink Ad Client] "C:\Program Files\TimeSink\AdGateway\TSADBOT.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [rb32 lptt01] "c:\program files\RapidBlaster\rb32.exe"
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [win32gb] c:\windows\system\win32gb.exe /noconnect
O4 - Startup: CreataCard Gold 2 Forget Me Not Reminders.lnk = C:\Program Files\creatacard\gold\FMRMD32.EXE
OO16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://dialers.netcollex.net/l220854.cab
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
and click Fix Checked
Restart your computer
Go to Start | Search | For Files and Folders
Type in Rapid Blaster
You should find a folder called Rapid Blaster in c:\Program Files
Right Click it and delete it
Rerun your Hijack This and post your NEW log here so I can check that it has all been removed
Of all the Things I've lost, I miss my mind the most
|
Jack
Unregistered
|
|
Dear Mr "putasolutions you are a marvel. I will do what you ask but my wife is calling me, we are going to the theatre, but will contnue tomorow, thanks. Jack
|
jack
regular
Reg'd: Sat
Posts: 36
Loc: devon
|
|
Mr putasolutions, I'm sorry to be so long in answering, i'ts kind of you to help me, I appreciate it. I'v had a bit of an emergency here, my daughter just had an operation, she's O K now.
I'm having trouble transfering your instructions to "Hijack". I've made a copy in "notepad" and put your instructions in it, How do I get it ot "Hijack" I'm sorry to be so dim. Jack
|
putasolutions
regular
Reg'd: Tue
Posts: 12469
Loc: Infinity and beyond
|
|
To be honest, your daughters health is FAR more important than any machine, so there is absolutely no need to apologise.
Have a look at this page on how to obtain your hijack log
Of all the Things I've lost, I miss my mind the most
|
putasolutions
regular
Reg'd: Tue
Posts: 12469
Loc: Infinity and beyond
|
|
Logfile of HijackThis v1.95.1
Scan saved at 07:07:05 PM, on 20/07/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\WINDOWS\SYSTEM\WIN32GB.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUNOTIFY.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\TWAIN_32\A4S2_32\WATCH.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\SWTRAY.EXE
C:\PROGRAM FILES\TESCONET\TESCONET.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.web-user.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,UpdateRegSettings
O4 - HKLM\..\Run: [VsecomrEXE] C:\PROGRA~1\PLUS!\Viruscan\VSECOMR.EXE
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRA~1\PLUS!\Viruscan\VSHWIN32.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CreateCD50] "c:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRA~1\PLUS!\Viruscan\VSHWIN32.EXE /NoSplash
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\A4S2_32\WATCH.exe
O4 - Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
O4 - Startup: SwTray.lnk = C:\Program Files\Microsoft Hardware\Game Controllers\SWTRAY.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: AOL Tray Icon.lnk = C:\WINDOWS\HWINFO.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net
O15 - Trusted Zone: http://register-tesco.qa.business.ntl.com
O15 - Trusted Zone: http://memberservices.tesco.net
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {4E544C53-6967-6E02-BBAD-233AD71832A8} (NTLSignup1 Class) - https://tesco.autoregister.net/tesco/NTLSignup.cab
Of all the Things I've lost, I miss my mind the most
|
|
|
Previous
Index
Next
Threaded
Edit
Reply
Quote
