|
Donations |
|
|
|
|
|
If you found this site helpful, please donate to help keep it online
Don't want to use PayPal? Try our physical address
|
|
|
Survey |
|
|
|
|
|
|
|
|
Translate |
|
|
|
|
|
|
|
|
|
|
View previous topic :: View next topic |
Author |
Message |
viskiee
Private
Premium Member
Joined: Apr 10, 2004
Posts: 45
Location: USA
|
Posted: Sun May 30, 2004 6:03 pm Post subject: My notebook is hosed.... please read my log... |
|
|
Dell Celeron
Windows xp
Do you need anything else?
Thanks
Viskiee
Logfile of HijackThis v1.97.7
Scan saved at 6:00:18 PM, on 5/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\WINDOWS\System32\dskmgr32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\ziploader.exe
C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
C:\Program Files\Common Files\MySoftware\NewsFlsh.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\America Online 8.0\aol.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\aolwbspd.exe
C:\Documents and Settings\JAMES R MCCOY\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us/1524/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dedeomb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dedeomb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us/1524/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1524/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dedeomb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1524/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dedeomb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dedeomb.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us/1524/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us/1524/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dedeomb.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = "C:\Program Files\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1524/
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us/1524/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {D86BD809-A488-43AB-82F1-01BE0081C721} - C:\WINDOWS\System32\dedeomb.dll (file missing)
O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [dskmgr32] C:\WINDOWS\System32\dskmgr32.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
O4 - Global Startup: MySoftware NewsFlash.lnk = C:\Program Files\Common Files\MySoftware\NewsFlsh.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .kar: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O13 - DefaultPrefix: http://www.nkvd.us/1524/
O13 - WWW Prefix: http://www.nkvd.us/1524/
O13 - Home Prefix: http://www.nkvd.us/1524/
O13 - Mosaic Prefix: http://www.nkvd.us/1524/
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://63.217.29.115/cax.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/share...insctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/share...cgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC9EE6C3-1F61-47D0-AAC6-21F07A0C4967}: NameServer = 205.188.146.146 |
|
Back to top |
|
|
helpless
1st Responder
Joined: Jan 29, 2004
Posts: 718
Location: Belgium
|
Posted: Thu Jun 03, 2004 2:08 pm Post subject: |
|
|
hollala, FIRST thing you need to run on your pc is CWShredder
Download CWShredder from http://www.computercops.biz/downloads-file-349.html update it.
Close ALL other programs & windows, including IE, before running CWShredder.
Select the fix button & it will get rid of everything related to CoolWebSearch.
Reboot
then rerun HiJack and mark the below to be fixed as it is a dailer
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://63.217.29.115/cax.cab
also all the entries with "(obfuscated)" at the end
reboot in safe mode and rename the file
C:\WINDOWS\System32\dedeomb.dll to OLDdedeomb.dll
then there is one i dont trust , do you know it ?
O4 - HKLM\..\Run: [dskmgr32] C:\WINDOWS\System32\dskmgr32.exe
and post a fresh log afterwards
cu
_________________
Learning everyday something new.
-----------------------------------------
There are always 2 correct answers, the "Microsoft correct answer" and "answers that work" |
|
Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
Powered by phpBB 2.0.8a © 2001 phpBB Group
Version 2.0.6 of PHP-Nuke Port by Tom Nitzschner © 2002 www.toms-home.com
Version 2.2 by Paul Laudanski © 2003-2004 Computer Cops
|