  rrlover
join:2001-03-25 Marlborough, CT | @#&@$ Hijackers
I can't seem to get rid of this.
res://ncmkt.dll/index.html
Does anyone know what this is and how to get rid of it? I used Spybot and Ad-Aware with no change. |
|
  habya Premium join:2003-05-29 Huntsville, AL clubs:  | Start by reading up and following instructions here »Security »I think my computer is infected or hijacked. What should I do? |
|
  rrlover
join:2001-03-25 Marlborough, CT | I followed the FAQ and I still get this search site. It also seems to reduce the effectiveness of the popup blocker. Is there anything else I can do? Should I do a system restore?? |
|
  habya Premium join:2003-05-29 Huntsville, AL clubs: 
| reply to rrlover Well, after running all the programs, Spybot, Ad-aware, CWShredder, anti-virus and the like, then you should probably download and run HijackThis and post a log here. -- HABYA HABYA HABYA TEAR DOWN THE HEM STALKS EAT UP THE OLD MAN AND WOMAN AND CARRY OFF THE LITTLE GIRL MAY YOU DIE ALONE |
|
  seqrets Premium join:2001-05-03 Nederland, TX clubs: | reply to rrlover If you followed the FAQ, you would have posted a HJT log! |
|
  rrlover
join:2001-03-25 Marlborough, CT
| Sorry, here is the log.
Logfile of HijackThis v1.97.7 Scan saved at 8:46:38 PM, on 6/14/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\CTsvcCDA.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\NORTON~1\navapw32.exe C:\Program Files\PopUp Killer\PopUpKiller.EXE C:\Program Files\Network ICE\BlackICE\blackd.exe C:\Program Files\Network ICE\BlackICE\blackice.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\addmt32.exe C:\WINDOWS\system32\wingz.exe C:\Documents and Settings\Marco\Desktop\hjt\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ncmkt.dll/sp.html#96676 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ncmkt.dll/index.html#96676 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ncmkt.dll/index.html#96676 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »rd.yahoo.com/customize/ymsgr/def···rch.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ncmkt.dll/sp.html#96676 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ncmkt.dll/index.html#96676 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ncmkt.dll/sp.html#96676 O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {95959306-6D53-E376-B42A-64BFA4556181} - C:\WINDOWS\netcg32.dll O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar1.dll (file missing) O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll (file missing) O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE O4 - HKLM\..\Run: [addmt32.exe] C:\WINDOWS\addmt32.exe O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe O6 - 
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: LimeShop Preferences - file://c:\Program Files\topMoxie\TEMP\limeshop_script.htm O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM) O9 - Extra button: AIM (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Messenger (HKLM) O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: axscanner - »www.pestscan.com/scanner/axscanner.cab O16 - DPF: axscannerruntime - »www.pestscan.com/scanner/axscann···time.cab O16 - DPF: mscomctl - »www.pestscan.com/scanner/mscomctl.cab O16 - DPF: msvcp71 - »download.pestpatrol.com/Download···cp71.cab O16 - DPF: msvcr71 - »download.pestpatrol.com/Download···cr71.cab O16 - DPF: ppctlcab - »www.pestscan.com/scanner/ppctlcab.cab O16 - DPF: Yahoo! Poker - »download.games.yahoo.com/games/c···t1_x.cab O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - »support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - »www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - »www.pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - »download.macromedia.com/pub/shoc···r/sw.cab O16 - DPF: {25064DE4-9CC0-11D5-BB86-0050DAC5EBD0} (printQuick Browser Add In) - »www.pqvalet.com/plugin/axversion···uick.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - »security2.norton.com/SSC/SharedC···niff.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - »download.yahoo.com/dl/installs/yinst.cab O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - »www.cult3d.com/download/cult.cab O16 - DPF: 
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - »office.microsoft.com/officeupdat···opuc.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »a1540.g.akamai.net/7/1540/52/200···ller.exe O16 - DPF: {430DDE24-C051-11CF-95BE-0020AFF75E4F} (ichat xchat Control) - »neuro.vetmed.ufl.edu:4080/chat/d···chat.ocx O16 - DPF: {43E1F2E4-C2BA-11D3-AC40-0050049804AB} (Update Class) - »207.245.26.119/dev/update.cab O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - »office.microsoft.com/productupda···opuc.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - »207.188.7.150/265991c7d0775b9883···E601.cab O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - »office.microsoft.com/productupda···opuc.cab O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - »us.games2.yimg.com/download.game···_0_1.ocx O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - »toolbar.google.com/data/en/deleo···eNav.cab O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} (GigexCtrl ActiveX) - »www.gigex.com/tv/igor/gigexagent.dll O16 - DPF: {70522FA0-4656-11D5-B0E9-0050DAC24E8F} - »download.iwon.com/ct/pm3/iwonpm_···,2,5.cab O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - »launch.gamespyarcade.com/softwar···unch.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - »a840.g.akamai.net/7/840/537/2001···an53.cab O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - »support.dell.com/us/en/systempro···fLcd.CAB O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - »www.installengine.com/engine/isetup.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - »www.pandasoftware.com/activescan···inst.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - »v4.windowsupdate.microsoft.com/C···68055556 O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - 
»fdl.msn.com/zone/datafiles/heartbeat.cab O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - »security2.norton.com/SSC/SharedC···absa.cab O16 - DPF: {C3498BF0-2C07-43C8-99D0-434B038334A6} (VDLaunch Class) - »www.catharon.com/download/plugins/ievdl2.ocx O16 - DPF: {C78AC153-1FB9-4198-986D-3613E49B152E} (ScanMe Class) - »download.microsoft.com/download/···edll.cab O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - »photos.yahoo.com/ocx/us/yexplorer1_9us.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »download.macromedia.com/pub/shoc···lash.cab O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - »carpoint.msn.com/components/ocx/···icer.cab O16 - DPF: {F554B9AB-E6C9-4FA6-BFE7-B3CB24AD5027} (MSN Money Charting) - »fdl.msn.com/public/investor/v10/investor.cab O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - »ccon.madonion.com/global/msc.cab
Thanks for the help. |
|
  rrlover
join:2001-03-25 Marlborough, CT
| --==***@@@ FIND-ALL' VERSION MODIFIED -6/05 @@@***==-- --==***@@@ ORIGINAL BY FREEATLAST @@@***==--
Mon 06/14/2004 09:21 PM
System Info:
Microsoft Windows XP [Version 5.1.2600] C: "" (FC9B:F3DA) - FS:NTFS clusters:4k Total: 40 007 729 152 [37G] - Free: 18 131 144 704 [17G]
*IE version and Service packs: 6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe *Notepad version : 5.1.2600.0 C:\WINDOWS\system32\notepad.exe 5.1.2600.0 C:\WINDOWS\notepad.exe *Media Player version : 8.0.0.4487 C:\Program Files\Windows Media Player\wmplayer.exe
! REG.EXE VERSION 2.0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings MinorVersion REG_SZ ;SP1;Q328970;Q324929;Q810847;Q813951;Q813489;Q330994;Q818529;Q822925;Q828750;Q824145;Q832894;Q837009;Q831167;
Locked or 'Suspect' file(s) found... These may be other files that Dllfix doesnt target.
Scanning for main Hijacker:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "DeviceNotSelectedTimeout"="15" "GDIProcessHandleQuota"=dword:00002710 "Spooler"="yes" "swapdisk"="" "TransmissionRetryTimeout"="90" "USERProcessHandleQuota"=dword:00002710
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] @=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95959306-6D53-E376-B42A-64BFA4556181}] @=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}] @="NAV Helper"
REGEDIT4
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream] "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus] "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload] "CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler] @="AP Class Install Handler filter" "CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate] @="AP Deflate Encoding/Decoding Filter " "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip] @="AP GZIP Encoding/Decoding Filter " "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml] @="AP lzdhtml encoding/decoding Filter" "CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"
[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml] @="WebView MIME Filter" "CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
! REG.EXE VERSION 2.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
*Security settings for 'Windows' key:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above Copyright (c) 1999-2001 Frank Heyne Software (»www.heysoft.de) This program is Freeware, use it on your own risk!
Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: (NI) ALLOW Read BUILTIN\Users (IO) ALLOW Read BUILTIN\Users (NI) ALLOW Read BUILTIN\Power Users (IO) ALLOW Read BUILTIN\Power Users (NI) ALLOW Full access BUILTIN\Administrators (IO) ALLOW Full access BUILTIN\Administrators (NI) ALLOW Full access NT AUTHORITY\SYSTEM (IO) ALLOW Full access NT AUTHORITY\SYSTEM (NI) ALLOW Full access BUILTIN\Administrators (IO) ALLOW Full access CREATOR OWNER
Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: Read BUILTIN\Users Read BUILTIN\Power Users Full access BUILTIN\Administrators Full access NT AUTHORITY\SYSTEM
|
|
  dolphins Miami Dolphins Premium join:2001-08-22 Westville, NJ
·Comcast
| reply to rrlover First create a new folder called C:\HijackThis, extract the HijackThis.exe file from the zip file into the new folder and run it from there. This is necessary to ensure you have backups should anything go wrong.
Then check the following in HJT with all windows closed and remove them:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ncmkt.dll/sp.html#96676 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ncmkt.dll/index.html#96676 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ncmkt.dll/index.html#96676 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ncmkt.dll/sp.html#96676 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ncmkt.dll/index.html#96676 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ncmkt.dll/sp.html#96676
O2 - BHO: (no name) - {95959306-6D53-E376-B42A-64BFA4556181} - C:\WINDOWS\netcg32.dll O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar1.dll (file missing) O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar1.dll (file missing)
Unless you know what this is -> {O4 - HKLM\..\Run: [addmt32.exe] C:\WINDOWS\addmt32.exe}, have HJT remove it, then when done reboot, navigate to {C:\WINDOWS\addmt32.exe} and remove it also.
O8 - Extra context menu item: LimeShop Preferences - file://c:\Program Files\topMoxie\TEMP\limeshop_script.htm
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - »207.188.7.150/265991c7d0775b988315/net.. O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} (GigexCtrl ActiveX) - »www.gigex.com/tv/igor/gigexagent.dll O16 - DPF: {70522FA0-4656-11D5-B0E9-0050DAC24E8F} - »download.iwon.com/ct/pm3/iwonpm_8_1,0,..
Reboot, rescan with HJT and post a fresh log here. -- MIAMI DOLPHINS |
|
  dolphins Miami Dolphins Premium join:2001-08-22 Westville, NJ 1 edit | reply to rrlover dllfix will not be necessary for this log.
Newer version may be necessary? -- MIAMI DOLPHINS |
|
  rrlover
join:2001-03-25 Marlborough, CT
| AHHHHHH, still can't get rid of this. HijackThis fixed it, I rebooted, and it is still there.
Logfile of HijackThis v1.97.7 Scan saved at 9:35:49 PM, on 6/14/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\Explorer.EXE C:\Program Files\Network ICE\BlackICE\blackd.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wingz.exe C:\PROGRA~1\NORTON~1\navapw32.exe C:\Program Files\PopUp Killer\PopUpKiller.EXE C:\Program Files\Network ICE\BlackICE\blackice.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\addmt32.exe C:\Documents and Settings\Marco\Desktop\hjt\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ncmkt.dll/sp.html#96676 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ncmkt.dll/index.html#96676 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ncmkt.dll/index.html#96676 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »rd.yahoo.com/customize/ymsgr/def···rch.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ncmkt.dll/sp.html#96676 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ncmkt.dll/index.html#96676 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ncmkt.dll/sp.html#96676 O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: (no name) - {C75AEB7B-18DF-27AF-DBA3-059058EDCC2F} - C:\WINDOWS\system32\ntve.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE O4 - HKLM\..\Run: [addmt32.exe] C:\WINDOWS\addmt32.exe O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! 
Messenger (HKLM) O9 - Extra button: AIM (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Messenger (HKLM) O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: axscanner - »www.pestscan.com/scanner/axscanner.cab O16 - DPF: axscannerruntime - »www.pestscan.com/scanner/axscann···time.cab O16 - DPF: mscomctl - »www.pestscan.com/scanner/mscomctl.cab O16 - DPF: msvcp71 - »download.pestpatrol.com/Download···cp71.cab O16 - DPF: msvcr71 - »download.pestpatrol.com/Download···cr71.cab O16 - DPF: ppctlcab - »www.pestscan.com/scanner/ppctlcab.cab O16 - DPF: Yahoo! Poker - »download.games.yahoo.com/games/c···t1_x.cab O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - »support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - »www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - »www.pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - »download.macromedia.com/pub/shoc···r/sw.cab O16 - DPF: {25064DE4-9CC0-11D5-BB86-0050DAC5EBD0} (printQuick Browser Add In) - »www.pqvalet.com/plugin/axversion···uick.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - »security2.norton.com/SSC/SharedC···niff.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - »download.yahoo.com/dl/installs/yinst.cab O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - »www.cult3d.com/download/cult.cab O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - »office.microsoft.com/officeupdat···opuc.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »a1540.g.akamai.net/7/1540/52/200···ller.exe O16 - DPF: {430DDE24-C051-11CF-95BE-0020AFF75E4F} (ichat xchat Control) - »neuro.vetmed.ufl.edu:4080/chat/d···chat.ocx O16 - DPF: 
{43E1F2E4-C2BA-11D3-AC40-0050049804AB} (Update Class) - »207.245.26.119/dev/update.cab O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - »office.microsoft.com/productupda···opuc.cab O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - »office.microsoft.com/productupda···opuc.cab O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - »us.games2.yimg.com/download.game···_0_1.ocx O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - »toolbar.google.com/data/en/deleo···eNav.cab O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - »launch.gamespyarcade.com/softwar···unch.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - »a840.g.akamai.net/7/840/537/2001···an53.cab O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - »support.dell.com/us/en/systempro···fLcd.CAB O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - »www.installengine.com/engine/isetup.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - »www.pandasoftware.com/activescan···inst.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - »v4.windowsupdate.microsoft.com/C···68055556 O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - »fdl.msn.com/zone/datafiles/heartbeat.cab O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - »security2.norton.com/SSC/SharedC···absa.cab O16 - DPF: {C3498BF0-2C07-43C8-99D0-434B038334A6} (VDLaunch Class) - »www.catharon.com/download/plugins/ievdl2.ocx O16 - DPF: {C78AC153-1FB9-4198-986D-3613E49B152E} (ScanMe Class) - »download.microsoft.com/download/···edll.cab O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - »photos.yahoo.com/ocx/us/yexplorer1_9us.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »download.macromedia.com/pub/shoc···lash.cab O16 - DPF: 
{DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - »carpoint.msn.com/components/ocx/···icer.cab O16 - DPF: {F554B9AB-E6C9-4FA6-BFE7-B3CB24AD5027} (MSN Money Charting) - »fdl.msn.com/public/investor/v10/investor.cab O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - »ccon.madonion.com/global/msc.cab |
|
  dolphins Miami Dolphins Premium join:2001-08-22 Westville, NJ | Did you remove O4 - HKLM\..\Run: [addmt32.exe] C:\WINDOWS\addmt32.exe ???
Also, you have not moved HJT like I asked you to. -- MIAMI DOLPHINS |
|
  habya Premium join:2003-05-29 Huntsville, AL clubs: 
| reply to rrlover "C:\Documents and Settings\Marco\Desktop\hjt\HijackThis.exe"
Well, it seems he has it in its own folder on the desktop, so shouldn't the backups work properly from there? -- HABYA HABYA HABYA TEAR DOWN THE HEM STALKS EAT UP THE OLD MAN AND WOMAN AND CARRY OFF THE LITTLE GIRL MAY YOU DIE ALONE |
|
  seqrets Premium join:2001-05-03 Nederland, TX clubs:
·RoadRunner Cable
| HJT doesn't always work well when installed from the Desktop, and the backups will be cleaned when it is installed from the Temp folders. That is the reason it is recommended to install it to either C:\, C:\Program Files or C:\Documents and Settings\User Name\My Documents. -- I think my computer is hijacked. What should I do? |
|
  rrlover
join:2001-03-25 Marlborough, CT
| I moved HJT and ran it again. The file names have changed but I am sure it is the same problem. I can't erase addmt and wingz as it says they are read only.
Logfile of HijackThis v1.97.7 Scan saved at 6:42:38 AM, on 6/15/2004 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\alg.exe C:\Program Files\Network ICE\BlackICE\blackd.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wingz.exe C:\PROGRA~1\NORTON~1\navapw32.exe C:\Program Files\PopUp Killer\PopUpKiller.EXE C:\WINDOWS\addmt32.exe C:\Program Files\Network ICE\BlackICE\blackice.exe C:\hjt\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cjgnm.dll/sp.html#96676 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cjgnm.dll/index.html#96676 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cjgnm.dll/index.html#96676 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »rd.yahoo.com/customize/ymsgr/def···rch.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cjgnm.dll/sp.html#96676 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cjgnm.dll/index.html#96676 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cjgnm.dll/sp.html#96676 O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: (no name) - {C75AEB7B-18DF-27AF-DBA3-059058EDCC2F} - C:\WINDOWS\system32\ntve.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe" O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: AIM (HKLM) O16 - DPF: axscanner - »www.pestscan.com/scanner/axscanner.cab O16 - DPF: axscannerruntime - »www.pestscan.com/scanner/axscann···time.cab O16 - DPF: mscomctl - 
»www.pestscan.com/scanner/mscomctl.cab O16 - DPF: msvcp71 - »download.pestpatrol.com/Download···cp71.cab O16 - DPF: msvcr71 - »download.pestpatrol.com/Download···cr71.cab O16 - DPF: ppctlcab - »www.pestscan.com/scanner/ppctlcab.cab O16 - DPF: Yahoo! Poker - »download.games.yahoo.com/games/c···t1_x.cab O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - »support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - »www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - »www.pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - »download.macromedia.com/pub/shoc···r/sw.cab O16 - DPF: {25064DE4-9CC0-11D5-BB86-0050DAC5EBD0} (printQuick Browser Add In) - »www.pqvalet.com/plugin/axversion···uick.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - »security2.norton.com/SSC/SharedC···niff.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - »download.yahoo.com/dl/installs/yinst.cab O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - »www.cult3d.com/download/cult.cab O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - »office.microsoft.com/officeupdat···opuc.cab O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »a1540.g.akamai.net/7/1540/52/200···ller.exe O16 - DPF: {430DDE24-C051-11CF-95BE-0020AFF75E4F} (ichat xchat Control) - »neuro.vetmed.ufl.edu:4080/chat/d···chat.ocx O16 - DPF: {43E1F2E4-C2BA-11D3-AC40-0050049804AB} (Update Class) - »207.245.26.119/dev/update.cab O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - »office.microsoft.com/productupda···opuc.cab O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - »office.microsoft.com/productupda···opuc.cab O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - 
»us.games2.yimg.com/download.game···_0_1.ocx O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - »toolbar.google.com/data/en/deleo···eNav.cab O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - »launch.gamespyarcade.com/softwar···unch.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - »a840.g.akamai.net/7/840/537/2001···an53.cab O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - »support.dell.com/us/en/systempro···fLcd.CAB O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - »www.installengine.com/engine/isetup.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - »www.pandasoftware.com/activescan···inst.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - »v4.windowsupdate.microsoft.com/C···68055556 O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - »fdl.msn.com/zone/datafiles/heartbeat.cab O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - »security2.norton.com/SSC/SharedC···absa.cab O16 - DPF: {C3498BF0-2C07-43C8-99D0-434B038334A6} (VDLaunch Class) - »www.catharon.com/download/plugins/ievdl2.ocx O16 - DPF: {C78AC153-1FB9-4198-986D-3613E49B152E} (ScanMe Class) - »download.microsoft.com/download/···edll.cab O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - »photos.yahoo.com/ocx/us/yexplorer1_9us.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - »download.macromedia.com/pub/shoc···lash.cab O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - »carpoint.msn.com/components/ocx/···icer.cab O16 - DPF: {F554B9AB-E6C9-4FA6-BFE7-B3CB24AD5027} (MSN Money Charting) - »fdl.msn.com/public/investor/v10/investor.cab O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - »ccon.madonion.com/global/msc.cab |
|
  dolphins Miami Dolphins Premium join:2001-08-22 Westville, NJ
·Comcast
| Ok, I found a valid version of Wingz; it's an app for doing spreadsheets. So that's why I didn't ask you to remove it. The actual .exe can be found here.
Can you navigate to the two files,
C:\WINDOWS\system32\wingz.exe C:\WINDOWS\addmt32.exe
Right click on them, select Properties and post the results. -- MIAMI DOLPHINS |
|
  pcdebb RIP dadkins Premium join:2000-12-03 Tampa, FL clubs: 
| reply to rrlover To remove those files you need to be in safe mode (can't delete the files while they are running).
Fix: (and you can print this out to make it easier to follow)
C:\WINDOWS\system32\wingz.exe C:\WINDOWS\addmt32.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cjgnm.dll/sp.html#96676 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cjgnm.dll/index.html#96676 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cjgnm.dll/index.html#96676 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cjgnm.dll/sp.html#96676 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cjgnm.dll/index.html#96676 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cjgnm.dll/sp.html#96676 O2 - BHO: (no name) - {C75AEB7B-18DF-27AF-DBA3-059058EDCC2F} - C:\WINDOWS\system32\ntve.dll O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto (not too sure about this) O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - »www.cult3d.com/download/cult.cab O16 - DPF: {43E1F2E4-C2BA-11D3-AC40-0050049804AB} (Update Class) - »207.245.26.119/dev/update.cab
When you fix these, please reboot to safe mode (instructions here). Find and delete: C:\WINDOWS\addmt32.exe C:\WINDOWS\system32\wingz.exe
Clear out your temp internet files as well for a little added measure. Reboot normally, and repost a log. |
|
  pcdebb RIP dadkins Premium join:2000-12-03 Tampa, FL clubs:  | reply to rrlover I'm trying to Google some information, but Google seems to be down |
|
  rrlover
join:2001-03-25 Marlborough, CT
| Thanks for all your help. I went into safe mode 3x and was able to clean everything up. THANKS, THANKS, THANKS. I don't understand why NAV and Ad-Aware did not find it. Trojan cleaner was able to find it. Looking at all the logs it appears to be a common occurrence. I thought a Microsoft update was able to stop this?? Again, THANKS, THANKS, THANKS |
|
  tmpchaos Requiescat in pace Premium,Mod join:2000-04-28 Hoboken, NJ clubs:    | reply to pcdebb (topic move) @#&@$ Hijackers
Moderator Action The post that was here, and all followups to it, were moved to a new topic .. »@#&@$ Hijackers #2 |
|
  CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
1 edit | reply to rrlover Re: @#&@$ Hijackers
rrlover,
Edit: If this comes back, I should say.....
You have the very latest, newly discovered CoolWebSearch infection, which is why none of the above is working. It creates at least two randomly named exe's and dll's which protect each other and regenerate themselves with a new name if you try to remove it. It also runs a service called Network Security Services; we can walk you through the process to stop that from running so we can get rid of the infection.
Since you have XP, we can manually fix this, but I first need you to post a fresh HijackThis log so I can see where you are at this point. -- It takes a disaster to make a woman out of a female
Gladiator Security Forum
Proud Member of ASAP (Alliance of Security Analysis Professionals) »www.a-sap.org/ |
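A small defender-side triage script, added here as an illustration and not part of this thread or of HijackThis itself, that parses HJT-style log lines and flags the four patterns the helpers above picked out by hand: IE start/search pages redirected into a res:// DLL resource, an unnamed BHO loading a DLL straight from the Windows directory, a Run entry launching an exe sitting in the Windows root, and a DPF control fetched from a bare IP address. The sample log is constructed from the shape of the lines posted above; the rules are heuristics, so a flagged line is a candidate for review, not a verdict.

```python
"""Flag HijackThis 1.9x log lines that match the start-page hijack pattern seen above."""
import re
from dataclasses import dataclass

# Constructed sample log (not a real capture): suspicious lines in the shape of the
# ones posted in this thread, mixed with benign entries that must NOT be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cjgnm.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cjgnm.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.example.com/ie
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {C75AEB7B-18DF-27AF-DBA3-059058EDCC2F} - C:\WINDOWS\system32\ntve.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [addmt32.exe] C:\WINDOWS\addmt32.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {43E1F2E4-C2BA-11D3-AC40-0050049804AB} (Update Class) - http://207.245.26.119/dev/update.cab
"""


@dataclass
class Finding:
    line: str
    rule: str


# An exe directly in C:\WINDOWS (no subfolder), e.g. C:\WINDOWS\addmt32.exe
WIN_ROOT_EXE = re.compile(r"^c:\\windows\\[^\\]+\.exe$", re.I)
# A DLL directly in C:\WINDOWS or C:\WINDOWS\system32, e.g. C:\WINDOWS\system32\ntve.dll
WIN_SYS_DLL = re.compile(r"^c:\\windows\\(?:system32\\)?[^\\]+\.dll$", re.I)
# A download URL whose host is a bare dotted-quad IP rather than a hostname
BARE_IP_URL = re.compile(r"^(?:https?://)?\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/", re.I)


def first_path(target: str) -> str:
    """Strip surrounding quotes and trailing arguments from an O4 Run value."""
    m = re.match(r'"([^"]+)"|(\S+)', target.strip())
    return (m.group(1) or m.group(2)) if m else target.strip()


def check_line(line: str):
    """Return the name of the rule a single HJT line trips, or None."""
    m = re.match(r"^([RO]\d+) - (.*)$", line.strip())
    if not m:
        return None
    section, rest = m.group(1), m.group(2)
    if section in ("R0", "R1") and " = " in rest:
        # R0/R1: "<registry key>,<value name> = <url>"
        value = rest.split(" = ", 1)[1].strip().lower()
        if value.startswith("res://") and ".dll" in value:
            return "IE start/search page redirected into a DLL resource (res://...dll)"
    elif section == "O2":
        # O2: "BHO: <name> - {CLSID} - <dll path>"
        parts = rest.split(" - ")
        if len(parts) >= 3 and parts[0] == "BHO: (no name)" and WIN_SYS_DLL.match(parts[-1].strip()):
            return "unnamed BHO loading a DLL straight from the Windows directory"
    elif section == "O4":
        # O4: "<hive>\..\Run: [<value name>] <command line>"
        m4 = re.match(r"^[^:]+: \[[^\]]*\]\s*(.*)$", rest)
        if m4 and WIN_ROOT_EXE.match(first_path(m4.group(1))):
            return "Run entry launching an exe placed directly in the Windows root"
    elif section == "O16":
        # O16: "DPF: {CLSID} (<class>) - <url>"; the URL is after the last " - "
        url = rest.rsplit(" - ", 1)[-1].strip()
        if BARE_IP_URL.match(url):
            return "ActiveX (DPF) control downloaded from a bare IP address"
    return None


def triage(log_text: str):
    """Run every line of a HJT log through check_line and collect the hits."""
    findings = []
    for line in log_text.splitlines():
        rule = check_line(line)
        if rule:
            findings.append(Finding(line.strip(), rule))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}]\n    {f.line}")
```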
|