954,168 Members — Technology Publication meets Social Media
Username:
Password:
Lost login information?
Have something to say? Contribute New Article Reply to this Article
7 Years Ago
0

Hotoffers.info Won't Go Away!!

Dear sirs, I've had hotoffers on my computer for 5 days now..I've run ad-adware(in safe mode), spybot search and destroy , microsoft anti-spyware and spysweeper(in safe mode 3 times ) and CWS and hotoffers keeps coming back.I've seen a post on Daniweb talking about going to hotoffers.info and downloading their uninstall file, but i dont trust them(what do you think)..In the meantime here is my HJT log

Thank you in advance for your help and in offering this service!!


Logfile of HijackThis v1.99.1
Scan saved at 12:22:17 PM, on 3/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\CarlinGroupVPN\VPN Client\cvpnd.exe
C:\Program Files\WinAntiVirus 2004\AVSvc.exe
C:\Program Files\WinAntiVirus 2004\AVSchSvc.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\WinAntiVirus 2004\AVTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\WinAntiVirus 2004\Quar.exe
C:\PROGRA~1\COMMON~1\AOL\110203~1\EE\AOLHOS~1.EXE
C:\Program Files\WinAntiVirus 2004\VAPFM.exe
C:\PROGRA~1\COMMON~1\AOL\110203~1\EE\AOLServiceHost.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\bruce\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/192/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [Picture Easy Download] C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AVTray] C:\Program Files\WinAntiVirus 2004\AVTray.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102038803\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: winupdate18321236[1].exe
O4 - Startup: winupdate32876478[1].exe
O4 - Startup: winupdate61212303[1].exe
O4 - Startup: winupdate66832721[1].exe
O4 - Startup: winupdate74039026[1].exe
O4 - Startup: winupdate75170288[1].exe
O4 - Startup: winupdate75766931[1].exe
O4 - Startup: winupdate81230581[1].exe
O4 - Startup: winupdate85093701[1].exe
O4 - Startup: winupdate96862678[1].exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\CarlinGroupVPN\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {6223D5F5-FDA9-407B-A68B-5DC8FAE03341} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6223D5F5-FDA9-407B-A68B-5DC8FAE03341} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {702BF161-6050-417E-BBB0-3632346C81E4} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {702BF161-6050-417E-BBB0-3632346C81E4} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {9B3A72D3-6568-45C1-A215-88DE6B24891B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9B3A72D3-6568-45C1-A215-88DE6B24891B} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/07ca3f5897d9b91ed201/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109286076031
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O21 - SSODL: IntegrityChecker - {C58EAF23-6553-4D99-8D67-E3F0BA9C3EFA} - C:\WINDOWS\System32\udhi_500.ax
O21 - SSODL: IntegrityMonitor - {9B0291C7-3ED9-4E31-A8DF-ACBE9E3CA157} - C:\WINDOWS\System32\statbdsw.dll
O21 - SSODL: MSSQLMonitor - {2A6EFD49-5AB4-4700-BBD0-27336A08544F} - C:\WINDOWS\System32\kbdkmain.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVScheduler - Unknown owner - C:\Program Files\WinAntiVirus 2004\AVSchSvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\CarlinGroupVPN\VPN Client\cvpnd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: WinAntivirus - Unknown owner - C:\Program Files\WinAntiVirus 2004\AVSvc.exe

galtg
Newbie Poster
14 posts since Mar 2005
Reputation Points: 10
Solved Threads: 0
 
7 Years Ago
0

lets start with this .
Download then unzip and run CWShredder to clean up clicking "FIX" to have it remove all it finds.

CWShredder available from these places :-

http://www.aluriasoftware.com/tools/cwshredder.zip
Or this as a full download without any unzipping required
http://www.downloads.subratam.org/CWShredder.exe
http://www.spywareinfo.com/downloads/tools/CWShredder.exe

We have found that some of the CWS infections can be removed better from safe mode, rather than normal mode.
To get to safe mode use the F8 key while booting the machine. Detailed instructions from HERE

Then it’s time for Ad-Aware
Ad-Aware
Install and update by using the globe icon. Restart your computer and run Ad-Aware.
Press scan now and select drives and/or partitions to be scanned. When done select all and click next. Remove all checked items and then reboot your computer.

Please go to this page and read the instructions for how to configure Spybot S&D & Ad-Aware
How To Setup Spybot SD and Ad-Aware

caperjack
I hate 20 Questions
Team Colleague
13,069 posts since Aug 2003
Reputation Points: 1,064
Solved Threads: 812
 
7 Years Ago
0

caperjack, thank you for your response to my problem. I did as you said ..ran ad-aware and cws shedder in safe mode (in addition I ran spybot)..CWS shredder found no instances of CWS.Ad-aware did and removed them but they were back once I rebooted. Please help..thank you again..


Bruce



lets start with this .
Download then unzip and run CWShredder to clean up clicking "FIX" to have it remove all it finds.

CWShredder available from these places :-

http://www.aluriasoftware.com/tools/cwshredder.zip
Or this as a full download without any unzipping required
http://www.downloads.subratam.org/CWShredder.exe
http://www.spywareinfo.com/downloads/tools/CWShredder.exe

We have found that some of the CWS infections can be removed better from safe mode, rather than normal mode.
To get to safe mode use the F8 key while booting the machine. Detailed instructions from HERE

Then it’s time for Ad-Aware
Ad-Aware
Install and update by using the globe icon. Restart your computer and run Ad-Aware.
Press scan now and select drives and/or partitions to be scanned. When done select all and click next. Remove all checked items and then reboot your computer.

Please go to this page and read the instructions for how to configure Spybot S&D & Ad-Aware
How To Setup Spybot SD and Ad-Aware

galtg
Newbie Poster
14 posts since Mar 2005
Reputation Points: 10
Solved Threads: 0
 
7 Years Ago
0

can you please post a new hijackthis log .

caperjack
I hate 20 Questions
Team Colleague
13,069 posts since Aug 2003
Reputation Points: 1,064
Solved Threads: 812
 
7 Years Ago
0

caperjack..here is my new log..thank you again..Bruce

http://www.intermute.com/spysubtract/cwshredder_download.html
Logfile of HijackThis v1.99.1
Scan saved at 10:39:01 AM, on 3/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\CarlinGroupVPN\VPN Client\cvpnd.exe
C:\Program Files\WinAntiVirus 2004\AVSvc.exe
C:\Program Files\WinAntiVirus 2004\AVSchSvc.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\WinAntiVirus 2004\AVTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\bruce\Start Menu\Programs\Startup\winupdate18321236[1].exe
C:\Program Files\WinAntiVirus 2004\Quar.exe
C:\PROGRA~1\COMMON~1\AOL\110203~1\EE\AOLHOS~1.EXE
C:\Program Files\WinAntiVirus 2004\VAPFM.exe
C:\PROGRA~1\COMMON~1\AOL\110203~1\EE\AOLServiceHost.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\bruce\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/192/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [Picture Easy Download] C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AVTray] C:\Program Files\WinAntiVirus 2004\AVTray.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102038803\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: winupdate18321236[1].exe
O4 - Startup: winupdate32876478[1].exe
O4 - Startup: winupdate61212303[1].exe
O4 - Startup: winupdate66832721[1].exe
O4 - Startup: winupdate74039026[1].exe
O4 - Startup: winupdate75170288[1].exe
O4 - Startup: winupdate75766931[1].exe
O4 - Startup: winupdate81230581[1].exe
O4 - Startup: winupdate85093701[1].exe
O4 - Startup: winupdate96862678[1].exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\CarlinGroupVPN\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Microsoft AntiSpyware helper - {B9CB63B2-6F71-4F9C-A4A2-4A321BDEE54C} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B9CB63B2-6F71-4F9C-A4A2-4A321BDEE54C} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {6223D5F5-FDA9-407B-A68B-5DC8FAE03341} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6223D5F5-FDA9-407B-A68B-5DC8FAE03341} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {702BF161-6050-417E-BBB0-3632346C81E4} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {702BF161-6050-417E-BBB0-3632346C81E4} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {9B3A72D3-6568-45C1-A215-88DE6B24891B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9B3A72D3-6568-45C1-A215-88DE6B24891B} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {B9CB63B2-6F71-4F9C-A4A2-4A321BDEE54C} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B9CB63B2-6F71-4F9C-A4A2-4A321BDEE54C} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/07ca3f5897d9b91ed201/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1109286076031
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O21 - SSODL: IntegrityChecker - {C58EAF23-6553-4D99-8D67-E3F0BA9C3EFA} - C:\WINDOWS\System32\udhi_500.ax
O21 - SSODL: IntegrityMonitor - {9B0291C7-3ED9-4E31-A8DF-ACBE9E3CA157} - C:\WINDOWS\System32\statbdsw.dll
O21 - SSODL: MSSQLMonitor - {2A6EFD49-5AB4-4700-BBD0-27336A08544F} - C:\WINDOWS\System32\kbdkmain.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVScheduler - Unknown owner - C:\Program Files\WinAntiVirus 2004\AVSchSvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\CarlinGroupVPN\VPN Client\cvpnd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: WinAntivirus - Unknown owner - C:\Program Files\WinAntiVirus 2004\AVSvc.exe

galtg
Newbie Poster
14 posts since Mar 2005
Reputation Points: 10
Solved Threads: 0
 
7 Years Ago
0

I have to go to work for a bit but will check back later and do some looking

caperjack
I hate 20 Questions
Team Colleague
13,069 posts since Aug 2003
Reputation Points: 1,064
Solved Threads: 812
 
7 Years Ago
0

Your copy of HijackThis needs to be in a folder of it's own. When HJT fixes anything, it makes backups of the original files in the folder it is in. Since Temporary folders are emptied now and then (the files are DELETED), it would not be a good idea to have your backups there. Those backups would be VITAL to restoring your system if something went wrong in the FIX process!


1. Please go to you're 'My Documents' folder, right-click and select 'New > Folder' then name the folder 'HJT'.

2. Copy and paste HijackThis.exe to the new folder.

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.
You might want to print out or copy & paste to notePad , these instructions as you will need to close this browser window to fix with hijackthis !

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/192/

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)

O4 - Startup: winupdate18321236[1].exe
O4 - Startup: winupdate32876478[1].exe
O4 - Startup: winupdate61212303[1].exe
O4 - Startup: winupdate66832721[1].exe
O4 - Startup: winupdate74039026[1].exe
O4 - Startup: winupdate75170288[1].exe
O4 - Startup: winupdate75766931[1].exe
O4 - Startup: winupdate81230581[1].exe
O4 - Startup: winupdate85093701[1].exe
O4 - Startup: winupdate96862678[1].exe

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)

O9 - Extra button: Microsoft AntiSpyware helper - {B9CB63B2-6F71-4F9C-A4A2-4A321BDEE54C} - C:\WINDOWS\System32\wldr.dll (file missing)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B9CB63B2-6F71-4F9C-A4A2-4A321BDEE54C} - C:\WINDOWS\System32\wldr.dll (file missing)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Microsoft AntiSpyware helper - {6223D5F5-FDA9-407B-A68B-5DC8FAE03341} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6223D5F5-FDA9-407B-A68B-5DC8FAE03341} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {702BF161-6050-417E-BBB0-3632346C81E4} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {702BF161-6050-417E-BBB0-3632346C81E4} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {9B3A72D3-6568-45C1-A215-88DE6B24891B} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9B3A72D3-6568-45C1-A215-88DE6B24891B} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {B9CB63B2-6F71-4F9C-A4A2-4A321BDEE54C} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B9CB63B2-6F71-4F9C-A4A2-4A321BDEE54C} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/07ca3f5...ip/RdxIE601.cab
-Netster


O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?lin...738&clcid=0x409

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/s...83/mcinsctl.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/07ca3f5...ip/RdxIE601.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1109286076031

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/s...,20/mcgdmgr.cab

O21 - SSODL: IntegrityChecker - {C58EAF23-6553-4D99-8D67-E3F0BA9C3EFA} - C:\WINDOWS\System32\udhi_500.ax

O21 - SSODL: IntegrityMonitor - {9B0291C7-3ED9-4E31-A8DF-ACBE9E3CA157} - C:\WINDOWS\System32\statbdsw.dll

O21 - SSODL: MSSQLMonitor - {2A6EFD49-5AB4-4700-BBD0-27336A08544F} - C:\WINDOWS\System32\kbdkmain.dll


Now reboot into safe mode and delete the following files and folders if found .

C:\WINDOWS\System32\udhi_500.ax,,,,,,,,delete file

C:\WINDOWS\System32\statbdsw.dll,,,,,,delete file
C:\WINDOWS\System32\kbdkmain.dll,,,,,,,,,delete file

to delete the above files and folder you will need to do the following
go to
Show hidden files & folders

"Fix Checked"...Reboot to SAFE mode to delete files
How to start computer in safe mode

reboot computer and post a new log

caperjack
I hate 20 Questions
Team Colleague
13,069 posts since Aug 2003
Reputation Points: 1,064
Solved Threads: 812
 
7 Years Ago
0

Caperjack..(this post may be a dupe,last post might not have worked)..I did as you instructed..i checked and fixed the lines and then deleted the 3 files in safe mode..i rebooted and ran hijack this..I still have hotoffers..I saw the some of the fixed lines were gone but others remained..hope I did it right..here's the new log..thanks again for your help and for this site..Bruce

Logfile of HijackThis v1.99.1
Scan saved at 10:50:14 PM, on 3/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\CarlinGroupVPN\VPN Client\cvpnd.exe
C:\Program Files\WinAntiVirus 2004\AVSvc.exe
C:\Program Files\WinAntiVirus 2004\AVSchSvc.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\WinAntiVirus 2004\AVTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\WinAntiVirus 2004\Quar.exe
C:\PROGRA~1\COMMON~1\AOL\110203~1\EE\AOLHOS~1.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinAntiVirus 2004\VAPFM.exe
C:\Documents and Settings\bruce\Start Menu\Programs\Startup\winupdate18321236[1].exe
C:\PROGRA~1\COMMON~1\AOL\110203~1\EE\AOLServiceHost.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\bruce\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/192/
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [Picture Easy Download] C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AVTray] C:\Program Files\WinAntiVirus 2004\AVTray.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102038803\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: winupdate18321236[1].exe
O4 - Startup: winupdate32876478[1].exe
O4 - Startup: winupdate61212303[1].exe
O4 - Startup: winupdate66832721[1].exe
O4 - Startup: winupdate74039026[1].exe
O4 - Startup: winupdate75170288[1].exe
O4 - Startup: winupdate75766931[1].exe
O4 - Startup: winupdate81230581[1].exe
O4 - Startup: winupdate85093701[1].exe
O4 - Startup: winupdate96862678[1].exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\CarlinGroupVPN\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVScheduler - Unknown owner - C:\Program Files\WinAntiVirus 2004\AVSchSvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\CarlinGroupVPN\VPN Client\cvpnd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: WinAntivirus - Unknown owner - C:\Program Files\WinAntiVirus 2004\AVSvc.exe

galtg
Newbie Poster
14 posts since Mar 2005
Reputation Points: 10
Solved Threads: 0
 
7 Years Ago
0

Ok lets follow the direction in this thread seems to be working .
Unistall hotoffers

caperjack
I hate 20 Questions
Team Colleague
13,069 posts since Aug 2003
Reputation Points: 1,064
Solved Threads: 812
 
7 Years Ago
0

Scuse me Caperjack. galtg has the horse server infection.
Can you do the following please.

First, download HSFix from here.

After it is downloaded, create a new folder on your desktop called "HSFix" and extract all the files into the newly created folder.

Reboot into safe mode following the instructions here

Locate the HSFix folder on your desktop, open it, and double-click "hsfix.bat"

A log will be produced which you can close out of.

Then run HijackThis again, close any open windows and browsers and fix these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/192/

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

O4 - Startup: winupdate18321236[1].exe
O4 - Startup: winupdate32876478[1].exe
O4 - Startup: winupdate61212303[1].exe
O4 - Startup: winupdate66832721[1].exe
O4 - Startup: winupdate74039026[1].exe
O4 - Startup: winupdate75170288[1].exe
O4 - Startup: winupdate75766931[1].exe
O4 - Startup: winupdate81230581[1].exe
O4 - Startup: winupdate85093701[1].exe
O4 - Startup: winupdate96862678[1].exe

Restart your computer into normal mode and run at least one of the following free, online virus scans:

http://housecall.trendmicro.com/hou.../start_corp.asp
http://www.pandasoftware.com/activescan...ncipal.htm
http://www3.ca.com/threatinfo/virusinfo/scan.aspx

Restart your computer one last time and post a new HijackThis log, as well as the HSFix log which is located at C:/hslog.txt

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 
7 Years Ago
0

Crunchie and caperjack..I did as crunchie suggested..the ca virus scan yielded 35 found viruses..but hotoffers is still with me..here are the logs..AGAIN..thank you both for your help!!

Logfile of HijackThis v1.99.1
Scan saved at 9:02:06 AM, on 3/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\WinAntiVirus 2004\AVTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Netropa\OSD.exe
C:\PROGRA~1\COMMON~1\AOL\110203~1\EE\AOLHOS~1.EXE
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\CarlinGroupVPN\VPN Client\cvpnd.exe
C:\PROGRA~1\COMMON~1\AOL\110203~1\EE\AOLServiceHost.exe
C:\Program Files\WinAntiVirus 2004\AVSvc.exe
C:\Program Files\WinAntiVirus 2004\AVSchSvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\WinAntiVirus 2004\Quar.exe
C:\Program Files\WinAntiVirus 2004\VAPFM.exe
C:\Documents and Settings\bruce\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/192/
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [Picture Easy Download] C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AVTray] C:\Program Files\WinAntiVirus 2004\AVTray.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102038803\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\CarlinGroupVPN\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVScheduler - Unknown owner - C:\Program Files\WinAntiVirus 2004\AVSchSvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\CarlinGroupVPN\VPN Client\cvpnd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: WinAntivirus - Unknown owner - C:\Program Files\WinAntiVirus 2004\AVSvc.exe

I ran the hjxfix just as you said ..but I can't seem to find the log..

thank you again

Bruce

galtg
Newbie Poster
14 posts since Mar 2005
Reputation Points: 10
Solved Threads: 0
 
7 Years Ago
0

you wouldn't happen to have this winupdate85093701[1].exe
still in you recycle bin would you or on you harddrive ,check and see if you do ,zip it up and mail it to ,submit@fbeej.dk

caperjack
I hate 20 Questions
Team Colleague
13,069 posts since Aug 2003
Reputation Points: 1,064
Solved Threads: 812
 
7 Years Ago
0

Crunchie and caperjack...I couldnt take it anymore so I tried the hotoffers.info uninstall and it seems to have worked..(so far atleast)..after i did it I ran spy sweeper and it did find them (CWS and Hotoffers) and removed them..then I rebooted in safe mode and swept again..this time it just found hotofferes..but for the first time no CWS..(it also found a TIBS dialer which started popping up a couple of days ago)..Iremoved hotoffers again..then swept again in safe mode and for the first ime in over a week NO soyware was found..im hoping this is it..I just ran HJT..here is my log..THANK YOU AGAIN...!!!!!

Logfile of HijackThis v1.99.1
Scan saved at 8:18:26 AM, on 3/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\CarlinGroupVPN\VPN Client\cvpnd.exe
C:\Program Files\WinAntiVirus 2004\AVSvc.exe
C:\Program Files\WinAntiVirus 2004\AVSchSvc.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\WinAntiVirus 2004\AVTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\PROGRA~1\COMMON~1\AOL\110203~1\EE\AOLHOS~1.EXE
C:\Program Files\WinAntiVirus 2004\Quar.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinAntiVirus 2004\VAPFM.exe
C:\PROGRA~1\COMMON~1\AOL\110203~1\EE\AOLServiceHost.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Documents and Settings\bruce\Desktop\HijackThis.exe

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [Picture Easy Download] C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AVTray] C:\Program Files\WinAntiVirus 2004\AVTray.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102038803\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\CarlinGroupVPN\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Microsoft AntiSpyware helper - {82051E12-0F63-4FDF-BF42-A07D12396F54} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {82051E12-0F63-4FDF-BF42-A07D12396F54} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {B3B4B2EA-5467-4FCF-B1D5-2496C29CEE86} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B3B4B2EA-5467-4FCF-B1D5-2496C29CEE86} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {82051E12-0F63-4FDF-BF42-A07D12396F54} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {82051E12-0F63-4FDF-BF42-A07D12396F54} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {B3B4B2EA-5467-4FCF-B1D5-2496C29CEE86} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B3B4B2EA-5467-4FCF-B1D5-2496C29CEE86} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVScheduler - Unknown owner - C:\Program Files\WinAntiVirus 2004\AVSchSvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\CarlinGroupVPN\VPN Client\cvpnd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: WinAntivirus - Unknown owner - C:\Program Files\WinAntiVirus 2004\AVSvc.exe

galtg
Newbie Poster
14 posts since Mar 2005
Reputation Points: 10
Solved Threads: 0
 
7 Years Ago
0

Download the Pocket KillBox
Unzip the file to your desktop.
Run Pocket Killbox and paste the full file path of each of the below files in the box and click on Standard File Kill and End Explorer Shell While Killing File. Click on the button with the red circle and an X in the middle after you enter each file (see the files below).

C:\WINDOWS\System32\netdc.exe

Reboot afterwards if the files are successfully deleted.

If all files are not deleted, do not reboot yet. Run Pocket Killbox again and paste the full file path in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File with be deleted on next reboot, Process and Reboot now?" Click "Yes" to reboot only after the last file you enter.


Run HiJackThis and click "Scan", then check(tick) the following, if present:

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com


Now, with all windows closed except HiJackThis, click "Fix checked".

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from " Safe Mode ".

===============

Post back a new log after rebooting and let me know how everything goes.

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 
7 Years Ago
0

Download the Pocket KillBox
Unzip the file to your desktop.
Run Pocket Killbox and paste the full file path of each of the below files in the box and click on Standard File Kill and End Explorer Shell While Killing File. Click on the button with the red circle and an X in the middle after you enter each file (see the files below).

C:\WINDOWS\System32\netdc.exe

Reboot afterwards if the files are successfully deleted.

If all files are not deleted, do not reboot yet. Run Pocket Killbox again and paste the full file path in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File with be deleted on next reboot, Process and Reboot now?" Click "Yes" to reboot only after the last file you enter.


Run HiJackThis and click "Scan", then check(tick) the following, if present:

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com


Now, with all windows closed except HiJackThis, click "Fix checked".

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from " Safe Mode ".

===============

Post back a new log after rebooting and let me know how everything goes.




Crunchie..Well I guess I spoke to soon..when I got home from work and rebooted they were back..I followed your instructions and thought I deleted the netdc file but its back..before I run HJT I thought I had better check with you..here is my log..as always I am very thankful for your help..Bruce

Logfile of HijackThis v1.99.1
Scan saved at 6:47:36 PM, on 3/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\CarlinGroupVPN\VPN Client\cvpnd.exe
C:\Program Files\WinAntiVirus 2004\AVSvc.exe
C:\Program Files\WinAntiVirus 2004\AVSchSvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\WinAntiVirus 2004\AVTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\COMMON~1\AOL\110203~1\EE\AOLHOS~1.EXE
C:\Program Files\WinAntiVirus 2004\Quar.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\WinAntiVirus 2004\VAPFM.exe
C:\PROGRA~1\COMMON~1\AOL\110203~1\EE\AOLServiceHost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\bruce\Desktop\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [Picture Easy Download] C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AVTray] C:\Program Files\WinAntiVirus 2004\AVTray.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102038803\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\CarlinGroupVPN\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Microsoft AntiSpyware helper - {82051E12-0F63-4FDF-BF42-A07D12396F54} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {82051E12-0F63-4FDF-BF42-A07D12396F54} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Microsoft AntiSpyware helper - {B3B4B2EA-5467-4FCF-B1D5-2496C29CEE86} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B3B4B2EA-5467-4FCF-B1D5-2496C29CEE86} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Microsoft AntiSpyware helper - {F1D5F657-FDD8-41C9-B7B9-377FEE70B23E} - C:\WINDOWS\System32\wldr.dll
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F1D5F657-FDD8-41C9-B7B9-377FEE70B23E} - C:\WINDOWS\System32\wldr.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {82051E12-0F63-4FDF-BF42-A07D12396F54} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {82051E12-0F63-4FDF-BF42-A07D12396F54} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {B3B4B2EA-5467-4FCF-B1D5-2496C29CEE86} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B3B4B2EA-5467-4FCF-B1D5-2496C29CEE86} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {F1D5F657-FDD8-41C9-B7B9-377FEE70B23E} - C:\WINDOWS\System32\wldr.dll (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F1D5F657-FDD8-41C9-B7B9-377FEE70B23E} - C:\WINDOWS\System32\wldr.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVScheduler - Unknown owner - C:\Program Files\WinAntiVirus 2004\AVSchSvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\CarlinGroupVPN\VPN Client\cvpnd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: WinAntivirus - Unknown owner - C:\Program Files\WinAntiVirus 2004\AVSvc.exe

galtg
Newbie Poster
14 posts since Mar 2005
Reputation Points: 10
Solved Threads: 0
 
7 Years Ago
0

Download moveonboot from here & the file(s) you choose will be deleted on reboot.

MoveOnBoot allows you to copy, move or delete files on the next system boot. This comes in very handy, if you need to replace or delete files which are locked by other applications, loaded into memory or cannot be changed until next system boot. You could manually enter a line to the wininit files, but using MoveOnBoot is much simpler, since the program can be integrated into shell - it creates the "Copy/Move/Delete on boot" context menu item.

Find C:\WINDOWS\System32\netdc.exe and right click on it. Select the delete on next boot and reboot. Fix that F2 entry with hijackthis, reboot and post another log please.

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 
7 Years Ago
0

Download moveonboot from here & the file(s) you choose will be deleted on reboot.

MoveOnBoot allows you to copy, move or delete files on the next system boot. This comes in very handy, if you need to replace or delete files which are locked by other applications, loaded into memory or cannot be changed until next system boot. You could manually enter a line to the wininit files, but using MoveOnBoot is much simpler, since the program can be integrated into shell - it creates the "Copy/Move/Delete on boot" context menu item.

Find C:\WINDOWS\System32\netdc.exe and right click on it. Select the delete on next boot and reboot. Fix that F2 entry with hijackthis, reboot and post another log please.



Crunchie..I don't know what I'm doing wrong but I can't find the file anywhere on my computer..I've done around 5 searched now and nothing!,,Strange thing is that it still showing up on my HJT log.I tried using Killbox on it in safe mode and it keeps coming back. I copied and pasted the file name to moveonboot and I get the incorrect file error..On the plus side CWS and hotoffers hasnt shown on my last couple of sweeps..Thanks again..Bruce

Logfile of HijackThis v1.99.1
Scan saved at 8:32:23 AM, on 3/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\CarlinGroupVPN\VPN Client\cvpnd.exe
C:\Program Files\WinAntiVirus 2004\AVSvc.exe
C:\Program Files\WinAntiVirus 2004\AVSchSvc.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\WinAntiVirus 2004\AVTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinAntiVirus 2004\Quar.exe
C:\Program Files\WinAntiVirus 2004\VAPFM.exe
C:\PROGRA~1\COMMON~1\AOL\110203~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110203~1\EE\AOLServiceHost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\bruce\Desktop\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [Picture Easy Download] C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AVTray] C:\Program Files\WinAntiVirus 2004\AVTray.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102038803\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\CarlinGroupVPN\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Microsoft AntiSpyware helper - {82051E12-0F63-4FDF-BF42-A07D12396F54} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {82051E12-0F63-4FDF-BF42-A07D12396F54} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {B3B4B2EA-5467-4FCF-B1D5-2496C29CEE86} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B3B4B2EA-5467-4FCF-B1D5-2496C29CEE86} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Microsoft AntiSpyware helper - {F1D5F657-FDD8-41C9-B7B9-377FEE70B23E} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F1D5F657-FDD8-41C9-B7B9-377FEE70B23E} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {82051E12-0F63-4FDF-BF42-A07D12396F54} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {82051E12-0F63-4FDF-BF42-A07D12396F54} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {B3B4B2EA-5467-4FCF-B1D5-2496C29CEE86} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B3B4B2EA-5467-4FCF-B1D5-2496C29CEE86} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {F1D5F657-FDD8-41C9-B7B9-377FEE70B23E} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F1D5F657-FDD8-41C9-B7B9-377FEE70B23E} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVScheduler - Unknown owner - C:\Program Files\WinAntiVirus 2004\AVSchSvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\CarlinGroupVPN\VPN Client\cvpnd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: WinAntivirus - Unknown owner - C:\Program Files\WinAntiVirus 2004\AVSvc.exe

galtg
Newbie Poster
14 posts since Mar 2005
Reputation Points: 10
Solved Threads: 0
 
7 Years Ago
0

Hi. Have you tried going to safe mode and fixing this line with hijackthis?

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

You can also look for the entry in your ini file and remove it manually.

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 
7 Years Ago
0

Hi. Have you tried going to safe mode and fixing this line with hijackthis?

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

You can also look for the entry in your ini file and remove it manually.



Crunchie..I finally found the netdc.exe file in my registry in the winnt/winloggin folder and I deleted the c:/windows......netdc.exe part.Thats the only folder i found it in. Then I ran a scan in safe mode and the machine was clean.I just ran the scan in normal and it too was clean. But there's the netdc.exe file still in my HJT log. Tenacious bugger, huh?..On the positive side the machine itself is running fine..no more pop-ups and the browser doesn't get hijacked. But I still have that file..Heres my HJT log..Thanks again..Bruce

Logfile of HijackThis v1.99.1
Scan saved at 10:55:36 PM, on 3/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\CarlinGroupVPN\VPN Client\cvpnd.exe
C:\Program Files\WinAntiVirus 2004\AVSvc.exe
C:\Program Files\WinAntiVirus 2004\AVSchSvc.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\WinAntiVirus 2004\AVTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinAntiVirus 2004\Quar.exe
C:\PROGRA~1\COMMON~1\AOL\110203~1\EE\AOLHOS~1.EXE
C:\Program Files\WinAntiVirus 2004\VAPFM.exe
C:\PROGRA~1\COMMON~1\AOL\110203~1\EE\AOLServiceHost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\bruce\Desktop\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AVTray] C:\Program Files\WinAntiVirus 2004\AVTray.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102038803\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\CarlinGroupVPN\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Microsoft AntiSpyware helper - {82051E12-0F63-4FDF-BF42-A07D12396F54} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {82051E12-0F63-4FDF-BF42-A07D12396F54} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {B3B4B2EA-5467-4FCF-B1D5-2496C29CEE86} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B3B4B2EA-5467-4FCF-B1D5-2496C29CEE86} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Microsoft AntiSpyware helper - {F1D5F657-FDD8-41C9-B7B9-377FEE70B23E} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F1D5F657-FDD8-41C9-B7B9-377FEE70B23E} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {82051E12-0F63-4FDF-BF42-A07D12396F54} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {82051E12-0F63-4FDF-BF42-A07D12396F54} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {B3B4B2EA-5467-4FCF-B1D5-2496C29CEE86} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B3B4B2EA-5467-4FCF-B1D5-2496C29CEE86} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {F1D5F657-FDD8-41C9-B7B9-377FEE70B23E} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F1D5F657-FDD8-41C9-B7B9-377FEE70B23E} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVScheduler - Unknown owner - C:\Program Files\WinAntiVirus 2004\AVSchSvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\CarlinGroupVPN\VPN Client\cvpnd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: WinAntivirus - Unknown owner - C:\Program Files\WinAntiVirus 2004\AVSvc.exe

galtg
Newbie Poster
14 posts since Mar 2005
Reputation Points: 10
Solved Threads: 0
 
7 Years Ago
0

Try entering C:\WINDOWS\System32\netdc.exe into the killbox and see if you get a message about the file not existing.
Go here and download and run Silent Runners.vbs. It generates a log, please post the information back in this thread.

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 

This question has already been solved

Post: Markdown Syntax: Formatting Help
You
 
 
© 2012 DaniWeb® LLC
Home | About Us | Contact Us | Terms of Service | Advertising Opportunities
RSS Feed RSS Feed