0

My computer just started running slow a few months ago and now the browser keeps getting hijacked. I believe it started right after my husband tried to download Napster or something similar. Here is my HijackThis! Log. Can someone please help me figure out what to delete? I know there is a lot of junk on my registry and i'd like to clear it up, and stop the pop ups! I have run AdAware and SpyBot, but they can't get rid of some things. Thanks in advance for any help!

Logfile of HijackThis v1.97.7
Scan saved at 2:51:29 PM, on 4/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\WINDOWS\slrundll.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HiJack This!\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = wmplayer.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
N2 - Netscape 6: user_pref("browser.startup.homepage", "allaboutsearching.com");\nuser_pref("browser.startup.page", 1); (C:\Documents and Settings\Heidi\Application Data\Mozilla\Profiles\default\1q0xg24x.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Heidi\Application Data\Mozilla\Profiles\default\1q0xg24x.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Forget Me Not.lnk = ?
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF7E120A-C1B0-4BD2-8EB3-F08D0A0C196B}: NameServer = 170.147.1.114 170.147.17.82

3
Contributors
16
Replies
17
Views
13 Years
Discussion Span
Last Post by crunchie
0

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = wmplayer.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab

That's all.

0

Thanks for your advice, it is greatly appreciated! Got any about VX2.BetterInternet?

0

Can you download the following app & run it, making sure to have one internet exploder window open. Save the log & paste the results back here.
VX2Finder

0

Here is the log from the vx2finder. Thanks so much!Log for VX2.BetterInternet File Finder

Files Found---
C:\WINDOWS\System32\6yo4svc.cpy.dll
C:\WINDOWS\System32\6yo4svc.dll

Guardian Key---
Asynchronous 000
DllName C:\WINDOWS\system32\6yo4svc.dll
Impersonate 000
Logon WinLogon
Version 122
ID {25641DC8-6046-461E-993B-D7C4706A767E}
IDex CS2

User Agent String---
{25641DC8-6046-461E-993B-D7C4706A767E}

0

Hmm. Please do the following:

Next, type javascript:navigator.userAgent or just copy and paste it in your IE Address bar then hit enter.

Post the complete result.

Download Killbox from http://download.broadbandmedic.com/VbStuff/KillBox.zip
Unzip to your desktop.
Run Killbox.exe. From the menu click “Fix L2M then click “Kill VX2.BetterInternet"

Restart your system


Post the complete result again.

And post a new fresh log of HijackThis.

0

Hmm. Please do the following:

Next, type javascript:navigator.userAgent or just copy and paste it in your IE Address bar then hit enter.

Post the complete result.

OK. Here is the results for that.

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; {25641DC8-6046-461E-993B-D7C4706A767E}; MSN 8.0; MSN 8.5; MSNbBBYZ; MSNmen-us; MSNcIA)

0

Use the Killbox that you've download the other day.
Run Killbox.exe.
From the menu click “Fix L2M then click “Import L2M.reg.
Click OK when you asked to “Import Registry Script?
Then from the menu again, click “Find. Click “User Agent String.
Select the entry {25641DC8-6046-461E-993B-D7C4706A767E} then click “Action.
Click “Delete User Agent String. Close Killbox.

Please run VX2finder again after a reboot & post the log it creates.

0

Please ignore my last post for now & do this instead:

Download the VX2 fix here.
You must run it three times in a row to completely remove the files registry keys.

Once done run the VX2finder again & post the log here along with a fresh hijackthis log.

0

Ok. I downloaded and ran the Killbox thing.I started to do what you'd suggested, but an error occured and now everytime any time I try go online (MSN) an error occurs and the computer restarts. When it restarts it says that there was an exception in the LSA shell something or other and when I try go online again it does the same thing. It says that Windows encountered an error with NT/Authority/something and will now restart. Something to do with lsass.exe. I cannot go online to download anything to fix this. I had to go to the public library to post this right now. And my husband is fuming becausse I "broke" the computer. Please help. Thanks for everything so far! It's appreciated.

0

Do a system restore to a time B4 you attempted the repair. Don't forget to let me know which App you used that gave the problems.

0

It was Killbox. But I may have clicked on something (on Killbox) that I shouldn't have. I wasn't sure what to do with it once I ran it (Killbox) and I clicked a few things, (it may have been "delete user agent string") then I went to go back online to see what further suggestions you'd had and that's when I got the error. My husband also suggested to do a system repair from previous. I just hope we have a restore point that's before he ever even thought about Napster. Then I can just go back to normal and not be the blame for all this anymore! :o) Anyway, wish me luck! And thanks sooooooooooooooo much for all of your time and suggestions! I'll letcha know how it turns out. (As soon as I can!)

0

OK. Hubby did a system restore. Internet was working (still had pop ups), So I decided to run SpyBot again and see if any spyware was still lurking. Well it found a few things. I deleted the things in red and then had the same lsass.exe problem again. So I did system restore again, and now I'm here. Can you take a look at my current HiJackThis! log and tell me what you think? Thanks again!!!!!!!!!!


Logfile of HijackThis v1.97.7
Scan saved at 6:40:26 PM, on 5/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\WINDOWS\slrundll.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\30431_up.exe
C:\WINDOWS\system32\30431_up.exe
C:\Program Files\HiJack This!\HijackThis.exe
C:\WINDOWS\system32\30431_up.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ramgo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.ramgo.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ramgo.com/search.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = wmplayer.exe
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Heidi\Application Data\Mozilla\Profiles\default\1q0xg24x.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Heidi\Application Data\Mozilla\Profiles\default\1q0xg24x.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [avserve2.exe] C:\WINDOWS\avserve2.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Forget Me Not.lnk = ?
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF7E120A-C1B0-4BD2-8EB3-F08D0A0C196B}: NameServer = 170.147.1.114 170.147.17.82

0

so the virus came back after asystem restor then i think you will need to disable system restore to get rid of the virus,or else it will return everytime you do a restore .

To turn off Windows XP System Restore:

NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.


1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore" or "Turn off System Restore on all drives" as shown in this illustration:
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
8. Proceed with what you need to do; for example, virus removal. When you have finished, restart the computer and follow the instructions in the next section to turn on System Restore.

To turn on Windows XP System Restore:

1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
5. Click Apply, and then click OK.

0

Have Hijack This fix the following by placing a check in the appropriate boxes

and selecting fix checked. Make sure all browser and all Windows Explorer

windows are closed before fixing.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.

ramgo.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://

www.ramgo.com/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http

://www.ramgo.com/search.html

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = wmplayer.exe

O4 - HKLM\..\Run: [avserve2.exe] C:\WINDOWS\avserve2.exe


Now reboot into safe mode and delete the following file.

C:\WINDOWS\avserve2.exe >>>> delete file

to delete the above files and folder you will need to do the following
go to Show hidden files

& folders

"Fix Checked"...Reboot to SAFE mode to delete files

How to start computer in safe mode

reboot computer and post a new log

0

If you want to attempt the VX2Finder again, let me know, only you must follow the instructions exactly. (as I am sure you are now aware) You will still have look2me on your comp.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.