0

hi.. i guess those were just too many problems listed on the "Title" ;)

My problem started a few days back when my friend surfed a lot of porn on my come.. ;) so after a couple days when i opened my browser i saw the home page changes to C:\WINDOWS\secure.html , i tried to change it back to google but it did not work. then as soon as i opened a page a porn site window would open up covering the entire screen. I tried to go to google.com but it said that the "Directory Listing Denied This Virtual Directory does not allow contents to be listed." same goes for excite and altavista.com .. though yahoo.com is working.

After all this problem i downloaded spybot, spywareblaster, ad-ware 6.0 hijack this.. etc. i got rid of most of the problem. but the core problem still remains.

1. My home page still is C:\WINDOWS\secure.html
2. Porn will pop up everytime i hit "Home" Button
3. spybot will not remove DSO exploit (it says that it does but it keeps coming back on searches) same goes for VX2/F

I have the log file from hijack it... please can anyone see where the problem is?
p.s check the log "O4 - HKLM\..\Run: [gmsdaixtmbpg] C:\WINDOWS\System32\fpbdee.exe" i think there is something fishy here.

Would really appreciate any hepl..


Logfile of HijackThis v1.97.7
Scan saved at 8:59:11 PM, on 7/16/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\fpbdee.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Dad\Application Data\arep.exe
C:\WINDOWS\System32\czkqjyyh.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\FBM Software\ZeroSpyware Lite\ZeroSpyware Lite.exe
C:\Program Files\FBM Software\ZeroSpyware Lite\NetGuard Lite.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Dad\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3AAB405F-9766-0BBC-8752-17550DA32638} - C:\WINDOWS\System32\gezllbp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [gmsdaixtmbpg] C:\WINDOWS\System32\fpbdee.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Tach] C:\Documents and Settings\Dad\Application Data\arep.exe
O4 - HKCU\..\Run: [Akknxdus] C:\WINDOWS\System32\czkqjyyh.exe
O4 - HKCU\..\Run: [ZeroSpyware Lite] "C:\Program Files\FBM Software\ZeroSpyware Lite\ZeroSpyware Lite.exe" -STARTUP
O4 - HKCU\..\Run: [NetGuard Lite] "C:\Program Files\FBM Software\ZeroSpyware Lite\NetGuard Lite.exe" -STARTUP
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Broadband (HKLM)
O9 - Extra 'Tools' menuitem: Sify Broadband (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://213.159.117.133/legal/x.chm::/load.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37910.5435069444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{38C36455-8603-412B-8F5C-DEF4A32ECF87}: NameServer = 202.144.115.4,202.144.66.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{38C36455-8603-412B-8F5C-DEF4A32ECF87}: NameServer = 202.144.115.4,202.144.66.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{38C36455-8603-412B-8F5C-DEF4A32ECF87}: NameServer = 202.144.115.4,202.144.66.6

5
Contributors
14
Replies
15
Views
13 Years
Discussion Span
Last Post by crunchie
0

just down loaded it while writing this post.. will run it asap , and post the results here

0

I don't know about with your's, but I know in another thread (I'm not sure which one it was a couple of weeks ago) someone said that Spybot S&D will pick up DSO Exploit even when it's not there...I know it's still doing it on mine, but my computer is working fine. I don't know, but after you get everything else sorted out, if that's still coming up, that may be why.

0

Good news! i ran CWShredder on my comp and the browser problem is gone. but one last problem remains. Everytime i start my comp.. the window status button on the start bar automatically are aligned to the right, where there is no space and the "Language Bar" from the tool bar keep showing, evertime i remove the language tool and left align, it will come back to where it was after restart. This also started happening only after the spyware and adware problem.. any suggestions.
+ dose any one know what this log is
"O4 - HKLM\..\Run: [gmsdaixtmbpg] C:\WINDOWS\System32\fpbdee.exe"
i think its a spy ware.. keep coming up on my hijack this log

0

Unzip HJT into it's own permanent folder before doing anything in order for it to create backups. (Not a temporary folder or directly on the desktop (in a folder on the desktop is fine) & not directly on your hard drive). Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked' :

F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,

O2 - BHO: (no name) - {3AAB405F-9766-0BBC-8752-17550DA32638} - C:\WINDOWS\System32\gezllbp.dll

O4 - HKLM\..\Run: [gmsdaixtmbpg] C:\WINDOWS\System32\fpbdee.exe
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKCU\..\Run: [Tach] C:\Documents and Settings\Dad\Application Data\arep.exe
O4 - HKCU\..\Run: [Akknxdus] C:\WINDOWS\System32\czkqjyyh.exe

O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://213.159.117.133/legal/x.chm::/load.exe

Reboot into safe mode following the instructions here & navigate to & delete the following if found:

C:\Windows\System32\wsaupdater.exe
C:\WINDOWS\System32\fpbdee.exe
C:\Documents and Settings\Dad\Application Data\arep.exe
C:\WINDOWS\System32\czkqjyyh.exe

C:\Program Files\WindowsSA

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Reboot normally.

If you have Adaware 6.181 installed, please get the VX2 Cleaner plug-in for Adaware here.
Run Adaware then run the plug-in.
If you do not have it, you can either download it from here, or download VX2finder.

VX2Finder
Press the Click to Find VX2 Betterinternet Button at the bottom. Save the log & paste the results back here.

0

The DSO exploit can be fixed, but apparently the exploit itself is very old and unused by hackers any more. The way to fix it is to open regedit, find the registry key, delete the 1004 entry that throws up the error, create a new 1004 dword entry with a value of 3. I usually do it just to stop it appearing. Note you will have one in XP for every user area.

0

hi Crunchie, i did what you said and then i downloaded the plugin for VX2/F . The good things is that now my window status button on the start bar automatically are aligned normal to the left but the language bar keeps showing on the right.
Also Ad-ware says that my system is clean of VX2/F but spybot still show VX@ and DSO.

0

If you have all your Microsoft updates for your system, then the DSO exploit is the bug in Spybot which is yet to be fixed.
You can download the VX2finder from my last post & see if there really is that on your computer.

0

Log file from ad-ware. i cleared all 3 of them


Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Sunday, July 18, 2004 2:04:40 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R333 18.07.2004
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry


7/18/2004 2:04:40 PM - Scan started. (Smart mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 7/18/2004 5:09:44 AM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 7/18/2004 5:09:49 AM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7/18/2004 5:09:49 AM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 8/23/2001 1:30:00 AM
Last accessed : 7/17/2004 6:30:00 PM
Last modified : 8/23/2001 1:30:00 AM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7/18/2004 5:09:49 AM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 8/23/2001 1:30:00 AM
Last accessed : 7/17/2004 6:30:00 PM
Last modified : 8/23/2001 1:30:00 AM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7/18/2004 5:09:50 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/23/2001 1:30:00 AM
Last accessed : 7/17/2004 6:30:00 PM
Last modified : 8/23/2001 1:30:00 AM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7/18/2004 5:09:51 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/23/2001 1:30:00 AM
Last accessed : 7/17/2004 6:30:00 PM
Last modified : 8/23/2001 1:30:00 AM

#:7 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 7/18/2004 5:09:53 AM
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 8/23/2001 1:30:00 AM
Last accessed : 7/17/2004 6:30:00 PM
Last modified : 8/23/2001 1:30:00 AM

#:8 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 7/18/2004 5:09:56 AM
BasePriority : Normal
FileSize : 977 KB
FileVersion : 6.00.2600.0000 (xpclient.010817-1148)
ProductVersion : 6.00.2600.0000
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 8/23/2001 1:30:00 AM
Last accessed : 7/17/2004 6:30:00 PM
Last modified : 8/23/2001 1:30:00 AM

#:9 [inetinfo.exe]
FilePath : C:\WINDOWS\System32\inetsrv\
ThreadCreationTime : 7/18/2004 5:10:01 AM
BasePriority : Normal
FileSize : 13 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Internet Information Services
InternalName : INETINFO.EXE
OriginalFilename : INETINFO.EXE
ProductName : Internet Information Services
Created on : 10/22/2003 6:39:03 AM
Last accessed : 7/17/2004 6:30:00 PM
Last modified : 8/23/2001 7:00:00 AM

#:10 [mdm.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\VS7Debug\
ThreadCreationTime : 7/18/2004 5:10:02 AM
BasePriority : Normal
FileSize : 264 KB
FileVersion : 7.00.9064.9150
ProductVersion : 7.00.9064.9150
Copyright : Copyright (C) Microsoft Corp. 1997-2000
CompanyName : Microsoft Corporation
FileDescription : Machine Debug Manager
InternalName : mdm.exe
OriginalFilename : mdm.exe
ProductName : Microsoft Development Environment
Created on : 2/23/2001 4:37:30 AM
Last accessed : 7/17/2004 6:30:00 PM
Last modified : 2/23/2001 4:37:30 AM

#:11 [navapsvc.exe]
FilePath : C:\Program Files\Norton AntiVirus\
ThreadCreationTime : 7/18/2004 5:10:03 AM
BasePriority : Normal
FileSize : 113 KB
FileVersion : 8.07.17
ProductVersion : 8.07.17
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
OriginalFilename : NAVAPSVC.EXE
ProductName : Norton AntiVirus
Created on : 10/18/2003 7:11:05 AM
Last accessed : 7/17/2004 6:30:00 PM
Last modified : 2/27/2002 5:59:26 AM

#:12 [navapw32.exe]
FilePath : C:\PROGRA~1\NORTON~1\
ThreadCreationTime : 7/18/2004 5:10:04 AM
BasePriority : Normal
FileSize : 73 KB
FileVersion : 8.07.17
ProductVersion : 8.07.17
Copyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Agent
InternalName : NAVAPW32
OriginalFilename : NAVAPW32.EXE
ProductName : Norton AntiVirus
Created on : 10/18/2003 7:11:05 AM
Last accessed : 7/17/2004 6:30:00 PM
Last modified : 2/27/2002 5:57:58 AM

#:13 [jusched.exe]
FilePath : C:\Program Files\Java\j2re1.4.2_04\bin\
ThreadCreationTime : 7/18/2004 5:10:04 AM
BasePriority : Normal
FileSize : 32 KB
Created on : 2/22/2068 6:14:46 PM
Last accessed : 7/17/2004 6:30:00 PM
Last modified : 2/22/2004 6:14:44 PM

#:14 [ctfmon.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7/18/2004 5:10:05 AM
BasePriority : Normal
FileSize : 13 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
OriginalFilename : CTFMON.EXE
ProductName : Microsoft
Created on : 8/23/2001 1:30:00 AM
Last accessed : 7/17/2004 6:30:00 PM
Last modified : 8/23/2001 1:30:00 AM

#:15 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 7/18/2004 5:10:05 AM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/23/2001 1:30:00 AM
Last accessed : 7/17/2004 6:30:00 PM
Last modified : 8/23/2001 1:30:00 AM

#:16 [nkvmon.exe]
FilePath : C:\Program Files\Nikon\NkView6\
ThreadCreationTime : 7/18/2004 5:10:07 AM
BasePriority : Normal
FileSize : 232 KB
FileVersion : 6, 0, 0, 3000
ProductVersion : 6, 0
Copyright : Copyright (C) Nikon Corporation. 1998 - 2003
CompanyName : Nikon Corporation
FileDescription : Nikon Monitor
InternalName : NkvMon
OriginalFilename : NkvMon.exe
ProductName : Nikon Monitor
Created on : 11/20/2003 1:24:03 PM
Last accessed : 7/17/2004 6:30:00 PM
Last modified : 12/4/2002 5:22:48 AM

#:17 [acrotray.exe]
FilePath : C:\Program Files\Adobe\Acrobat 5.0\Distillr\
ThreadCreationTime : 7/18/2004 5:10:08 AM
BasePriority : Normal
FileSize : 48 KB
FileVersion : 5, 0, 0, 0
ProductVersion : 5, 0, 0, 0
Copyright : Copyright
CompanyName : Adobe Systems Inc.
FileDescription : AcroTray
InternalName : AcroTray
OriginalFilename : AcroTray.exe
ProductName : AcroTray - Adobe Acrobat Distiller helper application.
Created on : 1/9/2004 5:53:37 AM
Last accessed : 7/17/2004 6:30:00 PM
Last modified : 3/14/2001 11:48:18 PM

#:18 [psnlite.exe]
FilePath : C:\Program Files\3M\PSNLite\
ThreadCreationTime : 7/18/2004 5:10:08 AM
BasePriority : Normal
FileSize : 1584 KB
FileVersion : 3, 0, 1, 1069
ProductVersion : 3, 0, 1, 1069
CompanyName : 3M
FileDescription : Post-it(R) Software Notes: System
InternalName : PSN
OriginalFilename : PSN2VIEW.EXE
ProductName : Post-it(R) Software Notes Lite
Created on : 10/9/2003 8:38:32 AM
Last accessed : 7/17/2004 6:30:00 PM
Last modified : 10/9/2003 8:38:32 AM

#:19 [hpotdd01.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\bin\
ThreadCreationTime : 7/18/2004 5:10:10 AM
BasePriority : Normal
FileSize : 40 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright
CompanyName : Hewlett-Packard
FileDescription : hpotdd01
InternalName : hpotdd01
OriginalFilename : hpotdd01.exe
ProductName : Hewlett-Packard hpotdd01
Created on : 12/2/2002 3:26:10 PM
Last accessed : 7/17/2004 6:30:00 PM
Last modified : 12/2/2002 3:26:10 PM

#:20 [hpohmr08.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\bin\
ThreadCreationTime : 7/18/2004 5:10:10 AM
BasePriority : Normal
FileSize : 144 KB
FileVersion : 4.2.0.170
ProductVersion : 002.000.000.170
Copyright : Copyright (C) Hewlett-Packard Co. 1995-2001
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Device Objects
InternalName : HPOHMR08
OriginalFilename : HPOHMR08.EXE
ProductName : hp digital imaging - hp all-in-one series
Created on : 12/2/2002 3:38:34 PM
Last accessed : 7/17/2004 6:30:00 PM
Last modified : 12/2/2002 3:38:34 PM

#:21 [psngive.exe]
FilePath : C:\PROGRA~1\3M\PSNLite\
ThreadCreationTime : 7/18/2004 5:10:17 AM
BasePriority : Normal
FileSize : 64 KB
FileVersion : 3, 0, 2, 2069
ProductVersion : 3, 0, 2, 2069
CompanyName : 3M
FileDescription : Post-it(R) Software Notes: GiveNote
InternalName : PSN
OriginalFilename : PSN.EXE
ProductName : Post-it(R) Software Notes
Created on : 10/9/2003 8:37:36 AM
Last accessed : 7/17/2004 6:30:00 PM
Last modified : 10/9/2003 8:37:36 AM

#:22 [hpoevm08.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\bin\
ThreadCreationTime : 7/18/2004 5:10:20 AM
BasePriority : Normal
FileSize : 276 KB
FileVersion : 4.2.0.170
ProductVersion : 002.000.000.170
Copyright : Copyright (C) Hewlett-Packard Co. 1995-2001
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Event Manager
InternalName : HPOEVM08
OriginalFilename : HPOEVM08.EXE
ProductName : hp digital imaging - hp all-in-one series
Created on : 12/2/2002 3:00:02 PM
Last accessed : 7/17/2004 6:30:00 PM
Last modified : 12/2/2002 3:00:02 PM

#:23 [hposts08.exe]
FilePath : C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\
ThreadCreationTime : 7/18/2004 5:10:28 AM
BasePriority : Normal
FileSize : 300 KB
FileVersion : 4.2.0.170
ProductVersion : 002.000.000.170
Copyright : Copyright (C) Hewlett-Packard Co. 1995-2001
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet Status
InternalName : HPOSTS08
OriginalFilename : HPOSTS08.EXE
ProductName : hp digital imaging - hp all-in-one series
Created on : 12/2/2002 3:11:48 PM
Last accessed : 7/17/2004 6:30:00 PM
Last modified : 12/2/2002 3:11:48 PM

#:24 [msnmsgr.exe]
FilePath : C:\Program Files\MSN Messenger\
ThreadCreationTime : 7/18/2004 5:15:23 AM
BasePriority : Normal
FileSize : 4768 KB
FileVersion : 6.2.0137
ProductVersion : Version 6.2
Copyright : Copyright (c) Microsoft Corporation 1997-2004
CompanyName : Microsoft Corporation
FileDescription : MSN Messenger
InternalName : msnmsgr
OriginalFilename : msnmsgr.exe
ProductName : MSN Messenger
Created on : 5/28/2004 9:52:04 AM
Last accessed : 7/17/2004 6:30:00 PM
Last modified : 5/28/2004 9:52:04 AM

#:25 [ymsgr_tray.exe]
FilePath : C:\Program Files\Yahoo!\Messenger\
ThreadCreationTime : 7/18/2004 7:54:29 AM
BasePriority : Normal
FileSize : 64 KB
Created on : 10/16/2003 8:53:56 PM
Last accessed : 7/17/2004 6:30:00 PM
Last modified : 2/4/2002 12:45:00 PM

#:26 [ad-aware.exe]
FilePath : C:\PROGRA~1\LAVASOFT\AD-AWA~1\
ThreadCreationTime : 7/18/2004 8:28:04 AM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 7/15/2004 4:16:54 AM
Last accessed : 7/17/2004 6:30:00 PM
Last modified : 7/12/2003 3:30:20 PM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0

Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"


Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 1


¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Tracking Cookie Object recognized!
Type : File
Data : [email]dad@bravenet[2].txt[/email]
Object : C:\Documents and Settings\Dad\Cookies\

Created on : 7/18/2004 5:18:04 AM
Last accessed : 7/17/2004 6:30:00 PM
Last modified : 7/18/2004 5:18:06 AM

Tracking Cookie Object recognized!
Type : File
Data : [email]dad@maxserving[1].txt[/email]
Object : C:\Documents and Settings\Dad\Cookies\

Created on : 7/18/2004 8:09:46 AM
Last accessed : 7/17/2004 6:30:00 PM
Last modified : 7/18/2004 8:09:48 AM


¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯


Performing conditional scans..
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Conditional scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 3


2:10:40 PM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:05:59:897
Objects scanned :48319
Objects identified :3
Objects ignored :0
New objects :3

0

Did you download the VX2finder & run it? Not the VX2cleaner plug-in. Also you need to post another hjt log.

0

I downloaded it but it was not VX2 finder, it was the ad-ware 6 and then i installed it thinking that i could be wong but unfortnualty it currupted the old adware too , so i had to uninstal it.. anyways here is the log from HJT

Logfile of HijackThis v1.97.7
Scan saved at 2:37:00 PM, on 7/18/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://202.144.13.19:81/login_rest.php
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Broadband (HKLM)
O9 - Extra 'Tools' menuitem: Sify Broadband (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37910.5435069444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{38C36455-8603-412B-8F5C-DEF4A32ECF87}: NameServer = 202.144.115.4,202.144.66.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{38C36455-8603-412B-8F5C-DEF4A32ECF87}: NameServer = 202.144.115.4,202.144.66.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{38C36455-8603-412B-8F5C-DEF4A32ECF87}: NameServer = 202.144.115.4,202.144.66.6

0

You're welcome :) . Marking this as solved. Anyone else with the same problem, please start your own thread. Thank you.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.