Newbie dot Org HomePage
Visit one of our web buddies
HJT Log I have a virus !!
kris ( again)

09/16/04 		here is the HJT log PLease help it sows down my pc I HATE MY SISTER !! ...

Logfile of HijackThis v1.98.2
Scan saved at 19:46:58, on 16-9-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Shareaza\Shareaza.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\kris kalwij\Mijn documenten\sweepers\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\KRISKA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\KRISKA~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\KRISKA~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\KRISKA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\KRISKA~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\KRISKA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {3CF463CB-CC8A-405C-9157-30112D0BAE1C} - C:\WINDOWS\System32\mjiolh.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [eszbmpknf] C:\WINDOWS\System32\zdablpu.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [\Pribi.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.exe
O4 - Startup: loaddfox[1].exe
O4 - Global Startup: Sitecom Wireless LAN Utility.lnk = ?
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: v2cab - http://14222.searchmiracle.com/cab/v2cab.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-nl/nl/games4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = home.intra
O17 - HKLM\Software\..\Telephony: DomainName = home.intra
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = home.intra
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tilbu1.nb.home.nl
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = home.intra
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tilbu1.nb.home.nl
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tilbu1.nb.home.nl
O18 - Filter: text/html - {20625791-1DC9-4E66-9188-54B489149F45} - C:\WINDOWS\System32\mjiolh.dll
O18 - Filter: text/plain - {20625791-1DC9-4E66-9188-54B489149F45} - C:\WINDOWS\System32\mjiolh.dll

Mark

09/16/04 		OUCH !! You know what ? I'm not a big fan of your sister either...LOL !! She really outdid herself this time ; a nasty Coolweb variant, WebRebates AND NewNet !! Some surfing she's be doin'...

I can't do a complete fix right now (have to run), but please start by removing "NewNet" by looking at our links here, to the left : click on "Remove NewDotNet" and follow instructions. Also, go to Add/Remove Programs and uninstall "WebRebates" if you see it (don't worry if you get an error while uninstalling...). Reboot once done. Post a new HijackThis! log afterwards. Good luck !

kris

09/16/04 		''New net '' ... i dont see them
kris here is log

09/16/04 		Logfile of HijackThis v1.98.2
Scan saved at 21:25:58, on 16-9-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\rundll32.exe
D:\Winamp\winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Sitecom Wireless LAN\WLANUTL.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\kris kalwij\Menu Start\Programma's\Opstarten\loaddfox[1].exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\kris kalwij\Mijn documenten\sweepers\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\KRISKA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\KRISKA~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\KRISKA~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\KRISKA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\KRISKA~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\KRISKA~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {3CF463CB-CC8A-405C-9157-30112D0BAE1C} - C:\WINDOWS\System32\mjiolh.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [eszbmpknf] C:\WINDOWS\System32\zdablpu.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [WinampAgent] D:\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [\Pribi.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.exe
O4 - Startup: loaddfox[1].exe
O4 - Global Startup: Sitecom Wireless LAN Utility.lnk = ?
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: v2cab - http://14222.searchmiracle.com/cab/v2cab.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-nl/nl/games4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = home.intra
O17 - HKLM\Software\..\Telephony: DomainName = home.intra
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = home.intra
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tilbu1.nb.home.nl
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = home.intra
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tilbu1.nb.home.nl
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tilbu1.nb.home.nl
O18 - Filter: text/html - {20625791-1DC9-4E66-9188-54B489149F45} - C:\WINDOWS\System32\mjiolh.dll
O18 - Filter: text/plain - {20625791-1DC9-4E66-9188-54B489149F45} - C:\WINDOWS\System32\mjiolh.dll

kris

09/17/04 		new log ...

Logfile of HijackThis v1.98.2
Scan saved at 17:25:00, on 17-9-2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\zdablpu.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\rundll32.exe
D:\Winamp\winampa.exe
C:\WINDOWS\EDialers\34-1-59-4-vostok-.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Sitecom Wireless LAN\WLANUTL.exe
C:\Documents and Settings\kris kalwij\Menu Start\Programma's\Opstarten\loaddfox[1].exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\kris kalwij\Mijn documenten\sweepers\HijackThis.exe

O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [eszbmpknf] C:\WINDOWS\System32\zdablpu.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [WinampAgent] D:\Winamp\winampa.exe
O4 - HKLM\..\Run: [vostok] C:\WINDOWS\EDialers\34-1-59-4-vostok-.exe !m
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [\Pribi.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.exe
O4 - Startup: loaddfox[1].exe
O4 - Global Startup: Sitecom Wireless LAN Utility.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = home.intra
O17 - HKLM\Software\..\Telephony: DomainName = home.intra
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = home.intra
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tilbu1.nb.home.nl
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = home.intra
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tilbu1.nb.home.nl
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tilbu1.nb.home.nl

John L

09/17/04 		Kris: Go to the left and up to find the links for new net removal. It says remove new net.
kris

09/18/04 		new log

Logfile of HijackThis v1.98.2
Scan saved at 16:45:43, on 20-9-2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\zdablpu.exe
C:\Program Files\QuickTime\qttask.exe
D:\Winamp\winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Sitecom Wireless LAN\WLANUTL.exe
C:\Documents and Settings\kris kalwij\Menu Start\Programma's\Opstarten\loaddfox[1].exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\kris kalwij\Mijn documenten\sweepers\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [eszbmpknf] C:\WINDOWS\System32\zdablpu.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] D:\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [\Pribi.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.exe
O4 - Startup: loaddfox[1].exe
O4 - Global Startup: Sitecom Wireless LAN Utility.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = home.intra
O17 - HKLM\Software\..\Telephony: DomainName = home.intra
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = home.intra
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tilbu1.nb.home.nl
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = home.intra
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tilbu1.nb.home.nl
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tilbu1.nb.home.nl

kris

09/19/04 		come on :P i get sick of mine slow pc i close evry time this thing wlantul.exe becouse it absorps almost all of my RAM can some one tell me wat that is ?
ed

09/19/04 		restart to safe mode navigate to
C:\WINDOWS\System32 and delete zdablpu.exe

if youve got a program called internet optimiser uninstall it

run hjt again and have it fix

O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem219.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O4 - HKLM\..\Run: [eszbmpknf] C:\WINDOWS\System32\zdablpu.exe
O4 - HKCU\..\Run: [\Pribi.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll

Mark

09/19/04 		Thanks for stopping by Ed...

Kris : how come your computer clock rewinded to September 2003 ??

kris

09/19/04 		dont know ... i put it back though... to 2004

here is a new log of HJT is any thing worng with it couse my pc is still kinda slow :P and
the progam loadfox is on my pc anddont know hoe it get there it is a green thingy ..

Logfile of HijackThis v1.98.2
Scan saved at 16:33:07, on 21-9-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
D:\Winamp\winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Sitecom Wireless LAN\WLANUTL.exe
C:\Documents and Settings\kris kalwij\Menu Start\Programma's\Opstarten\loaddfox[1].exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\kris kalwij\Mijn documenten\sweepers\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] D:\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - Startup: loaddfox[1].exe
O4 - Global Startup: Sitecom Wireless LAN Utility.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = home.intra
O17 - HKLM\Software\..\Telephony: DomainName = home.intra
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = home.intra
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tilbu1.nb.home.nl
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = home.intra
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tilbu1.nb.home.nl
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tilbu1.nb.home.nl

kris

09/19/04 		and the date to now :P to sunday ... 19 ..
kris

09/22/04 		the WLANTUL.exe is not gone plz help is realy slows don my pc :P
Mark

09/22/04 		Ok Kris, let's try and finish this off... First, follow this link where you'll find instructions on how to See hidden files and folders.

Now, fire up Task Manager (press CTRL+ALT+DEL), "Processes" tab, and END this process :

loaddfox[1].exe

Look for this file and delete it :

C:\Documents and Settings\kris kalwij\Menu Start\Programma's\Opstarten\loaddfox[1].exe <<< this file

Next, have ONLY HijackThis! running, and fix this entry :

O4 - Startup: loaddfox[1].exe

Reboot. Scan with HijackThis! again, and post a new log. Remind me to tell you where you can find a good FREE antivirus program ; you really need one... Good luck !

kris

09/23/04 		i can't delete
C:\Documents and Settings\kris kalwij\Menu Start\Programma's\Opstarten\loaddfox[1].exe

accses denied ? must i try it is save mode ?

and whats WLANTUL.exe ? couse i need to close it in the beginnig of evry start of mine pc ... i hate it ( it absorps all my RAM )

Mark

09/23/04 		Yup, you can get "loaddfox[1].exe" in Safe Mode. As for the other file, it's not showing up in your log, because you've killed the process ; I can't find anything on it (if your spelling is correct), meaning it is probably a nasty. You could let the process run, then scan with HijackThis! and show me the log, so I can see where it is running from...
kris

09/23/04 		ill post it next time ... ( gtg to school now and i'll post it in the midday :D
kris

09/24/04 		Logfile of HijackThis v1.98.2
Scan saved at 18:40:22, on 24-9-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
here log with the .exe

C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\vsnpstd.exe
C:\Program Files\Sitecom Wireless LAN\WLANUTL.exe
C:\Documents and Settings\kris kalwij\Menu Start\Programma's\Opstarten\loaddfox[1].exe
C:\Program Files\Adobe\RealVNC\WinVNC\winvnc.exe
C:\Documents and Settings\kris kalwij\Mijn documenten\sweepers\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.43.3:8080
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - Startup: loaddfox[1].exe
O4 - Startup: I-Net Database.lnk = C:\Program Files\Adobe\RealVNC\WinVNC\winvnc.exe
O4 - Global Startup: Sitecom Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = home.intra
O17 - HKLM\Software\..\Telephony: DomainName = home.intra
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = home.intra
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tilbu1.nb.home.nl
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = home.intra
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tilbu1.nb.home.nl
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tilbu1.nb.home.nl

kris

09/25/04 		cant get loadfox out in save mode :(
kris

09/29/04 		hello ?? i got the loadfox :D with the administrator accound and then in MS-DOS i removed it :D
LJV
sublime_jade@hotmail.com
10/13/04 		Add/Remove programs will not remove WebRebates. Can you help me.

Anti-SpyWare: built in fuse
Anti-Virus: Norton
Browser: IE6
OS: W2k

© Copyright 1998-2004 Newbie dot Org -- All rights reserved --
This site maintained by Galaxy Website Design


--|--