DotCom.toolbar
Uana
CherryBombDame@msn.com
01/12/04
I cannot get this dotcom.tool bar off my computer. I have tried spyblast, ad aware, and ran norton anti virus, and it STILL will not go away. Can anyone help me, is there something else I can try?
Mark

01/12/04
Ok. The Dotcom toolbar can be difficult to remove. First things first. Ad-Aware is good, but needs picky settings to do a good deep scan. I suggest you get SpyBot Search & Destroy (free), update it, and run it. It may ask you to reboot to kill active processes; do it. Then, get SpywareBlaster (also free) and update/run it (it's not a spyware remover per se, but may render Dotcom useless, and is an excellent complement to SpyBot or Ad-Aware for future protection). Post back with results. Good luck.
Iggy
iggy_ucsc@yahoo.com
02/03/04
Mark,

I just did everything you said above. I installed and ran both SpyBot Search & Destroy and SpywareBlaster.

Prior to that, I disabled the redirect.exe processes (5 and 6) and deleted them from my system.

So far so good, but after all, the dotcom toolbar option still exists. I don't know if it's functional or not, but when I right-click on the toolbar menu, there's still the option for the "dotcom toolbar".

Should I worry about it?
Thanks for your help,
I.

Mark

02/03/04
Hey Iggy. Digging a little, I found that what you did usually kills dotcom. Ending the redirect.exe processes (all) and deleting them is the way to go. There seems to be a registry signature left, but I wouldn't worry about it. If you really want to get rid of it entirely, download and run HijackThis! from Merijn. CAREFUL with this tool, as it can destroy your operating system with one wrong deletion !! This tool allows you to "save" a log after scanning, that you can Copy/Paste here for us to have a look at. Usually, you would need to go to a security forum with it, as only experts should guide you with deletions. We could have a peek here, and tell you if you need further help. Here's a link for the tool :

http://www.spywareinfo.com/~merijn/downloads.html

Scroll down to "Official downloads".

Drgnlo

02/10/04
I ran Hijack, removed all the Dot Com toolbar stuff, but when I go to play a movie file it opens up IE and puts everything back??
Mark

02/10/04
You should NOT run HijackThis! by yourself !!! You need experts to guide you when using this powerful tool. You didn't remove all that needed to be removed, because you didn't know how to analyse the log. Go to a good security forum, and post your log there. They will tell you what to do, and your box will be clean...
bill

02/11/04
Have the same toolbar but can't get to the http://www.spywareinfo.com/~merijn/downloads.html site??? Seems to be dead??

Thanks

Mark

02/12/04
I know Bill. Merijn's sites are all down. Don't know why (maintenance, problems, too much traffic,...). Keep trying, and you should get through eventually.
snowman

02/12/04
Mark:

Merijn, Tom Coyote, spyware have been under DoS attack.

"spywareinfo.com is under a massive distributed denial of service attack. My hosting service is working to filter out the attacking IP addresses but they're coming from all over the world at the moment.

spywareinfo.com, spywareinfo.net, spywareinfo.org, tomcoyote.org, merijn.org, malware.us, mikehealan.com and dogreader.com are off the net until the attack is blocked."

Feel free to take advantage of this place until it's rectified

This place= spybot forums
http://forums.net-integration.net/index.php?act=idx

snowman

02/12/04
Found a mirror for:
CW-Shredder: 1.48.2
http://www.majorgeeks.com/download4086.html

Hijack this (1.97.7)
http://www.majorgeeks.com/download3155.html

Still won't be able to update, but Shredder is fairly recent.

cliffy
tts2@yahoo.com
02/13/04
Hey, I was wondering if anyone knows how to stop the dot com toolbar... I run Ad-Aware and Search & Destroy, but every time I try and play a movie file it reinstalls the toolbar... Does anyone know how to help me?
James

02/25/04
Hey everyone, does anybody know how to get rid of DotCom toolbar without downloading/buying an antivirus program? I've deleted all the cookies from the computer, used Regedit to delete DotComtoolbar from every single user on the PC and have deleted all the extra .dll files, Redirect 5 and 6, the redir.exe file, and the redirect script.
Plus I've deleted it through control panel Add/Remove programs. Can you help please? If it's any help, I think I know what is the cause of DotCom toolbar. It's a site that if you accidentally go on once, it sends you to the DotCom toolbar website which downloads it. Also, it downloads its own files onto your computer. It is called www.findthewebsiteyouneed.com I think, but I may have written it wrong. A few days after you delete DotCom toolbar, you load Internet Explorer, and it makes itself your homepage, and if you don't click stop fast enough and change it, it redirects you to the DotCom toolbar website! (I have XP by the way)

Thanks,
James
Mark

02/25/04
Hey James. No antivirus can rid you of DotCom toolbars. This is spyware, and antivirus makers are staying away from those...

What you need is a free tool called HijackThis! This tool packs a lot of power, you need to handle it with extreme care. One wrong click and you can hurt Windows beyond repair. The good news is that you can solve a lot of problems with it. Now, you need to download the tool, run it but DON'T FIX ANYTHING YET ! You just click on "Scan", then on "Save log". Copy the log and paste it here, with your response, so we can look at it. We may need to send you to a security forum for expert advice later on. Here's the link :

http://www.majorgeeks.com/download3155.html

snowman

02/25/04
Removal
Just checked domains and findthewebsiteyouneed.com is a domain targeted by cw-shredder.

We have gotten rid of it using cw-shredder.

JAMES:

You'll have difficulty removing this manually.
You should download and run a removal tool for this. It works. It's free.
Go to this site:
http://www.majorgeeks.com/download4086.html

You'll find 2 tools you'll need.
Get both smartsearch killer minitool and cw-shredder.
Run the mini tool first.
Then run cw-shredder, have it fix problems, reboot.
Keep your browser closed while doing this.

We can give you suggestions to prevent this in future or recommend a decent free antivirus or other free tools if you want.

snowman

02/25/04
James
Use this site to get a more recent version of cw-shredder:

http://www.zerosrealm.com/downloads.php

Just scroll down to find it.

Or this alternate site:
http://www.spywareinfo.com/~merijn/downloads.html

James

02/26/04
Thanks everybody for replying!

I think I've managed to get rid of it, but before it used to come back after about five days, so I'll wait before I declare that I've got rid of it! :)

James

James

02/26/04
By the way, I can't download any programs because my computer always times out and gets disconnected before anything downloads. But I've checked some websites which tell you which files to delete, and I've totally got rid of everything to do with DotCom toolbar and Findthewebsiteyouneed.com - in fact, hopefully all of it. Things are looking pretty promising so far, so fingers crossed that it's gone for good.

James

James

02/26/04
Sorry about posting so many times! Just in case, I tried downloading the program, and somehow or other, it just managed to download, a few seconds before it disconnected! Hopefully this works!
James

02/26/04
Logfile of hijackThis v1.97.7
Scan saved at 19:26:08, on 26/02/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\windows\redirect6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\James\Local Settings\Temp\Temporary Directory 1 for hijack This.zip\hijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.findthewebsiteyouneed.com/
O1 - Hosts: 213.222.11.11 auto.search.msn.com
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E7188-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [easywww] C:\windows\easywww.exe
O4 - HKLM\..\Run: [redirect] c:\windows\redirect6.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.001] C:\WINDOWS\is-DC6SB.exe /REG
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-4445535400} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37673.6438773148
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4445535400} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DA2D5BBC-4862-4730-AA3E-E9A043E6918E}: NameServer = 195.92.195.95 195.92.195.94

Mark

02/26/04
Ok James. You've got a lot of nasty entries in that log. No wonder you are still hijacked !!

First things first : do you have SpyBot or Ad-Aware ? If not, get them both, update them (vital) and run them. Have the tools fix everything they find. Once done, run hijackThis! again and post a fresh log. DON'T FIX ANYTHING WITH hijackTHIS! YET. Here are links for those tools :

SpyBot S&D :
http://www.safer-networking.org/index.php?page=download
(scroll down a bit and click on "Download" next to "SpyBot...1.2")

Ad-Aware (from Lavasoft) :
http://majorgeeks.com/download.php?det=506
(select the USA flag mirror)

Mark

02/26/04
One more thing to do : you don't seem to have a full-time antivirus. You may have detectable trojans, so you need to run TWO free online scans to rule out trojans and virii. Do the Ad-Aware and SpyBot scans, then do these :

Housecall (Trend-Micro)
http://housecall.trendmicro.com/
(click on "Scan now, it's free")

Panda ActiveScan :
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
(click on "Scan your PC")

snowman

02/26/04
James, got to be quick.

Unzip HJT into its own directory.
It's in your temp folder so it won't make backups.

Be back shortly

Mark

02/26/04
Snowman is right. You need to create a new folder for hijackThis! Unzip it to that new folder, because it creates backups of fixes that you may need down the road. If you leave it in a TEMP folder, it will be deleted by Windows on your next restart, along with the backups. For example, open "My Computer", double-click on "Documents", then look left and choose "Create a new folder". Name it hijackThis. Then, unzip hijackThis! and point to this new folder. When you run the tool, it will create a backup and keep it in that same folder.
James

02/26/04
Am trying to use Spybot at the moment, but it keeps on getting stuck (either that or it is taking a vveerryy long time) on 2957/5835. Should I just try to leave it running or is it getting jammed?
Mark

02/26/04
SpyBot can be slow when it bumps into spyware. Let it run. If it goes beyond 30 minutes, we'll need a Plan B !!!
Mark

02/26/04
BTW James, you better cancel the scan, as SpyBot is NOT up-to-date !!! You should have a total of over 12 000 files to scan, instead of 5835. So, stop the scan, and go update it. Make sure you choose the "Rootboxen.net USA" server before you download the updates...
Frank

02/26/04
I don't see in my SpyBot S&D where I can pick the update site.

So I looked around for a button to open an "Advanced mode"; couldn't find one.

Finally I checked in my properties window and found /easymode on the command line.

I don't know how I got this on my command line. But when in this mode all of the settings are invisible.

Just a heads-up

So I removed the /easymode from the command line, restarted Spybot and all the options were there.

James

02/26/04
Currently updating Ad-aware and Spybot at the moment. I'll try to run the spybot tomorrow and leave it running all day (if it takes 5 hours to do 5835 file Spybot, imagine how long it will take with 12 000) and then I'll scan with hijack This and put the log up on here again.

James

James

02/26/04
Here it is so far without the updated versions being used (but the updated version of ad-aware)

Logfile of hijackThis v1.97.7
Scan saved at 23:10:10, on 26/02/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\logonui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\James\My Documents\Antivirus etc\Ad-aware 6\Ad-aware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\James\My Documents\Antivirus etc\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\James\My Documents\Antivirus etc\hijack This\hijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E7188-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-4445535400} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37673.6438773148
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4445535400} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DA2D5BBC-4862-4730-AA3E-E9A043E6918E}: NameServer = 195.92.195.94 195.92.195.95

Frank

02/26/04
Okay, I got the setting window.
Where is the place to choose "Rootboxen.net"?

Is this done in Proxy setting?
Or, is there somewhere else that I'm missing?

Mark

02/26/04
Hey Frank. Look left in the menu bar, and click on "Online". That puts you in the update window. You should have a "Search for updates" button. Click on it. Updates will appear with check boxes next to them. Check everything. Look up, at the top menu bar, you should see "UniDo (Europe)" ; click on the little "down" arrow next to it. Select Rootboxen. Then click on "Download updates". Hope you find it...
Frank

02/26/04
That did it, thanks.
Mark

02/26/04
James, sorry, I missed your previous post (too busy...).

Your new log looks a lot better !!! You killed a lot of crap with Ad-Aware. Excellent. I am amazed that SpyBot is taking sooo long to scan... never seen that before. I usually see between 4 and 13 minutes, depending on CPU clock speed... oh well. I'll take a look (or someone else will) at your new log tomorrow. Good job !
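
Added example, not part of the original thread or any poster's words: a small Python script that compares two HijackThis logs and reports which R/O entries and running processes disappeared between scans. The two sample logs are abridged from James's 19:26 and 23:10 posts above; the function names and the one-line section descriptions are this example's own.

```python
import re

# What each section code in the logs on this page records (example's own wording).
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE search/default URL",
    "O1": "Hosts file redirect", "O2": "Browser Helper Object",
    "O3": "IE toolbar", "O4": "Run/RunOnce autostart",
    "O9": "IE extra button/menu item", "O12": "IE plugin",
    "O16": "downloaded ActiveX control", "O17": "DNS name server setting",
}
ENTRY_RE = re.compile(r"^([RO]\d{1,2}) - (.+)$")

# Abridged from James's first log (19:26).
BEFORE = r"""Logfile of hijackThis v1.97.7
Running processes:
C:\WINDOWS\Explorer.EXE
c:\windows\redirect6.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
O1 - Hosts: 213.222.11.11 auto.search.msn.com
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [easywww] C:\windows\easywww.exe
O4 - HKLM\..\Run: [redirect] c:\windows\redirect6.exe
"""

# Abridged from James's second log (23:10), posted after the Ad-Aware run.
AFTER = r"""Logfile of hijackThis v1.97.7
Running processes:
C:\WINDOWS\Explorer.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
"""


def parse_log(text):
    """Return (processes, entries): lower-cased process paths and (section, detail) tuples."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_procs = False  # the R*/O* entries follow the process list
            entries.append((match.group(1), match.group(2).strip()))
        elif in_procs and line:
            processes.append(line.lower())
    return processes, entries


def _key(entry):
    # Windows paths and registry names are case-insensitive, so compare that way.
    return (entry[0], entry[1].lower())


def diff_logs(before, after):
    """Compare two logs; entry order follows the log each entry came from."""
    procs_b, ents_b = parse_log(before)
    procs_a, ents_a = parse_log(after)
    keys_b = {_key(e) for e in ents_b}
    keys_a = {_key(e) for e in ents_a}
    return {
        "removed": [e for e in ents_b if _key(e) not in keys_a],
        "added": [e for e in ents_a if _key(e) not in keys_b],
        "kept": [e for e in ents_b if _key(e) in keys_a],
        "stopped_processes": [p for p in procs_b if p not in procs_a],
    }


def count_by_section(entries):
    counts = {}
    for section, _ in entries:
        counts[section] = counts.get(section, 0) + 1
    return counts


if __name__ == "__main__":
    result = diff_logs(BEFORE, AFTER)
    for section, n in count_by_section(result["removed"]).items():
        print(f"removed {n} x {section} ({SECTIONS.get(section, 'unknown')})")
    for section, detail in result["kept"]:
        print(f"still present: {section} - {detail}")
    print("no longer running:", result["stopped_processes"])
```

Entries listed as still present are the ones left to research before fixing anything; the script only compares logs and does not judge whether an entry is malicious.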

snowman

02/26/04
Richard, much, much better.
You'll have to get an antivirus for yourself.

Good free here:
www.my-etrust.com/microsoft/
or AVG

Mark

02/26/04
(Snowman meant "James", I'm sure...)
James

02/27/04
I'm using the scans now and it says it's found a Trojan - easywww it's called - I think that's the name of the msn program so should I delete it?
Mark

02/27/04
Hey James. EasyWWW is spyware, pure and simple. Delete it. (has nothing to do with MSN). If you get stuck with it, here's a manual removal technique :

http://www.pestpatrol.com/PestInfo/e/easywww.asp

Frank
A little caution about PestPatrol.
Their site offers great malware "information", used by many pros out there; they have a good database for pests (processes, extensions,...), with good manual removal instructions that are a little excessive partly as a ploy to sell their software. Basically they "enhance" manual removal efforts to push their product.

Nothing to worry about so far,... Well, they have a free scanner called "Pestscan". First of all it scans only. NO removal. Second of all the scan is total garbage. This garbage scanner will give a report of multiple nasties like Coolweb and many known "super spyware", when in fact the machine can be clean. THAT is totally unforgivable. This creates excess upset and difficulty. It is really hard to remove a program that doesn't exist. :-)

So in conclusion, they have some good information. But their scanner sucks.

James

02/27/04
Ok. Btw, I wouldn't think it's working anyway. Every time the computer is loaded up, it says Easywww.exe failed to run. Program not responding. Something like that. Besides, I always shut down the process of it anyway.

Now all I have to do is wait for them to finish scanning - which has taken 45 minutes to get through 104397 files!!! (so far - another 200 files to go I think!)

James

02/27/04
I used the first anti-virus website you said, and it came up with about 5 virii and trojans, deleted them all except easywww.exe, which wouldn't delete as it said it was running - however, using Taskmanager, it has no "easywww.exe" in processes or applications. It shows msnmsgr.exe, EVNTSVC.exe, explorer.exe, taskmnr.exe, iexplore.exe, svchost.exe, pctspk.exe, SAGENT2.exe, alg.exe, spoolsv.exe, svc host.exe (x4), lsass.exe, services.exe, winlogon.exe, crss.exe, smss.exe, wuaclt.exe, system, system idle process. Also, using the site you gave me, it said delete it in the directory systemroot+, but I do not have that folder (I don't think) as I have XP. Also, through the scan, it located "easywww.exe" in C:/Windows, and even though hidden files were shown, no easywww.exe file could be seen. Any ideas?

Thanks, James

James

02/27/04
Never mind about easywww.exe - it seems to have been erased by another antivirus program. Here is the log file now.

Logfile of hijackThis v1.97.7
Scan saved at 23:16:04, on 27/02/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\James\My Documents\Antivirus etc\hijack This\hijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\James\MYDOCU~1\ANTIVI~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E7188-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-4445535400} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37673.6438773148
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4445535400} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DA2D5BBC-4862-4730-AA3E-E9A043E6918E}: NameServer = 195.92.195.94 195.92.195.95

James

02/27/04
It seems to have got longer - I think it was because of the antivirus scans.
James

02/27/04
So far, both Dotcom Toolbar, and another toolbar, that I didn't know was not meant to be there - "Search" bar (deleted in the process) are gone. Hopefully for good :) I think, looking at the log, that the searchbar comes from Findthewebsiteyouneed.com, and Dotcom.com and their toolbar is in association with Findthewebsiteyouneed.com and their searchbar, so I think I'd have also had to delete the searchbar to get rid of Findthewebsiteyouneed.com - luckily, meanwhile trying to get rid of Dotcom toolbar, Searchbar has gone too! Hooray! In a few days, I will probably come back to say whether Dotcom and Search toolbar have gone for good. By the way, I've also now got Spyware blaster, to prevent future stuff from attacking the PC.

Thanks everyone for helping,
James

Wanda

02/28/04
Don't ever try to fix your hijackThis log by yourself, if you don't get a response here please post it on the msg board at techtv.com

Don't use CWshredder unless you already have a Coolweb Search problem.. the CWS program will actually cause problems for a clean machine! Not like other programs you can just run..

Please, before ever running hijackThis you should run Spybot, your AV, empty temp files/history/cookies.. the logs can take a long time to research so if they're cleaned out as much as possible in the first place it would help.

Also posting what you use for a homepage and preferred search engine would help.. also if you use any 'helper' toolbar and what it is (cuz the toolbars are usually spyware and add to the problems).

If you do end up downloading hijackThis then CWshredder (when asked to use it).. all the latest versions are available below for download, along with virus scans on 2nd pg.

Want to learn more about your pc?
tune into TechTv.com on your expanded cable service!

http://hotspots.81x.com

ariusze/hotmail

dave2
dragopublish@hotmail.com
03/07/04
http://dave2.rocketjump.org/admin/upload/hijackthis.log

Here's my log, I still have some redirection problems when I open IE. My homepage is google, and when I start, the url "http://click.dotcomtoolbar.com/redirect" is flashed briefly and suddenly I'm at http://www.google.com/? . Not entirely sure if I'm rid of the DCT.

Anti-SpyWare: Spybot, hijack This!
Anti-Virus: None...
Firewall: Provided by ISP
OS: WinXP


© Copyright 1998-2004 Newbie dot Org -- All rights reserved --