please help popups and browse..
kris

09/05/04
Hi, I get sick of pop-ups and a browser hijack... please help

I have run CWShredder and Ad-Aware SE and a spy sweep and a sweep on the Panda site. I am desperate :P
this is the log :P

Logfile of HijackThis v1.98.2
Scan saved at 19:19:08, on 5-9-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\kris kalwij\Application Data\atuw.exe
C:\Program Files\Sitecom Wireless LAN\WLANUTL.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\kris kalwij\Mijn documenten\sweepers\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\corbz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\corbz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\corbz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\corbz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\corbz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\corbz.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\corbz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {9B25BCAB-D3CF-F3E7-5310-C70A87FBFEEA} - C:\WINDOWS\netbw32.dll (file missing)
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [eszbmpknf] C:\WINDOWS\System32\zdablpu.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Wopr] C:\Documents and Settings\kris kalwij\Application Data\atuw.exe
O4 - HKCU\..\Run: [\Pribi.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.exe
O4 - HKCU\..\Run: [Cuuum] C:\WINDOWS\System32\alwmotrg.exe
O4 - Global Startup: Sitecom Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {018A066F-584A-422F-AC4C-0B1F5FE5C040} (VacPro.olanda_ver3) - http://www.advnt01.com/dialer/olanda_ver3.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = home.intra
O17 - HKLM\Software\..\Telephony: DomainName = home.intra
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = home.intra
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tilbu1.nb.home.nl
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = home.intra
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tilbu1.nb.home.nl
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tilbu1.nb.home.nl

hope you can do something with it....

John L

09/05/04
Kris: Although I am not a tech within these pages, there are things that I do see. I have to ask these questions: do you run antivirus protection at all, or any spyware programs, or for that matter a firewall to hide behind? What I see that I would address is that you have viruses in that box. Here is a link to try and remove at least some of them.

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Before you do the scan, disable System Restore and tick "sanitize" at the scan site; what it does is remove the viruses automatically for you. When the scan is done, re-enable System Restore, reboot your computer and post another HijackThis log. Please let me know what kind of protection you have installed; that way we can help you faster. Good luck and good hunting.

ed

09/05/04
Kris, welcome to Newbie.
Restart to safe mode and navigate to:
C:\Documents and Settings\kris kalwij\Application Data and delete atuw.exe
C:\Program Files and delete the folder Web_Rebates

Boot back to normal mode and run HJT again with Internet Explorer closed, select the following and click Fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\corbz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\corbz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\corbz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\corbz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\corbz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\corbz.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\corbz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {9B25BCAB-D3CF-F3E7-5310-C70A87FBFEEA} - C:\WINDOWS\netbw32.dll (file missing)
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [eszbmpknf] C:\WINDOWS\System32\zdablpu.exe
O4 - HKCU\..\Run: [\Pribi.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.exe
O4 - HKCU\..\Run: [Cuuum] C:\WINDOWS\System32\alwmotrg.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O16 - DPF: {018A066F-584A-422F-AC4C-0B1F5FE5C040} (VacPro.olanda_ver3) - http://www.advnt01.com/dialer/olanda_ver3.CAB

If you don't recognise those O17 entries as being from your internet service provider or network, then have HJT fix them as well.
You need an up-to-date version of either Ad-Aware or Search and Destroy, as much of your problem has been very well-known spyware.
search and destroy
ad-aware
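
A triage sketch for the kind of log posted in this thread, added here as an example and not part of any post: it flags `res://` search settings, BHOs whose file is missing, and Run values whose name is unrelated to an executable in System32 or Application Data. The heuristics and the `triage` function are assumptions of this example, not HijackThis behaviour; the sample lines come from the log above with the user name replaced by a placeholder, and a hit is a prompt for review, not a verdict.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: lines from the posted log, user name replaced by "user".
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\corbz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O2 - BHO: (no name) - {9B25BCAB-D3CF-F3E7-5310-C70A87FBFEEA} - C:\WINDOWS\netbw32.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [eszbmpknf] C:\WINDOWS\System32\zdablpu.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Wopr] C:\Documents and Settings\user\Application Data\atuw.exe
O4 - HKCU\..\Run: [Cuuum] C:\WINDOWS\System32\alwmotrg.exe
"""

ENTRY = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
RUN = re.compile(r"^HK\w+\\\.\.\\Run: \[(.*?)\] (.*)$")
# Assumption of this example: directories where a mismatched name deserves a look.
SUSPECT_DIRS = ("\\system32", "\\application data")

def _norm(s):
    """Lower-case and keep only letters and digits, for loose name comparison."""
    return re.sub(r"[^a-z0-9]", "", s.lower())

def triage(log):
    """Return (section, reason, detail) tuples for entries worth a closer look."""
    findings = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, rest = m.groups()
        if code in ("R0", "R1") and " = " in rest:
            key, data = rest.split(" = ", 1)
            if data.lower().startswith("res://"):
                findings.append((code, "IE search setting points into a local file", key))
        elif code == "O2" and rest.endswith("(file missing)"):
            findings.append((code, "BHO registered but its file is missing", rest))
        elif code == "O4" and (run := RUN.match(rest)):
            name, cmd = run.groups()
            exe = re.match(r'"?(.+?\.exe)', cmd, re.I)  # path may hold spaces
            path = PureWindowsPath(exe.group(1) if exe else cmd)
            stem, label = _norm(path.stem), _norm(name)
            related = stem in label or label in stem
            if str(path.parent).lower().endswith(SUSPECT_DIRS) and not related:
                findings.append((code, "Run value name unrelated to executable", name))
    return findings
```
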

kris

09/06/04
I have Ad-Aware SE and the newest Search and Destroy, ran both and killed 244 things. Is there an easy way to get into safe mode (Win XP)?

ed

09/06/04
While starting your computer, repeatedly tap the F8 key as soon as you hear the 'post beep' until you are presented with startup options. Using the arrow keys, select safe mode and hit Enter; this will be safe mode.


© Copyright 1998-2004 Newbie dot Org -- All rights reserved --


