Nellie2 - you saved me last week !

  Diemmess 12:58 27 Nov 04

What is it with my meddling Grandchildren? .........Last week it was a different branch of my weird family....... Nellie2 gave recommendations on a "HijackThis log" which totally eradicated all the problems....Brilliant.

This morning an SOS to me to sort this computer for daughter and grandsons. "Can't connect on BB"

No.1 Grandson, clearly the culprit - "Not my fault, You -(his Mum)- always blame me!"........ I was told that AVG had been run..... CClean and Spybot as well - loads of stuff removed........ I have managed to re-establish BB connection, cleaned once more and ran HijackThis.

From what little I understand, the log seems full of bad or dubious lines.

In view of its length I will post the log separately on this thread.

I will be so grateful if you can indicate the baddies for me.

  Diemmess 13:10 27 Nov 04

Logfile of HijackThis v1.98.2
Scan saved at 10:11:51, on 20/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

d:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\ZONELABS\vsmon.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

D:\Program Files\Grisoft\AVG6\avgcc32.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINNT\system32\MSOffice\services.exe

C:\Program Files\Web_Rebates\WebRebates0.exe

C:\WINNT\updatetc.exe

C:\program files\180solutions\sais.exe

C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe

C:\Program Files\VoyagerTest\fts.exe

C:\Program Files\Web_Rebates\WebRebates1.exe

C:\WINNT\system32\wuauclt.exe

C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe

C:\PROGRA~1\Motive\Common\MOTIVE~1.EXE

C:\Program Files\AOL\Broadband CheckUp\bin\mad.exe

C:\Program Files\AOL\Broadband CheckUp\bin\mpbtn.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE

C:\Program Files\AOL 9.0a\aoltray.exe

F:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = click here

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = click here

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = click here

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://a-search.biz/?wmid=3305

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

F2 - REG:system.ini: UserInit=Userinit.exe,TGBRFV_

  Diemmess 13:11 27 Nov 04

O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com

O1 - Hosts: 127.0.0.3 x.full-tgp.net

O1 - Hosts: 127.0.0.3 counter.sexmaniack.com

O1 - Hosts: 127.0.0.3 autoescrowpay.com

O1 - Hosts: 127.0.0.3 click here

O1 - Hosts: 127.0.0.3 click here

O1 - Hosts: 127.0.0.3 click here

O1 - Hosts: 127.0.0.3 awmdabest.com

O1 - Hosts: 127.0.0.3 sexfiles.nu

O1 - Hosts: 127.0.0.3 allforadult.com

O1 - Hosts: 127.0.0.3 click here

O1 - Hosts: 127.0.0.3 click here

O1 - Hosts: 127.0.0.3 click here

O1 - Hosts: 127.0.0.3 vesbiz.biz

O1 - Hosts: 127.0.0.3 click here

O1 - Hosts: 127.0.0.3 aaasexypics.com

O1 - Hosts: 127.0.0.3 click here

O1 - Hosts: 127.0.0.3 virgin-tgp.net127.0.0.1 click here

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\WINNT\system32\msacmx.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\MSDXM.OCX

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [Zone Labs Client] D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [AVG_CC] D:\Program Files\Grisoft\AVG6\avgcc32.exe /startup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\system32\twink64.exe internat.dll,LoadKeyboardProfile

O4 - HKLM\..\Run: [MSOffice] C:\WINNT\system32\MSOffice\services.exe

O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

O4 - HKLM\..\Run: [tpcupdater] C:\WINNT\updatetc.exe

O4 - HKLM\..\Run: [dllhostxp.exe] dllhostxp.exe

O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe

O4 - HKLM\..\Run: [eryp] c:\winnt\eryp.exe

O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon

O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe

O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"

O4 - HKLM\..\RunOnce: [1] C:\WINNT\system32\cmd.exe /c erase "C:\DOCUME~1\AJMEEK~1\LOCALS~1\Temp\AcsInstall.dll"

O4 - HKLM\..\RunOnce: [2] C:\WINNT\system32\cmd.exe /c erase "C:\DOCUME~1\AJMEEK~1\LOCALS~1\Temp\AcsUninstall.exe"

O4 - HKLM\..\RunOnce: [3] C:\WINNT\system32\cmd.exe /c erase "C:\DOCUME~1\AJMEEK~1\LOCALS~1\Temp\AcsUninstallRes.dll"

O4 - HKLM\..\RunOnce: [4] C:\WINNT\system32\cmd.exe /c erase "C:\DOCUME~1\AJMEEK~1\LOCALS~1\Temp\shfolder.dll"

O4 - HKLM\..\RunOnce: [5] C:\WINNT\system32\cmd.exe /c erase "C:\DOCUME~1\AJMEEK~1\LOCALS~1\Temp\insmac2k.dll"

O4 - HKCU\..\Run: [ccleaner] "D:\CCleaner\ccleaner.exe" /AUTO

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe

O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra button: Corel Network monitor worker - {CC16E70E-DC05-42E4-A6C2-E584BC741D50} - (no file)

O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {CC16E70E-DC05-42E4-A6C2-E584BC741D50} - (no file)

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll

O9 - Extra button: Corel Network monitor worker - {CC16E70E-DC05-42E4-A6C2-E584BC741D50} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {CC16E70E-DC05-42E4-A6C2-E584BC741D50} - (no file) (HKCU)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=click here

O15 - Trusted Zone: http://*.63.219.181.7

O15 - Trusted Zone: *.c4tdownload.com

O15 - Trusted Zone: *.clickspring.net

O15 - Trusted Zone: *.iframe.biz

O15 - Trusted Zone: *.mt-download.com

O15 - Trusted Zone: *.newiframe.biz

O15 - Trusted Zone: *.overpro.com

O15 - Trusted Zone: *.pizdato.biz

O15 - Trusted Zone: *.slotch.com

O15 - Trusted Zone: *.sp2admin.biz

O15 - Trusted Zone: *.sp2fucked.biz

O15 - Trusted Zone: *.vse-moe.biz

O15 - Trusted Zone: *.windupdates.com

O15 - Trusted Zone: *.xxxtoolbar.com

O15 - Trusted Zone: *.ysbweb.com

  Kegger 13:17 27 Nov 04

Both 180 solutions and Web rebates are trojans.
click here click here to get rid of 180 and here to get rid of web rebates click here

  Kegger 13:21 27 Nov 04

Download and install SpySweeper, which should solve your problems click here click here

  VoG II 13:24 27 Nov 04

With respect to Kegger, wait for Nellie2. There's a lot more on there and you would be better off fixing using HJT.

  Djohn 13:38 27 Nov 04

More than a couple of nasties on there Diemmess :o(

  Nellie2 14:23 27 Nov 04

Oh dear.... first of all I think we should use Adaware and Spybot to clean this up a bit! Download them, update them and run them and let them fix what they find.

Then download hoster from click here extract it from the zip file and double click it and click on the 'restore original hosts' button.

Reboot and run hijackthis again and post another log and I'll clean up what is left!

  Diemmess 14:48 27 Nov 04

"Oh dear" was my first thought too! .........I don't have your expertise, but even I can see a fistful of things that should - not - be - there.

I have the feeling that this week's bovver resulted from loading MessengerPlus, and that Number 1 G/son made an effort to remove it, but left all the mess that had slipped in while running.
Shall go to the site tomorrow armed with the so handy usb stick, loaded with the latest version kit of tools, and report back after applying some surgery.

  Nellie2 16:32 27 Nov 04

There is a hell of a lot more there than just lop... but don't be too hard on the lad.. these things can happen to anyone! There is a lot there that Spybot and Adaware won't get.. but we may as well clear the easy stuff off first! :)

  Diemmess 10:15 28 Nov 04

Much reduced now, hoping you can work your magic. I am deeply grateful.

Logfile of HijackThis v1.98.2
Scan saved at 09:26:21, on 21/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE

d:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\ZONELABS\vsmon.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe

C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

D:\Program Files\Grisoft\AVG6\avgcc32.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINNT\system32\twink64.exe

C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe

C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe

C:\Program Files\VoyagerTest\fts.exe

C:\Program Files\AOL 9.0a\aoltray.exe

C:\Program Files\AOL Companion\companion.exe

C:\WINNT\system32\wuauclt.exe

F:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = click here

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = click here

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = click here

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

F2 - REG:system.ini: UserInit=Userinit.exe,TGBRFV_

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\WINNT\system32\msacmx.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\MSDXM.OCX

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [Zone Labs Client] D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [AVG_CC] D:\Program Files\Grisoft\AVG6\avgcc32.exe /startup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ControlPanel] C:\WINNT\system32\twink64.exe internat.dll,LoadKeyboardProfile

O4 - HKLM\..\Run: [dllhostxp.exe] dllhostxp.exe

O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon

O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe

O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"

O4 - HKCU\..\Run: [ccleaner] "D:\CCleaner\ccleaner.exe" /AUTO

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe

O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe

O9 - Extra button: Corel Network monitor worker - {CC16E70E-DC05-42E4-A6C2-E584BC741D50} - (no file)

O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {CC16E70E-DC05-42E4-A6C2-E584BC741D50} - (no file)

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll

O9 - Extra button: Corel Network monitor worker - {CC16E70E-DC05-42E4-A6C2-E584BC741D50} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {CC16E70E-DC05-42E4-A6C2-E584BC741D50} - (no file) (HKCU)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=click here

O15 - Trusted Zone: http://*.63.219.181.7

O15 - Trusted Zone: *.c4tdownload.com

O15 - Trusted Zone: *.iframe.biz

O15 - Trusted Zone: *.newiframe.biz

O15 - Trusted Zone: *.overpro.com

O15 - Trusted Zone: *.sp2admin.biz

O15 - Trusted Zone: *.sp2fucked.biz

O15 - Trusted Zone: *.windupdates.com
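
Added example, not part of any post in this thread: a small Python script that compares a HijackThis log taken before a cleanup pass with one taken after it, and lists which entries were removed and which are still present. The two sample logs are abridged excerpts of the logs posted above, and the function names are this example's own.

```python
import re
from collections import defaultdict

# HijackThis entries start with a section code: R0-R3, F0-F3, N1-N4 or O1, O2, ...
ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Map section code -> set of entry texts; header and process lines are skipped."""
    sections = defaultdict(set)
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            sections[m.group(1)].add(m.group(2))
    return sections

def compare(before_text, after_text):
    """Return (removed, survived): entries per section that are gone or still present."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    removed, survived = {}, {}
    for code, items in before.items():
        later = after.get(code, set())
        if items - later:
            removed[code] = sorted(items - later)
        if items & later:
            survived[code] = sorted(items & later)
    return removed, survived

# Abridged excerpts of the two logs posted in this thread (one entry per line).
BEFORE = r"""
Running processes:
C:\WINNT\system32\svchost.exe
F2 - REG:system.ini: UserInit=Userinit.exe,TGBRFV_
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\WINNT\system32\msacmx.dll
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [dllhostxp.exe] dllhostxp.exe
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.windupdates.com
"""
AFTER = r"""
F2 - REG:system.ini: UserInit=Userinit.exe,TGBRFV_
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\WINNT\system32\msacmx.dll
O4 - HKLM\..\Run: [dllhostxp.exe] dllhostxp.exe
O15 - Trusted Zone: *.windupdates.com
"""

if __name__ == "__main__":
    removed, survived = compare(BEFORE, AFTER)
    for code in sorted(survived):
        for entry in survived[code]:
            print(f"still present  {code} - {entry}")
```

The comparison is an exact string match per section, so a log whose long lines were wrapped by a forum needs those lines rejoined before it is fed in.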
