StealthG Posted September 5, 2004

I ran spybot and ad-aware and they removed over 150 items on my brother's computer. I had to end processes from Windows Task Manager in order to use the internet. And every time I reboot more items show up. Here's the log.

Logfile of HijackThis v1.98.2
Scan saved at 12:37:06 PM, on 9/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cvss.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\woinstall.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\MasterX\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll (file missing)
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
O4 - HKLM\..\Run: [msbb] c:\windows\system32\msbb.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [sESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\System32\keyword.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Tres] C:\Documents and Settings\MasterX\Application Data\hwal.exe
O4 - HKCU\..\Run: [Zgdmlpb] C:\WINDOWS\System32\zheoapdv.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\system32\ezStub.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspak.dll
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...30654e7b5354c8d
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094402088846

subratam Posted September 5, 2004

Download VX2Finder(126) and post the log (By Option_Explicit)
http://downloads.subratam.org/VX2Finder(126).exe

Run Vx2Finder and click on the *click to find VX2.BetterInternet* button. Then Make log and post it back here. Do nothing else with it yet.

StealthG Posted September 5, 2004

Here it is

Log for VX2.BetterInternet File Finder (msg126)
Files Found---
Additional Files---
C:\WINDOWS\System32\lspak.dll
Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon
Guardian Key--- is called:
User Agent String---
{A3BC3BEF-9DF1-45D3-8B48-F8DA59675884}

subratam Posted September 5, 2004

Ok, it seems we may have to try the old version of the tool.

Download VX2Finder from this link (for XP & NT systems only):
http://www.downloads.subratam.org/VX2Finder.exe

Run Vx2Finder and click on the *click to find VX2.BetterInternet* button. Then click *make log*. Close the tool and copy and paste the contents of the log into your next reply here.

StealthG Posted September 5, 2004

Here's the new one

Log for VX2.BetterInternet File Finder
Files Found---
Guardian Key--- is called:
User Agent String---
{A3BC3BEF-9DF1-45D3-8B48-F8DA59675884}

subratam Posted September 5, 2004

Download LSPfix here: http://www.cexx.org/lspfix.htm

Start the program and then check the "I know what I'm doing" box.
Disconnect from the internet.
Move all instances of lspak.dll to the Remove pane. Click the Finish button.
After completion, reboot and post a fresh HijackThis log.

Regards

StealthG Posted September 5, 2004

Thank you subratam, here's the new hjt log.

Logfile of HijackThis v1.98.2
Scan saved at 2:50:31 PM, on 9/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cvss.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\MasterX\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [msbb] c:\windows\system32\msbb.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...30654e7b5354c8d
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094402088846

subratam Posted September 5, 2004

Fix the following in Hijackthis

O4 - HKLM\..\Run: [msbb] c:\windows\system32\msbb.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...30654e7b5354c8d

Reboot and run spybot and adaware (checking updates and doing a reboot in between) and reboot finally and post a fresh hijackthis log

Regards

StealthG Posted September 6, 2004

Removed those two entries and ran both spybot and ad-aware, here's the new one:

Logfile of HijackThis v1.98.2
Scan saved at 8:18:32 PM, on 9/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cvss.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\MasterX\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094402088846

subratam Posted September 6, 2004

Are you still having any more problems? Fix this entry

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

and post a fresh log.

Regards

StealthG Posted September 6, 2004

I am having no more problems, but here's the new hjt log.

Logfile of HijackThis v1.98.2
Scan saved at 9:30:12 PM, on 9/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cvss.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\MasterX\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094402088846

Besttechie Posted September 7, 2004

Hi,

This file is really bothering me (what's in red).

C:\WINDOWS\System32\cvss.exe

Run Spybot and Ad-aware one more time and make sure they have the most up to date definitions. Make sure you have Ad-aware SE 1.04 the newest version.

Then post a new logfile.

B

StealthG Posted September 7, 2004

Thank you besttechie:

Logfile of HijackThis v1.98.2
Scan saved at 3:58:25 PM, on 9/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32 Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\MasterX\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094402088846

Besttechie Posted September 7, 2004

Ok, you look clean now. Just do one thing: put HJT in a permanent folder, for example:

C:\HijackThis\HijackThis.exe

This way you can make backups.

Now you are clean.

B

StealthG Posted September 7, 2004

I thank you both!

Besttechie Posted September 7, 2004

No Prob. Glad to help.

B

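Added example, not part of any post in this thread: the helpers confirm each fix by asking for a fresh HijackThis log and reading it against the previous one. The Python sketch below does that comparison on excerpts of the 2:50:31 PM and 8:18:32 PM logs above; the function names are illustrative, and the line pattern is an assumption based on the entries shown in this thread.

```python
import re

# A HijackThis item line is "<section code> - <entry>", e.g. "O4 - HKLM\..\Run: ...".
# Header and "Running processes" lines do not match and are skipped.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Return the set of (section, entry) pairs in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries

def diff_scans(before, after):
    """Compare two scans taken before and after a fix."""
    b, a = parse_entries(before), parse_entries(after)
    return {
        "removed": sorted(b - a),    # entries the fix got rid of
        "remaining": sorted(b & a),  # entries still present
        "new": sorted(a - b),        # entries that appeared since the last scan
    }

# Excerpts of two logs from this thread (trimmed for the example).
BEFORE = r"""
Running processes:
C:\WINDOWS\System32\cvss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [msbb] c:\windows\system32\msbb.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...30654e7b5354c8d
"""
AFTER = r"""
Running processes:
C:\WINDOWS\System32\cvss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
"""

if __name__ == "__main__":
    for status, items in diff_scans(BEFORE, AFTER).items():
        for section, entry in items:
            print(f"{status:9} {section:4} {entry}")
```

A non-empty `new` list after a fix is the situation the first post describes, where more items show up after every reboot.
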