Author Topic: I need a hand  (Read 5659 times)

February 26, 2005, 12:13:53 PM
Read 5659 times

LowCrawler

  • Reserved Slot
  • Onos

  • Offline
  • ***

  • 519
    • View Profile
the following is my hijackthis log.

i have been getting some high pings and low fps... i switched to firefox and im told hijackthis works, where adaware does not.

so here ya go... i need to know what to keep and what to kill.
Thanks, I know its alot

Logfile of HijackThis v1.99.1
Scan saved at 12:57:09 PM, on 2/26/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\system32\mobsync.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINNT\system32\desktop.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jimmy Jr\Desktop\HijackThis.exe
C:\Documents and Settings\Jimmy Jr\Local Settings\Temporary Internet Files\Content.IE5\ODAB89QB\Firefox%20Setup%201.0.1[1].exe
C:\DOCUME~1\JIMMYJ~1\LOCALS~1\Temp\7zS13E.tmp\setup.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Microsoft Synchronization Manager] syswin.exe
O4 - HKLM\..\Run: [Sysmon] msnmssgs.exe
O4 - HKLM\..\Run: [RealVNC Setup] C:\WINNT\SYSTEM32\fmenass.exe
O4 - HKLM\..\Run: [vbndfer] C:\WINNT\SYSTEM32\ghnbv.exe
O4 - HKLM\..\Run: [work] c:\winnt\system32\etc\WORLD.exe
O4 - HKLM\..\Run: [Configuration Loader] msgfy.exe
O4 - HKLM\..\Run: [bdffefqes32] C:\WINNT\SYSTEM32\bdfx.exe
O4 - HKLM\..\Run: [hghjAccess] cvvwwe.exe
O4 - HKLM\..\Run: [ICQMsn] C:\WINNT\SYSTEM32\cbfks.exe
O4 - HKLM\..\Run: [ICQ] syscdd2.exe
O4 - HKLM\..\Run: [Mozilla Firefox v0.901] netconfig.exe
O4 - HKLM\..\Run: [NAV Live Update] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kl.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [NetworkStartup] net share IPC$ /delete /yes
O4 - HKLM\..\Run: [Secure] net share ADMIN$ /delete /yes
O4 - HKLM\..\Run: [Secure1] net share A$ /delete /yes
O4 - HKLM\..\Run: [Secure2] net share B$ /delete /yes
O4 - HKLM\..\Run: [Secure3] net share C$ /delete /yes
O4 - HKLM\..\Run: [Secure4] net share D$ /delete /yes
O4 - HKLM\..\Run: [Secure5] net share E$ /delete /yes
O4 - HKLM\..\Run: [Secure6] net share F$ /delete /yes
O4 - HKLM\..\Run: [Secure7] net share G$ /delete /yes
O4 - HKLM\..\Run: [Secure8] net share H$ /delete /yes
O4 - HKLM\..\Run: [Secure9] net share I$ /delete /yes
O4 - HKLM\..\Run: [Secure10] net share J$ /delete /yes
O4 - HKLM\..\Run: [Secure11] net share K$ /delete /yes
O4 - HKLM\..\Run: [Secure12] net share L$ /delete /yes
O4 - HKLM\..\Run: [Secure13] net share M$ /delete /yes
O4 - HKLM\..\Run: [Secure14] net share N$ /delete /yes
O4 - HKLM\..\Run: [Secure15] net share O$ /delete /yes
O4 - HKLM\..\Run: [Secure16] net share P$ /delete /yes
O4 - HKLM\..\Run: [Secure17] net share Q$ /delete /yes
O4 - HKLM\..\Run: [Secure18] net share R$ /delete /yes
O4 - HKLM\..\Run: [Secure19] net share S$ /delete /yes
O4 - HKLM\..\Run: [Secure20] net share T$ /delete /yes
O4 - HKLM\..\Run: [Secure21] net share U$ /delete /yes
O4 - HKLM\..\Run: [Secure22] net share V$ /delete /yes
O4 - HKLM\..\Run: [Secure23] net share W$ /delete /yes
O4 - HKLM\..\Run: [Secure24] net share X$ /delete /yes
O4 - HKLM\..\Run: [Secure25] net share Y$ /delete /yes
O4 - HKLM\..\Run: [Secure26] net share Z$ /delete /yes
O4 - HKLM\..\Run: [InfoPenMSN] C:\Program Files\InfoKing\InfoPenMSN\Pro\InfoPenIM.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ssdiag] C:\WINNT\ssdiag.exe
O4 - HKLM\..\Run: [Srv32Win] C:\winnt\SpyAgent4.exe
O4 - HKLM\..\Run: [desktop] C:\WINNT\system32\desktop.exe
O4 - HKLM\..\RunServices: [Microsoft Synchronization Manager] syswin.exe
O4 - HKLM\..\RunServices: [Sysmon] msnmssgs.exe
O4 - HKLM\..\RunServices: [Configuration Loader] msgfy.exe
O4 - HKLM\..\RunServices: [ICQ] syscdd2.exe
O4 - HKLM\..\RunServices: [Mozilla Firefox v0.901] netconfig.exe
O4 - HKLM\..\RunServices: [Windows Explorer] Explorer .exe
O4 - HKCU\..\Run: [Microsoft Synchronization Manager] syswin.exe
O4 - HKCU\..\Run: [Sysmon] msnmssgs.exe
O4 - HKCU\..\Run: [ICQ] syscdd2.exe
O4 - HKCU\..\Run: [Mozilla Firefox v0.901] netconfig.exe
O4 - HKCU\..\Run: [Configuration Loader] msgfy.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_aac.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon.net/update/msnwebinsta...es/vzWebIns.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINNT\SYSTEM32\DNTUS26.EXE
O23 - Service: DameWare Mini Remote Control (DWMRCS) - Unknown owner - C:\WINNT\SYSTEM32\DWRCS.EXE (file missing)
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Program Files\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program Files\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: siService (Serv-U) - Unknown owner - c:\winnt\addins\data\inf\home\msi\siService.exe


February 26, 2005, 12:53:51 PM
Reply #1

Clashen

  • Legacy Reserved
  • Onos

  • Offline
  • ***

  • 612
    • View Profile
    • http://
that's a pretty long list dude.

EDIT: Oh, and google for the things you don't recognize and you'll find out if it's bad or not.
« Last Edit: February 26, 2005, 12:55:18 PM by Clashen »
<snip>, your sig image is, or rather was i suppose, 48kb, max size is 22kb. - DHP
<zing>, your mom is, or rather was i suppose, 200kg, max size is 100kg LOL - clashen

February 26, 2005, 01:11:06 PM
Reply #2

LowCrawler

  • Reserved Slot
  • Onos

  • Offline
  • ***

  • 519
    • View Profile
see thats just the thing... lownub recognizes none of it.

February 26, 2005, 01:16:15 PM
Reply #3

devicenull

  • Legacy Admin
  • Marine

  • Offline
  • ****

  • 904
    • View Profile
Researcing your items.  Run SpyBot S&D and Ad-Aware in the mean time

February 26, 2005, 01:49:19 PM
Reply #4

LowCrawler

  • Reserved Slot
  • Onos

  • Offline
  • ***

  • 519
    • View Profile
thank you very much, i owe you one dev.

i also learned of something just now...

a neighbor of mine recently bought a connection and is using the same router as mine, just a few yards away... if they are on the same wireless frequency, that could cause interference, thus lag and choke, no?

February 26, 2005, 02:11:01 PM
Reply #5

devicenull

  • Legacy Admin
  • Marine

  • Offline
  • ****

  • 904
    • View Profile
Lowcrawler, could you get on aim or IRC next time you have a chance?  There's a few things installed that I'd like to get a copy of, and I need to go through some things with you.  You can AIM me at darkmage4321, or PM me on IRC.  I'm still writing up removal instructions, but there's some stuff (config files, etc) that would be left behind.

IRC/AIM would be the best way to do this.

Edit: Its possible that the wireless things could be interfearing, but thats the least of your problems right now (Your system has a number of trojans installed, but nothing I can't handle)
« Last Edit: February 26, 2005, 02:29:16 PM by devicenull »

February 26, 2005, 02:49:25 PM
Reply #6

devicenull

  • Legacy Admin
  • Marine

  • Offline
  • ****

  • 904
    • View Profile
If you have antivirus running, disable it.  If you have system restore enabled, disable it.

First off, were you running firefox setup when you ran hijack this?
If not, check the box next to this:
C:\Documents and Settings\Jimmy Jr\Local Settings\Temporary Internet Files\Content.IE5\ODAB89QB\Firefox%20Setup%201.0.1[1].exe

Are you running GMail notifier? If not, check the box next to this:
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe


Next, check the boxes next to these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R3 - Default URLSearchHook is missing

Open up task manager, goto processes, end any of these if they are running:
syswin.exe
syswin.dll
syswin32.dll
msnmssgs.exe
fmenass.exe
ghnbv.exe
msgfy.exe
bdfx.exe
cvvwwe.exe
cbfks.exe
syscdd2.exe
netconfig.exe
desktop.exe
DNTUS26.EXE
Wsock32.exe
G.exe
SS.exe
an.exe
World.exe
Mr.exe
b.b
Copy.exe
op.b
or.b
Won.exe
rfcg.ini
h1d.bat
ch.ex
x.bat
xx.bat
SpyAgent4.exe

Make a new folder, spyware, where ever you want.
Navigate to C:\winnt\System32, copy the following files to the spyware folder:
syswin.exe
syswin.dll
syswin32.dll
msnmssgs.exe
fmenass.exe
ghnbv.exe
msgfy.exe
bdfx.exe
cvvwwe.exe
cbfks.exe
syscdd2.exe
netconfig.exe
desktop.exe
DNTUS26.EXE

Then delete them from C:\winnt\system32

Navigate to C:\winnt\, copy the following to the spyware folder:
SpyAgent4.exe

Then delete them.


Navigate to C:\winnt\System32\etc:
Copy these files to the spyware folder.
Wsock32.exe
G.exe
SS.exe
an.exe
World.exe
Mr.exe
b.b
Copy.exe
op.b
or.b
Won.exe
rfcg.ini
h1d.bat
ch.ex
x.bat
xx.bat

Then delete them from C:\Windows\System32.  If there's any other files there, tell me the filenames, otherwise, delete the directory.

Naviagate to c:\winnt\addins\data\inf\home\msi:
Copy all files to the spyware folder, then give me a list of what files were here.

Check the boxes next to the following items:
O4 - HKLM\..\Run: [Microsoft Synchronization Manager] syswin.exe
O4 - HKLM\..\Run: [Sysmon] msnmssgs.exe
O4 - HKLM\..\Run: [RealVNC Setup] C:\WINNT\SYSTEM32\fmenass.exe
O4 - HKLM\..\Run: [vbndfer] C:\WINNT\SYSTEM32\ghnbv.exe
O4 - HKLM\..\Run: [work] c:\winnt\system32\etc\WORLD.exe
O4 - HKLM\..\Run: [Configuration Loader] msgfy.exe
O4 - HKLM\..\Run: [bdffefqes32] C:\WINNT\SYSTEM32\bdfx.exe
O4 - HKLM\..\Run: [hghjAccess] cvvwwe.exe
O4 - HKLM\..\Run: [ICQMsn] C:\WINNT\SYSTEM32\cbfks.exe
O4 - HKLM\..\Run: [ICQ] syscdd2.exe
O4 - HKLM\..\Run: [Mozilla Firefox v0.901] netconfig.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [NetworkStartup] net share IPC$ /delete /yes
O4 - HKLM\..\Run: [Secure] net share ADMIN$ /delete /yes
O4 - HKLM\..\Run: [Secure1] net share A$ /delete /yes
O4 - HKLM\..\Run: [Secure2] net share B$ /delete /yes
O4 - HKLM\..\Run: [Secure3] net share C$ /delete /yes
O4 - HKLM\..\Run: [Secure4] net share D$ /delete /yes
O4 - HKLM\..\Run: [Secure5] net share E$ /delete /yes
O4 - HKLM\..\Run: [Secure6] net share F$ /delete /yes
O4 - HKLM\..\Run: [Secure7] net share G$ /delete /yes
O4 - HKLM\..\Run: [Secure8] net share H$ /delete /yes
O4 - HKLM\..\Run: [Secure9] net share I$ /delete /yes
O4 - HKLM\..\Run: [Secure10] net share J$ /delete /yes
O4 - HKLM\..\Run: [Secure11] net share K$ /delete /yes
O4 - HKLM\..\Run: [Secure12] net share L$ /delete /yes
O4 - HKLM\..\Run: [Secure13] net share M$ /delete /yes
O4 - HKLM\..\Run: [Secure14] net share N$ /delete /yes
O4 - HKLM\..\Run: [Secure15] net share O$ /delete /yes
O4 - HKLM\..\Run: [Secure16] net share P$ /delete /yes
O4 - HKLM\..\Run: [Secure17] net share Q$ /delete /yes
O4 - HKLM\..\Run: [Secure18] net share R$ /delete /yes
O4 - HKLM\..\Run: [Secure19] net share S$ /delete /yes
O4 - HKLM\..\Run: [Secure20] net share T$ /delete /yes
O4 - HKLM\..\Run: [Secure21] net share U$ /delete /yes
O4 - HKLM\..\Run: [Secure22] net share V$ /delete /yes
O4 - HKLM\..\Run: [Secure23] net share W$ /delete /yes
O4 - HKLM\..\Run: [Secure24] net share X$ /delete /yes
O4 - HKLM\..\Run: [Secure25] net share Y$ /delete /yes
O4 - HKLM\..\Run: [Secure26] net share Z$ /delete /yes
O4 - HKLM\..\Run: [Srv32Win] C:\winnt\SpyAgent4.exe
O4 - HKLM\..\Run: [desktop] C:\WINNT\system32\desktop.exe
O4 - HKLM\..\RunServices: [Microsoft Synchronization Manager] syswin.exe
O4 - HKLM\..\RunServices: [Sysmon] msnmssgs.exe
O4 - HKLM\..\RunServices: [Configuration Loader] msgfy.exe
O4 - HKLM\..\RunServices: [ICQ] syscdd2.exe
O4 - HKLM\..\RunServices: [Mozilla Firefox v0.901] netconfig.exe
O4 - HKCU\..\Run: [Microsoft Synchronization Manager] syswin.exe
O4 - HKCU\..\Run: [Sysmon] msnmssgs.exe
O4 - HKCU\..\Run: [ICQ] syscdd2.exe
O4 - HKCU\..\Run: [Mozilla Firefox v0.901] netconfig.exe
O4 - HKCU\..\Run: [Configuration Loader] msgfy.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development LLC - C:\WINNT\SYSTEM32\DNTUS26.EXE
O23 - Service: DameWare Mini Remote Control (DWMRCS) - Unknown owner - C:\WINNT\SYSTEM32\DWRCS.EXE (file missing)
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINNT\svchost.exe (file missing)
O23 - Service: siService (Serv-U) - Unknown owner - c:\winnt\addins\data\inf\home\msi\siService.exe

Now press the "Fix Checked" button

Next, add everything in the spyware folder to a zip, with a password of "spyware", then send it to darkmageATsnet.net

Delete the folder, but save the zip file until I confirm I have it.

Empty the trash.

Reboot.
Download Avast! Antivirus, www.avast.com
Install Avast, preform a database update (Right click its icon in the tray, Updating, iAVS Update)
Then run a full scan.
Download The Cleaner, www.moosoft.com/products/cleaner/download/
Install it, and preform a system scan.  Remove whatever it finds.

Reboot again, run HiJack This again, and post a new log.
« Last Edit: February 26, 2005, 02:55:39 PM by devicenull »

February 26, 2005, 06:20:39 PM
Reply #7

LowCrawler

  • Reserved Slot
  • Onos

  • Offline
  • ***

  • 519
    • View Profile
thanks a whole lot pal, PM me when you need me on IRC or AIM...

i use yahoo but i can install AIM if i must.

im working on doing what you wrote so far.

February 26, 2005, 06:24:07 PM
Reply #8

devicenull

  • Legacy Admin
  • Marine

  • Offline
  • ****

  • 904
    • View Profile
Following those directions is pretty much what I'd have you do, I'd just give you a better way to give me directory listings
(dir /b >dir.txt) in dos, under the current directory

I'm on IRC now if you need help with any of it

February 27, 2005, 11:40:41 PM
Reply #9

SwiftSpear

  • Legacy Reserved
  • HA Marine

  • Offline
  • *****

  • 1161
    • View Profile
    • my site
dev/null, you are a god amoung men.
<------OOOooooOOOoo, Hyperlink!
Final Hope Faith, COME ONE COME ALL

February 28, 2005, 12:10:26 AM
Reply #10

Vinegar Ninja

  • Legacy Admin
  • Onos

  • Offline
  • ***
  • The one and only!

  • 701
  • Personal Text
    Now with 100% less angst!
    • STEAM_0:0:15737634
    • View Profile
heh, thanks to devnub, I know how to haxx0r up my schools computers. The mans crazy.

March 03, 2005, 09:27:31 AM
Reply #11

LowCrawler

  • Reserved Slot
  • Onos

  • Offline
  • ***

  • 519
    • View Profile
well we made the haxors angry.

after we cleaned out my system, with the help of the lovely devnull who is a great man,
i went to bed. The next day, i turned on my computer, and let it boot up and 0-o... steam didnt cmoe up..

so i click it.

and the desktop freezes.


so i do taskmanager.
and then the keyboard freezes...

so i start>run>taskmanager
and the start bar freezes.

my clock even stopped at this point.

so i reboot.
same story.

so i reload windows... and in the first few minutes of being on the interwab, because i was unable to have updated antivirus or windows update, my computer becomes haxord again.
so we're back at square one.


say lah vee