Solved

680180.net Hijack help

Posted on 2004-08-05
7
2,531 Views
Last Modified: 2013-12-04
I ahev ran Adaware, Spybot, and Trend Micro's products to clean this system over and over again and each time I reboot it comes back. Any hel or suggestions would be greatly appreciated. Here is the Mijckthis log

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\OfficeScan NT\ntrtscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\OfficeScan NT\ofcdog.exe
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\CTHELPER.EXE
C:\WINNT\goidr.exe
C:\WINNT\system32\keyword.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\RUNDLL32.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\SCANJET\PrecisionScan\hpppt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\administrator.TOF\Desktop\HijackThis1980.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: Recommended Hotfix - {0421701D-CF13-4E70-ADF0-45A953E7CB8B} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SDWin32 Class - {13672C82-7E3F-417B-9087-878F35A80903} - C:\WINNT\system32\nstro.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\downloaded program files\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\downloaded program files\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [nstroc] C:\WINNT\system32\nstroc.exe
O4 - HKLM\..\Run: [stcloader] C:\WINNT\system32\stcloader.exe
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [goidr] C:\WINNT\goidr.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINNT\aqadcup.exe
O4 - HKLM\..\Run: [version] C:\WINNT\system32\manage.exe
O4 - HKLM\..\Run: [WinEssential] C:\WINNT\system32\keyword.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Parallel Port Test.lnk = C:\SCANJET\PrecisionScan\hpppt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = TOF
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = TOF
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = TOF
O20 - AppInit_DLLs: NVDESK32.DLL
0
Comment
Question by:kevinlw1974
  • 4
  • 2
7 Comments
 
LVL 65

Accepted Solution

by:
SheharyaarSaahil earned 500 total points
ID: 11730382
Hello kevinlw1974 =)

First Download these tools and install Adaware and Spybot:
========================================================
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
ToolBar Cop >> http://www.mvps.org/sramesh2k/toolbarcop.htm
Stinger >> http://vil.nai.com/vil/stinger
========================================================
then TURN OFF UR SYSTEM RESTORE >> http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405
then fix the following entries in hijakchtis !!

========================================================
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: Recommended Hotfix - {0421701D-CF13-4E70-ADF0-45A953E7CB8B} - (no file)
O2 - BHO: SDWin32 Class - {13672C82-7E3F-417B-9087-878F35A80903} - C:\WINNT\system32\nstro.dll
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [nstroc] C:\WINNT\system32\nstroc.exe
O4 - HKLM\..\Run: [stcloader] C:\WINNT\system32\stcloader.exe
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [goidr] C:\WINNT\goidr.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINNT\aqadcup.exe
O4 - HKLM\..\Run: [version] C:\WINNT\system32\manage.exe
O4 - HKLM\..\Run: [WinEssential] C:\WINNT\system32\keyword.exe
====================================================================
then.....

1. Restart ur machine
2. Boot into safemode and Login as Administrator
3. Run the AntiVirus tool and delete all viruses it found
4. Run the Spyware Removal tools and delete everything they detect
5. Then goto C:\Documents and Settings\ur usernmae\Local Settings\Temp and delete all files present here
6. Goto C:\Documents and Settings\ur usernmae\Local Settings\Temporary Internet Files, and delete the folder of ContentIE
7. Goto C:\Documents and Settings\ur usernmae\Cookies, and delete all cookies present here.
8. Reboot back in Normal Mode and check if problems are gone
9. If YES then Great, otherwise Create a New user and check there for the popups problems..... post back the results !!

!! Good Luck !!
0
 

Author Comment

by:kevinlw1974
ID: 11730946
Thanks...I am trying that now.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11730953
hmmmmmmm, good luck  :)
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 

Author Comment

by:kevinlw1974
ID: 11731549
Thanks that worked. That was driving me crazy and saved me a rebuild.
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11731590
great ^_^
0
 
LVL 21

Expert Comment

by:pinaldave
ID: 11744634
hello SheharyaarSaahil
Your answers are wonderful . I refer them so much. You are true genious. I usually contribute in the area of ColdFusion.
Regards,
---Pinal
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 11747025
thanx Pinal for these kind words =)
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
OfficeMate Freezes on login or does not load after login credentials are input.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
In a recent question (https://www.experts-exchange.com/questions/28997919/Pagination-in-Adobe-Acrobat.html) here at Experts Exchange, a member asked how to add page numbers to a PDF file using Adobe Acrobat XI Pro. This short video Micro Tutorial sh…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question