troubles again


5 replies to this topic

#1 ronss

ronss

    Active Member

  • Active Members
  • 29 posts

Posted 25 February 2004 - 08:56 AM

hi
have downloaded something that keeps getting files showing up on spybot - believe it was net ants download manager. here is my hijackthis file. have deleted a couple of files, anything else look suspicious?
This v1.97.7
Scan saved at 1:51:19 AM, on 2/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\dp-k13w13.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\wpabaln.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-k13w13.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8041.0878472222

#2 Metallica

Metallica

    One of the Best !

  • Malware Experts
  • 324 posts

Posted 25 February 2004 - 09:16 AM

Hi ronss,

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-k13w13.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

Then reboot and delete:
C:\Program File\INCREDIFIND <= entire folder
C:\Program Files\AutoUpdate <= entire folder
C:\Program Files\Common files\updater\wupdater.exe

Regards,

Pieter

#3 ronss

ronss

    Active Member

  • Active Members
  • 29 posts

Posted 25 February 2004 - 09:24 AM

pieter

thanks, thought there was a bunch of junk there. i tried to un-install net ants, won't let me. i'll see what happens. later

#4 ronss

ronss

    Active Member

  • Active Members
  • 29 posts

Posted 25 February 2004 - 09:41 AM

pieter

looks like it worked. i ran spybot and adaware, no entries this time. cannot uninstall net ants download manager, get message - missing entry win/32
-service run/dll. sort of odd why this software will not let me uninstall it from add/remove programs on win xp. anywhere i can delete this, would it be in the wind\system\32 files or regedit files???

#5 Hunter

Hunter

    The Flying Dutchman

  • General Admin
  • 12,465 posts

Posted 25 February 2004 - 01:52 PM

QUOTE (ronss @ Feb 25 2004, 04:41 AM)
pieter

looks like it worked. i ran spybot and adaware, no entries this time. cannot uninstall net ants download manager, get message - missing entry win/32
-service run/dll. sort of odd why this software will not let me uninstall it from add/remove programs on win xp. anywhere i can delete this, would it be in the wind\system\32 files or regedit files???

At which time I will give a suggestion for the future. When you finally get a hijacklog that appears to be clean of everything you do not want on your PC..then save it as a baseline. Then when you run hijack again you can use it as a comparison.

Hijackthis is more a diagnostic tool than it is a removal tool when you download another program that has a spyware component in it that you do not want. :)

Authors of those programs many times have bundled in them those components to make their $$$. Uninstall them first (with add/remove) before you try to hack out the spyware and things will go easier for you.

Therefore, if you download a program on purpose or by mistake..also first keep a copy of everything you do have in the add/remove before that happens.

Then if you see in your new hijacklog something strange..First thing you SHOULD do is go to your add/remove and see if you have a new entry before you start using ADAWARE, SPYBOT S and D, or even your Hijackthis to clean.

If there is..then start asking around if it is shareware or contains spyware that you now see on the hijack log.

Use the add/remove first to get rid of the entire program. If you do not you will end up with problems uninstalling it.


One thing you could try in the future is a free program called Total Uninstall. But this will not help you on your current problem. That is one reason most of us tell members to post their log before they start deleting entries.


***************************

Total Uninstall
OS: Win95, Win98, WinMe, WinNT, Win2000, WinXP.
Total Uninstall can help you to monitor any changes that were made to your system during installation of a new software product and allow you to perform a complete uninstall without having to rely on the supplied uninstall program (which may leave files or changes behind). To use it, you simply launch the installation program from the Total Uninstall interface and select the system areas to be monitored. The program will then create a snapshot of your system before it installs the new software and an additional snapshot after install completes. It then compares the two snapshots and displays all changes in a graphical tree view, marking all values and/or files that have been added or changed as well as some before/after details. Total Uninstall will save these changes and if you decide to uninstall the application, it will reverse all changes to the previous state.



http://www.geocities...s/projects.html
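
Added example (not part of the original thread, and not code from HijackThis or Total Uninstall): the baseline comparison suggested in the post above, as a small Python script that diffs the registry and browser entries of two saved HijackThis logs. The function names and the two sample logs are assumptions made for illustration; the sample entries are taken from the log posted in this thread.

```python
import re

# HijackThis entry lines start with a section code (R0-R3, F0-F3, N1-N4, O1...).
ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Map a normalized (section, detail) key to the entry line as logged.
    Header text and the 'Running processes' list carry no section code and are
    skipped. Keys are lower-cased: Windows paths and value names ignore case."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            detail = " ".join(m.group(2).split())  # collapse stray whitespace
            entries[(m.group(1), detail.lower())] = f"{m.group(1)} - {detail}"
    return entries

def compare(baseline_text, current_text):
    """Return (added, removed) entry lines, ordered by section code."""
    base, cur = parse_entries(baseline_text), parse_entries(current_text)
    order = lambda k: (k[0][0], int(k[0][1:]), k[1])
    added = [cur[k] for k in sorted(cur.keys() - base.keys(), key=order)]
    removed = [base[k] for k in sorted(base.keys() - cur.keys(), key=order)]
    return added, removed

# Constructed sample logs, built from entries quoted in this thread.
BASELINE = r"""(constructed sample: known-clean log)
Running processes:
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
"""
CURRENT = r"""(constructed sample: log taken after installing new software)
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\dp-k13w13.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-k13w13.exe
O4 - HKLM\..\Run: [nav agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)
"""

if __name__ == "__main__":
    added, removed = compare(BASELINE, CURRENT)
    for line in added:
        print("NEW     ", line)
    for line in removed:
        print("MISSING ", line)
```

Entries reported as NEW are the ones to check against the add/remove list before cleaning anything; MISSING entries show what a removal or uninstall actually took out.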

#6 Hunter

Hunter

    The Flying Dutchman

  • General Admin
  • 12,465 posts

Posted 25 February 2004 - 02:12 PM

But for your immediate problem you could try this...reinstall that NetANT again from the same place you found it..and then use the add/remove to get rid of it First. That might clear it all up since they do support this type of uninstall.


Here is some more information for you that will also help in the future.

******************

Here is a very good review of all the download managers if you really want one


Review of download managers

http://www.safer-net...wnload-managers


But for your NetAnts...

NetAnts (1.25, spyware-infected)
Not only that the NetAnts interface looks more complicated to use than most other tested download managers, it is infected with Cydoor.

http://www.safer-net...eats&detail=191


NetAnts 1.25
http://www.download....se-file-427.htm


NOTE:

Adware
These programs don't cost a penny. The developers support their programs by placing advertisements inside their programs. If you appreciate the work done by these dedicated authors, do them a favor and check out their sponsors. The majority of adware authors have advertisement-free versions of their software available for a small fee. The ads serve as a revenue source for the author, which allows them to stretch their program and update more frequently. A few companies are frequently associated with Adware programs

