#1  February 9th, 2005, 04:16 AM
Jintan (Cyber Tech Help Moderator; Join Date: Dec 2004; Posts: 52,084)
IE redirect to msn.search and pc is slow.

Hello.
I ran Ad-Aware and SpyBot from safe mode, and they were able to eliminate a few hundred items, from Alexa to dialers to miners. No finds of Coolwebsearch running CWShredder. I did switch my friend's IE home page from www.puertorico.com to the default about:blank option - it was only being redirected to 72.20.25.206 before that, regardless of what was in the address bar. Couldn't get to Grisoft for AVG or TrendMicro for Housecall. I saved the Hijack log to floppy and am using my connection to send this (brought my friend's PC home but I only have one monitor and phone line). All suggestions will be appreciated - Boy Scout's honor I will follow whatever is outlined.

Logfile of HijackThis v1.99.0
Scan saved at 9:38:59 PM, on 2/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\MDT.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\neomonap23.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\TOM UTIL 2-5\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink Network, Inc.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\TOMUTI~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [MOJNPluginSrIvcs] neomonap23.exe
O4 - HKLM\..\Run: [REGRUN] C:\MDT.exe
O4 - HKLM\..\RunServices: [MOJNPluginSrIvcs] neomonap23.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\TOM UTIL 2-5\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MOJNPluginSrIvcs] neomonap23.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1057.dll,InstantAccess
O4 - Global Startup: Gateway.net 5.0 Tray Icon.lnk = C:\Gateway.net 5.0a\gwtray.exe
O4 - Global Startup: Organize Quick & Easy 5.0.lnk = C:\Program Files\Organize Quick & Easy 5.0\Organize.exe
O4 - Global Startup: Watch.lnk = C:\Program Files\DC Series 1\Console\Watch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
#2  February 9th, 2005, 07:32 AM
Pancake (CTH Subscriber; Join Date: Jan 2004; Location: Australia; Posts: 11,317)
Hi
Run hjt and remove these items from the log....

O4 - HKLM\..\Run: [MOJNPluginSrIvcs] neomonap23.exe
O4 - HKLM\..\Run: [REGRUN] C:\MDT.exe
O4 - HKLM\..\RunServices: [MOJNPluginSrIvcs] neomonap23.exe
O4 - HKCU\..\Run: [MOJNPluginSrIvcs] neomonap23.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1057.dll,InstantAccess
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


In safe mode, delete these files from your drive. Also go into HijackThis->Config->Misc. Tools->Open process manager. Select the EXE and click Kill process if listed.
C:\WINDOWS\System32\neomonap23.exe
EGDACCESS_1057.dll
C:\MDT.exe
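A small log-triage helper in the spirit of Pancake's advice, added here as an example; it is not part of the thread and not HijackThis's own code. It parses the O4 autostart lines and the "Running processes" list of a HijackThis log, flags the patterns visible in this log (one value name registered under several Run keys, rundll32 loading a DLL by bare name, an executable sitting in the drive root), notes whether each flagged target is currently running, and lists the O6 policy lines. The sample log is a constructed, shortened excerpt of the one posted above, and the flagging rules are my own heuristics, not HijackThis's.

```python
import re
from collections import defaultdict
# Constructed, shortened excerpt of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\MDT.exe
C:\WINDOWS\System32\neomonap23.exe
C:\WINDOWS\System32\rundll32.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MOJNPluginSrIvcs] neomonap23.exe
O4 - HKLM\..\Run: [REGRUN] C:\MDT.exe
O4 - HKLM\..\RunServices: [MOJNPluginSrIvcs] neomonap23.exe
O4 - HKCU\..\Run: [MOJNPluginSrIvcs] neomonap23.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1057.dll,InstantAccess
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""
# O4 line layout: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

def running_processes(log):
    """Lower-cased basenames listed under 'Running processes:'."""
    lines = log.splitlines()
    procs = set()
    for line in lines[lines.index("Running processes:") + 1:]:
        if re.match(r"^[A-Z]\d+ - ", line):   # first R0/O2/O4... line ends the process list
            break
        procs.add(line.rsplit("\\", 1)[-1].lower())
    return procs

def triage(log):
    """Return ({value name: set of reasons}, [O6 policy lines]); own heuristics."""
    procs = running_processes(log)
    entries = [m.groupdict() for m in map(O4_RE.match, log.splitlines()) if m]
    keys = defaultdict(set)          # value name -> autostart keys it is registered under
    for e in entries:
        keys[e["name"]].add(e["hive"] + "\\" + e["key"])
    findings = defaultdict(set)
    for e in entries:
        m = re.match(r'"([^"]+)"|(\S+)', e["cmd"])     # quoted path or first token
        exe, arg = (m.group(1) or m.group(2)), e["cmd"][m.end():].strip()
        reasons = set()
        if len(keys[e["name"]]) > 1:  # same name under HKLM Run, RunServices and HKCU Run
            reasons.add("registered in %d autostart keys" % len(keys[e["name"]]))
        if exe.lower() == "rundll32.exe" and "\\" not in arg:
            reasons.add("rundll32 loads a DLL by bare name: " + arg.split(",")[0])
        if re.fullmatch(r"[A-Za-z]:\\[^\\]+", exe):    # e.g. C:\MDT.exe in the drive root
            reasons.add("executable stored in the drive root")
        if reasons and exe.rsplit("\\", 1)[-1].lower() in procs:
            reasons.add("currently running: kill it in the HijackThis process manager first")
        if reasons:
            findings[e["name"]] |= reasons
    return dict(findings), [l for l in log.splitlines() if l.startswith("O6 - ")]
```

Run `triage(SAMPLE_LOG)` to see the three entries Pancake singled out flagged, with [SystemTray] left alone; the quoted-path handling also covers entries such as the msmsgs.exe line in the full log.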
#3  February 10th, 2005, 11:08 PM
Jintan (Cyber Tech Help Moderator; Join Date: Dec 2004; Posts: 52,084)
Thanks. Did what you suggested. Those ideas on removing HKCU Control Panel and Restrictions registry entries made sense as soon as you pointed them out. Had to give him his pc back due to work schedules. Grateful.