Guide to Removing and Preventing Spyware/Adware/Hijacking/Viruses

Page 18

Schadenfroh

Elite Member
Mar 8, 2003
Hello cohenfive,

Before you do anything
1. Make sure that you have extracted HiJackthis to a folder that is isolated before removing anything, for hijackthis makes backups within the folder it is in.
2. Disable system restore, malware can come back through it.
3. Reboot into safe mode.
4. Close all browsers/windows explorer.

fix the following in HijackThis (kill the process in the process viewer if it's there)
  • R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
  • O1 - Hosts: com
  • O1 - Hosts: com
  • O1 - Hosts: .com
  • O1 - Hosts: .com
  • O1 - Hosts: .com
  • O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - (no file)
  • O2 - BHO: CATLEvents Object - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - (no file)
  • O2 - BHO: CATLEvents Object - {ED5ABC42-8E4F-4C39-9972-F0CF619D672F} - C:\DOCUME~1\Owner\LOCALS~1\Temp\itnaagv.dat
  • O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
  • O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
  • O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
  • O4 - HKLM\..\Run: [*vgaanti] C:\WINDOWS\Help\starter\vgaanti.exe
  • O4 - HKLM\..\RunOnce: [*vgaanti] C:\WINDOWS\Help\starter\vgaanti.exe rerun
  • O4 - HKCU\..\Run: [TrayX] C:\WINDOWS\winppr32.exe /sinc
  • O4 - HKCU\..\RunOnce: [*WinLogon] C:\DOCUME~1\Owner\LOCALS~1\Temp\bkinst.exe ren time:1100300117
  • O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.c....com/prod/install.html
 

cohenfive

Senior member
Aug 30, 2002
Originally posted by: Schadenfroh
fix the following in HijackThis (kill the process in the process viewer if it's there)
  • O4 - HKLM\..\Run: [*vgaanti] C:\WINDOWS\Help\starter\vgaanti.exe
  • O4 - HKLM\..\RunOnce: [*vgaanti] C:\WINDOWS\Help\starter\vgaanti.exe rerun


OK, followed your instructions exactly but have one big problem.... One of the entries, the one I was most worried about, which constantly runs in the background and ties up the PC's resources, will not go away. I 'fixed' the following in HijackThis repeatedly but it's still there; not sure how that is. When I check my Task Manager I still have 53 processes running, including the dreaded 'vgaanti.exe'....

O4 - HKLM\..\RunOnce: [*vgaanti] C:\WINDOWS\Help\Starter\vgaanti.exe rerun

Any suggestions? I may also post a separate thread on this.

 

df96817

Member
Aug 31, 2004
Logfile of HijackThis v1.98.2
Scan saved at 2:17:22 PM, on 11/13/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\SpybotSD\TeaTimer.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SpybotSD\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\SpybotSD\TeaTimer.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.micros...site.cab?1098427568328
 

Battousai001

Senior member
Oct 27, 2004
Hi! I would like to ask for some assistance regarding HijackThis. My problem is not that big, but I'm just quite paranoid and skeptical about my newly installed Windows XP Pro.

Here's my story:
I had my PC installed with Windows XP Pro at my school (they offer a software installation service for licensed software). So I availed of the service and had my PC installed with WinXP Pro and other applications like Trend Micro OfficeScan antivirus. When I was about to pick up the CPU from the IT office of my school I saw a bunch of viruses and worms detected and I reported it to the IT personnel. I don't know if they removed it, but I just ignored it and decided to remove it myself when I got home. When I was about to clean my "newly" installed OS, I couldn't remove the viruses with the installed antivirus (OfficeScan Corporate Edition), so what I did is that I downloaded other antivirus software and just deleted the files that were infected. Because of that incident I started to think that maybe the IT personnel installed (on purpose) malicious software like malware that could send info from my computer to the school's server. I already installed plenty of anti-spyware, anti-malware and anti-virus on my system to ensure that it is clean. It's been almost a month since that time and my warfare against this nasty stuff has yet to be finished due to my final worry about those IT personnel getting info from my PC... BTW, before I brought my CPU for installation the IT personnel required me to format my hard drive (that means it was clean when I brought it in and had it installed), and all the worms, malware and viruses came from my school's network (or were installed by the IT personnel).

All of the anti-spyware, anti-virus and anti-malware already cleaned up my system, but sometimes Spy Sweeper detects spyware that keeps coming back (specifically Cydoor and Websearch toolbar).

I'm running SP2 already and here are the anti-spyware, anti-malware, firewall and anti-virus programs that are currently installed on my system:

- Ad-Aware
- Spybot Search and Destroy
- Avast Antivirus
- AntiVir
- ZoneAlarm
- Spy Sweeper
- SpywareBlaster
- Trend Micro OfficeScan

This is my HijackThis log file:

Logfile of HijackThis v1.98.2
Scan saved at 12:15:43 AM, on 11/15/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE <--- I think this is for the printer
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE <--- I think this is for the printer
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE <---- This is AntiVir
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe <---- This is OfficeScan
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe <---- This is OfficeScan
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\TEMP\XZEDE3.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\carpserv.exe <--- My modem
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Documents and Settings\admin\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.micros...site.cab?1096954996712
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840.../housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{23A09DE7-41D8-44BF-879B-FF6E4C4A92F2}: Domain = csb.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{23A09DE7-41D8-44BF-879B-FF6E4C4A92F2}: NameServer = 172.16.202.11,10.8.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{459D2BB9-AA6F-4F60-BB10-EC7DFE26DEEC}: NameServer = 202.81.160.6 202.81.160.7
 

Schadenfroh

Elite Member
Mar 8, 2003
hello Battousai001

I doubt the IT people intentionally put malware on your computer. What is more likely is that people bringing their laptops from home and plugging them in behind the firewall is causing the worms to be broadcast behind your school's firewall. Windows machines that are not up to date with all the updates from Microsoft to plug security holes do not help the situation either. If your school is using something to monitor your activities, they are not going to use something that would be classified as malware that the antivirus/spyware scanners would pick up; for example, my school uses WinVNC.

As for your malware infection, there are reasons that it could be returning.

1st. You have FlashGet installed; FlashGet installs Cydoor, similar to Kazaa Media Desktop in that respect. See PepiMK's review of download managers.

2nd. System Restore allows malware to return.

3rd. Machine has not updated through Windows Update for a while.

4th. Security software is not up to date (antivirus, antispyware, firewall, etc.)

Follow the following instructions to remove the malware,

Before you do anything
1. Make sure that you have extracted HiJackthis to a folder that is isolated before removing anything, for hijackthis makes backups within the folder it is in.
2. Disable system restore, malware can come back through it.
3. Reboot into safe mode.
4. Close all browsers/windows explorer.

fix the following in HijackThis (kill the process in the process viewer if it's there)
  • O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
  • O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
  • O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
  • O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
  • O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

Additional Steps

1. Clear your Temporary Files
2. Remove the following VIA instructions provided:
3. Restart into normal Windows

Notes
 

Tri335

Junior Member
Nov 13, 2004
Hopefully someone will have a solution to this problem:

For 3 days now my laptop has had a problem with Explorer. It's running Windows 2000 Workstation Pro, and for some reason I can't open any type of folder from my desktop or listing. This only happens with the folders, such as My Computer, My Documents, Search, etc., as I am still able to run programs. When I click on an icon such as My Computer, I get an Explorer error message that reads:

"Program Error: Explorer.exe has generated errors and will be closed by windows etc etc"

Once this happens, the desktop will go completely blank of icons and task bar as if it's refreshing itself, and then magically everything will appear again in a matter of seconds.

I've run AVG, Spy Sweeper, and Ad-Aware with no luck. None of them are picking up anything, so I'm clueless as to what the problem is. I took a HijackThis scan and got the following log:

Logfile of HijackThis v1.97.7
Scan saved at 4:46:07 PM, on 11/13/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\PRISMSTA.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
C:\WINNT\system32\ntvdm.exe
C:\Program Files\America Online 7.0\waol.exe
C:\WINNT\sllights.exe
C:\Program Files\mIRC\mirc.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.findin.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BHO - {06CAD548-14DD-4fa3-9EA9-05F83C18CBD7} - C:\WINNT\system32\mspxs32.dll
O2 - BHO: (no name) - {193FF3B5-F2EC-7143-05A3-086AA5519855} - C:\WINNT\sysmg.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {EA7FA13F-CB5D-4478-ADD9-4627A31B539C} - C:\WINNT\system32\fih.dll
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\System32\msbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.tl81.com
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.micros...l.CAB?37419.4133796296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com...cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C5F5B308-DBDA-4FCF-84C0-6052FF86AC15}:


Any help would be greatly appreciated, since no one else seems to know what my problem is. : (
 

cohenfive

Senior member
Aug 30, 2002
Originally posted by: Schadenfroh
Originally posted by: cohenfive
Originally posted by: Schadenfroh
get rid of it

Sorry for being dense, but how would you suggest I get rid of it? Thanks..

Check the other thread; this thread may help.

Killed it with KillBox. Not sure why I still have 50 processes running, but the PC's performance is back to where it should be....

One last question: should I keep the System Restore function off permanently or put it back on once I've cleaned everything? I plan on redoing this periodically now and will continue to run Ad-Aware and Spybot weekly after our automatic scan with Norton runs...

Thanks for all the help, I think I've learned a couple of good tricks here...
 

Battousai001

Senior member
Oct 27, 2004
Originally posted by: Schadenfroh
1st. You have FlashGet installed; FlashGet installs Cydoor, similar to Kazaa Media Desktop in that respect. See PepiMK's review of download managers.


Thanks! I'll get rid of FlashGet. I thought FlashGet was cleaner than Download Accelerator. Anyway, how will I know if my school's IT personnel aren't spying on or monitoring me? These entries are kind of suspicious:

O17 - HKLM\System\CCS\Services\Tcpip\..\{23A09DE7-41D8-44BF-879B-FF6E4C4A92F2}: Domain = csb.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{23A09DE7-41D8-44BF-879B-FF6E4C4A92F2}: NameServer = 172.16.202.11,10.8.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{459D2BB9-AA6F-4F60-BB10-EC7DFE26DEEC}: NameServer = 202.81.160.6 202.81.160.7

The "csb.edu" entry there is my school, plus the NameServer stuff is also quite suspicious. What would you suggest? HijackThis describes this as: "Windows uses several registry values as a help to resolve domain names into IP addresses. Hijacking these values can cause all programs that use the internet to be redirected to other pages for seemingly other reasons. New versions of Lop.com use this method, together with a (huge) list of cryptic domains." That is what HijackThis indicated for this entry...

Do you think that IT personnel are monitoring my activities? I also caught information being sent from my system to the school's network via ZoneAlarm the first time I installed a firewall and before I installed anti-spyware and anti-malware...

I also would like to ask how to totally clean my system. Is there a good HijackThis configuration? What I mean is, what are the things that are supposed to be running on a clean system when you run HijackThis? And lastly, what other entries do I have to fix in order to get a clean running system?

Thanks!
 

Schadenfroh

Elite Member
Mar 8, 2003
Battousai001

The "csb.edu" entry there is my school, plus the NameServer stuff is also quite suspicious.. what would you suggest?

Keep it; your net connection may get screwy if you fix it, and it would undo the work your IT people did on it.

Do you think that IT personnel are monitoring my activities?

Most likely they monitor everyone.

I also caught information being sent from my system to the school's network via ZoneAlarm the first time I installed a firewall and before I installed anti-spyware and anti-malware...
Most likely spyware trying to connect to its advertisers' servers. Like I said, I doubt your IT people have put backdoor trojans on your PC to monitor you.

I also would like to ask how to totally clean my system?
Slipstream Windows XP SP2 (with all the security updates) onto a Windows XP install CD, then format your computer and install Windows XP with SP2 and all the hotfixes on it before connecting to the network.

Is there a good HijackThis configuration? What I mean is, what are the things that are supposed to be running on a clean system when you run HijackThis?
Many non-malicious things are displayed in HijackThis; it is a manual tool and thus shows everything. Try sysinfo to look up specific entries.

And lastly, what other entries do I have to fix in order to get a clean running system?
If you followed my instructions, it is clean of malware. If you want some extra performance by removing unnecessary items, you might want to see the performance guide on www.schadentech.com
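The replies in this thread apply the same handful of rules to every log: autoruns and BHOs launching from a Temp directory, BHOs whose DLL is gone, O1 hosts-file entries, O10 Winsock entries, O15 Trusted Zone additions, and, in the exchange just above, whether the O17 NameServer values belong to the network the PC is actually on. The script below is an added example that applies those rules to a HijackThis log; it is not code from the thread, from HijackThis, or from any poster. The sample log is constructed from entries quoted on this page, the rule set is my own reading of what the replies treated as suspicious, and the `trusted_dns` list is an assumption the caller supplies.

```python
"""Triage a HijackThis log the way the replies in this thread do.

Added example: not code from the thread, from HijackThis, or from any of the
posters. The sample log below is constructed from entries quoted in the thread;
the rules are my own reading of what the replies treated as suspicious; the
trusted_dns list passed by the caller is an assumption about the network.
"""
import ipaddress
import re

# Constructed sample: lines copied from logs quoted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: com
O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - (no file)
O2 - BHO: CATLEvents Object - {ED5ABC42-8E4F-4C39-9972-F0CF619D672F} - C:\DOCUME~1\Owner\LOCALS~1\Temp\itnaagv.dat
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [*vgaanti] C:\WINDOWS\Help\starter\vgaanti.exe
O4 - HKCU\..\RunOnce: [*WinLogon] C:\DOCUME~1\Owner\LOCALS~1\Temp\bkinst.exe ren time:1100300117
O4 - HKCU\..\Run: [vernn16.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\vernn16.dll
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: *.searchmiracle.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{23A09DE7-41D8-44BF-879B-FF6E4C4A92F2}: NameServer = 172.16.202.11,10.8.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{459D2BB9-AA6F-4F60-BB10-EC7DFE26DEEC}: NameServer = 202.81.160.6 202.81.160.7
"""

ENTRY_RE = re.compile(r"^(?P<sec>R\d|O\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
BHO_RE = re.compile(r"^BHO: .*? - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
NS_RE = re.compile(r"NameServer = (?P<servers>.*)$")
TEMP_HINT = "\\temp\\"   # matches ...\Temp\... and ...\LOCALS~1\Temp\... once lower-cased


def flag_line(line, trusted_dns=()):
    """Return (severity, reason) for one log line, or None if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None                      # header, process list, blank line
    sec, body = m.group("sec"), m.group("body")

    if sec == "O1":                      # hosts-file redirection
        return ("high", "hosts file maps a name away from its real address")

    if sec == "O2":                      # Browser Helper Object
        b = BHO_RE.match(body)
        if b:
            path = b.group("path").lower()
            if path == "(no file)" or "(file missing)" in path:
                return ("medium", "BHO registered but its DLL is gone; dead registration worth fixing")
            if TEMP_HINT in path:
                return ("high", "BHO loaded from a Temp directory")

    if sec == "O4":                      # Run / RunOnce autostart
        r = RUN_RE.match(body)
        if r:
            name, key, cmd = r.group("name"), r.group("key"), r.group("cmd").lower()
            if TEMP_HINT in cmd:
                return ("high", f"autorun [{name}] launches from a Temp directory")
            if "regsvr32" in cmd and "/s" in cmd:
                return ("high", f"autorun [{name}] silently re-registers a DLL at every logon")
            if name.startswith("*"):
                # The '*' prefix is the documented RunOnce flag for "run even in Safe Mode":
                # it explains an entry that survives a Safe Mode cleanup attempt.
                return ("high" if key == "RunOnce" else "medium",
                        f"autorun [{name}] uses the '*' prefix that also fires in Safe Mode")

    if sec == "O10":                     # Winsock LSP chain
        return ("high", "Winsock LSP hijack; removing one entry by hand can break the chain")

    if sec == "O15":                     # IE Trusted Zone
        return ("medium", "site added to the IE Trusted Zone runs with relaxed restrictions")

    if sec == "O17":                     # per-interface DNS settings
        n = NS_RE.search(body)
        if n:
            unexpected = []
            for tok in re.split(r"[,\s]+", n.group("servers").strip()):
                try:
                    ip = ipaddress.ip_address(tok)
                except ValueError:
                    continue             # tolerate stray text in a pasted log
                if str(ip) not in trusted_dns:
                    unexpected.append(str(ip))
            if unexpected:
                kind = "private" if all(ipaddress.ip_address(u).is_private for u in unexpected) else "public"
                return ("info", f"resolver(s) {', '.join(unexpected)} ({kind}) are not in the trusted DNS list")

    return None


def triage(log_text, trusted_dns=()):
    """Return [(severity, line, reason), ...] for the lines worth acting on, in log order."""
    findings = []
    for line in log_text.splitlines():
        hit = flag_line(line, trusted_dns)
        if hit:
            findings.append((hit[0], line.strip(), hit[1]))
    return findings


if __name__ == "__main__":
    # Assumed: the school's resolvers from Battousai001's log are the ones this PC should use.
    for sev, line, why in triage(SAMPLE_LOG, trusted_dns=("172.16.202.11", "10.8.2.2")):
        print(f"[{sev:6}] {line}\n         -> {why}")
```

Run it as-is and the two O17 lines come out differently: the school resolvers are silent because they are in the trusted list, while the 202.81.160.x pair is reported as an unexpected public resolver. Pass an empty `trusted_dns` (the situation in the last post, where the PC has left the school network) and every per-interface NameServer is listed, which is the cue to check whether each interface is still in use. The `*`-prefix rule is what accounts for vgaanti.exe surviving a Safe Mode cleanup earlier in the thread: Windows documents the asterisk on a RunOnce value name as "run even in Safe Mode".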
 

Schadenfroh

Elite Member
Mar 8, 2003
cohenfive

one last question--should i keep the system restore function off permanently or put it back on once i've cleaned everything?

You can turn it back on, but create a new restore point of the clean system.

not sure why i still have 50 processes running but the pc's performance is back to where it should be...

Many of those are Windows services; see the performance guide on www.schadentech.com for info on what you can disable in order to reduce these processes.
 

Schadenfroh

Elite Member
Mar 8, 2003
Hello Tri335,

Before you do anything
1. You are running an old version of hijackthis, upgrade to HijackThis 1.98.2 and repost your log after you follow the following steps.
2. Make sure that you have extracted HiJackthis to a folder that is isolated before removing anything, for hijackthis makes backups within the folder it is in.
3. Disable system restore, malware can come back through it.
4. Reboot into safe mode.
5. Close all browsers/windows explorer.

fix the following in HijackThis (kill the process in the process viewer if it's there)
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.findin.org/
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
  • O2 - BHO: BHO - {06CAD548-14DD-4fa3-9EA9-05F83C18CBD7} - C:\WINNT\system32\mspxs32.dll
  • O2 - BHO: (no name) - {193FF3B5-F2EC-7143-05A3-086AA5519855} - C:\WINNT\sysmg.dll (file missing)
  • O2 - BHO: (no name) - {EA7FA13F-CB5D-4478-ADD9-4627A31B539C} - C:\WINNT\system32\fih.dll
  • O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\System32\msbe.dll
  • O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
  • O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
  • O10 - Hijacked Internet access by New.Net
  • O10 - Hijacked Internet access by New.Net
  • O10 - Hijacked Internet access by New.Net
  • O10 - Hijacked Internet access by New.Net
  • O10 - Hijacked Internet access by New.Net
  • O15 - Trusted Zone: *.searchmiracle.com
  • O15 - Trusted Zone: *.skoobidoo.com
  • O15 - Trusted Zone: *.tl81.com
  • O15 - Trusted Zone: *.windupdates.com

Additional Steps

1. Clear your Temporary Files
2. Remove the following VIA instructions provided:
3. Restart into normal Windows



Notes

  • 1. Please update to the latest version of HJT and repost log when complete.
 

sugardawl

Junior Member
Nov 16, 2004
Every time I try to delete People On Page it always comes back. Any suggestions??


Logfile of HijackThis v1.98.2
Scan saved at 10:08:35 AM, on 11/16/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\S3apphk.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\system32\fwctray.exe
C:\WINDOWS\system32\gcdise.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\hijack\hijackthis1982.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\CxtPls.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AutoPlay] C:\HP\BIN\AUTOPLAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [t77i3tP] fwctray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [vernn16.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\vernn16.dll
O4 - HKCU\..\Run: [kvern16.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\kvern16.dll
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [cwosRjj3V] gcdise.exe
O4 - Startup: Semagic.lnk = C:\Program Files\Semagic\LiveJournalU.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?


Battousai001

Senior member
Oct 27, 2004
214
0
0
Thanks Schadenfroh! But I still have additional questions below:

Originally posted by: Schadenfroh
Battousai001

O17 - HKLM\System\CCS\Services\Tcpip\..\{23A09DE7-41D8-44BF-879B-FF6E4C4A92F2}: Domain = csb.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{23A09DE7-41D8-44BF-879B-FF6E4C4A92F2}: NameServer = 172.16.202.11,10.8.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{459D2BB9-AA6F-4F60-BB10-EC7DFE26DEEC}: NameServer = 202.81.160.6 202.81.160.7

The "csb.edu" entry there is my school, plus the NameServer stuff is also quite suspicious... What would you suggest?

Keep it; your net connection may get screwy if you fix it, and it would undo the work your IT people did on it.

But what if I'm already using a different internet connection and I'm no longer using the school's ISP, do I still have to keep those entries?

What are those entries for? Are those for my connection to my school's ISP? If so, is it safe to just remove (fix) those entries?

Do you think that IT personnel are monitoring my activities?

Most likely they monitor everyone.

Can I do something in order for them not to be able to monitor me? In other words, totally disconnect my system from their monitoring?

I also would like to ask how to totally clean my system?
Slipstream Windows XP SP2 (with all the security updates) onto a Windows XP install CD, and then format your computer and install Windows XP with SP2 and all the hotfixes on it before connecting to the network.

Is it also possible to slipstream Windows XP Pro itself? What I mean is that if I don't have the installer of WinXP and I wanted to reinstall XP, can I slipstream a copy of XP Pro and reinstall it?

And what exactly is slipstream?
 

Sultan

Banned
Feb 21, 2002
2,297
1
0
Logfile of HijackThis v1.97.7
Scan saved at 12:56:51 PM, on 11/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Citrix\ICACLI~1\WFICA32.EXE
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\ls0210\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = vrffirewall:8080
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A78860C8-EE1A-46DF-A97F-E3E6D433E80B} - C:\WINDOWS\system32\zt803.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust\InoculateIT\realmon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [8lmw3o7.exe] C:\WINDOWS\System32\8lmw3o7.exe /k
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Ebates (HKCU)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/.../msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/...sPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/...neSweeper.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/w...LControl_v1-0-3-12.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/...atsClient.cab31267.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Medi...itorChat/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/downl...gerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/...ry/ZIntro.cab31267.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/downloa...uite/yautocomplete.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/.../Bankshot.cab31267.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.c...cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://qsii.webex.com/client/...ebex/webex/ieatgpc.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/...eShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = VRF.cc
O17 - HKLM\Software\..\Telephony: DomainName = vrf.cc
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = VRF.cc
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = VRF.cc

Please help me clean my system.
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Battousai001

But what if I'm already using a different internet connection and I'm no longer using the school's ISP, do I still have to keep those entries?

If you are no longer on your school's network, you can remove it; just be sure you have winsockfix on your computer, just in case.

Can I do something in order for them not to be able to monitor me? In other words, totally disconnect my system from their monitoring?

As long as you are plugged into their network, it is possible for them to monitor you.

Is it also possible to slipstream Windows XP Pro itself? What I mean is that if I don't have the installer of WinXP and I wanted to reinstall XP, can I slipstream a copy of XP Pro and reinstall it?

And what exactly is slipstream?

Text
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Hello sugardawl and welcome to the forums,

Before you do anything
1. Make sure that you have extracted HijackThis to a folder that is isolated before removing anything, for HijackThis makes backups within the folder it is in.
2. Disable System Restore; malware can come back through it.
3. Reboot into Safe Mode.
4. Close all browsers/Windows Explorer.

Fix the following in HijackThis (kill the process in the process viewer, if it's there):
  • R3 - Default URLSearchHook is missing
  • O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\CxtPls.dll
  • O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
  • O4 - HKLM\..\Run: [t77i3tP] fwctray.exe
  • O4 - HKCU\..\Run: [vernn16.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\vernn16.dll
  • O4 - HKCU\..\Run: [kvern16.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\kvern16.dll

Additional Steps

1. Clear your Temporary Files
2. Remove the following via the instructions provided:
3. Restart into normal Windows
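Two pieces of advice in this thread can be turned into a small triage script: the O4 fix list above (Run entries that name a bare filename with no path, regsvr32 /s entries that silently re-register a DLL at every logon, value names that look machine-generated) and the earlier answer that O17 Domain/NameServer lines are per-adapter DNS settings that should be confirmed with whoever configured the network before fixing them. The Python below is an added example; it is not part of this thread and not HijackThis's own logic. The sample O4 and O17 lines are copied from logs posted here, except the Temp\updater.exe line, which is constructed for the demo, and the rule names and thresholds are this example's own heuristics.

```python
"""Triage HijackThis-style O4/O17 log lines (added example, not part of this thread)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log. The first five O4 lines and the three O17 lines are copied
# from logs posted in this thread; the Temp\updater.exe line is made up for the demo.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [t77i3tP] fwctray.exe
O4 - HKCU\..\Run: [vernn16.dll] C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\vernn16.dll
O4 - HKCU\..\Run: [cwosRjj3V] gcdise.exe
O4 - HKLM\..\RunOnce: [8lmw3o7.exe] C:\WINDOWS\System32\8lmw3o7.exe /k
O4 - HKCU\..\Run: [Updater] C:\DOCUME~1\Owner\LOCALS~1\Temp\updater.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{23A09DE7-41D8-44BF-879B-FF6E4C4A92F2}: Domain = csb.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{23A09DE7-41D8-44BF-879B-FF6E4C4A92F2}: NameServer = 172.16.202.11,10.8.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{459D2BB9-AA6F-4F60-BB10-EC7DFE26DEEC}: NameServer = 202.81.160.6 202.81.160.7
"""

O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run(?:Once)?): \[([^\]]+)\] (.+)$')
O17_RE = re.compile(r'^O17 - (.+?): (Domain|DomainName|NameServer) = (.+)$')
# First program on the command line, quoted or not, up to its extension.
EXE_RE = re.compile(r'^"?(.+?\.(?:exe|dll|cpl|scr|com|bat))"?', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    rule: str
    note: str


def launched_binary(cmd: str) -> str:
    """Return the program a Run-key command starts (quotes stripped)."""
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0].strip('"')


def looks_generated(name: str) -> bool:
    """Coarse heuristic: the value name alternates letter/digit runs at least twice."""
    stem = name.rsplit('.', 1)[0]
    runs = re.findall(r'[A-Za-z]+|\d+', stem)
    return len(stem) >= 6 and len(runs) >= 3


def check_o4(_hive: str, _key: str, name: str, cmd: str) -> list:
    """Heuristics for one O4 autostart entry; each hit is a (rule, note) pair."""
    hits = []
    exe = launched_binary(cmd)
    base = exe.rsplit('\\', 1)[-1].lower()
    if '\\' not in exe:
        hits.append(('bare_filename',
                     f'{exe} has no path, so it is located via PATH search and the log '
                     'does not show which file actually runs'))
    if base == 'regsvr32.exe' and re.search(r'(?i)(^|\s)/s(\s|$)', cmd):
        hits.append(('regsvr32_autoload',
                     'silently re-registers a DLL at every logon; the DLL is the payload'))
    if re.search(r'\\temp\\', exe, re.IGNORECASE):
        hits.append(('temp_path', 'startup programs do not normally live in a Temp folder'))
    if looks_generated(name):
        hits.append(('generated_name', f'value name {name!r} looks machine-generated'))
    return hits


def check_o17(_key: str, setting: str, value: str) -> list:
    """Flag DNS resolvers outside RFC 1918 space so they get confirmed with the network owner."""
    hits = []
    if setting != 'NameServer':
        return hits
    for ip in re.split(r'[,\s]+', value.strip()):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append(('bad_nameserver', f'{ip!r} is not an IP address'))
            continue
        if not addr.is_private:
            hits.append(('external_dns',
                         f'resolver {ip} is a public address; confirm it belongs to the ISP '
                         'or network that configured this adapter'))
    return hits


def triage(text: str) -> list:
    """Run the O4/O17 checks over every line of a HijackThis log."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        for pattern, check in ((O4_RE, check_o4), (O17_RE, check_o17)):
            m = pattern.match(line)
            if m:
                findings.extend(Finding(line, rule, note) for rule, note in check(*m.groups()))
                break
    return findings


def rules_for(findings: list, needle: str) -> list:
    """Sorted rule names raised against the log line(s) containing `needle`."""
    return sorted({f.rule for f in findings if needle in f.line})


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.rule}] {f.line}\n    {f.note}')
```

Running it prints one finding per flagged line. Every rule marks an entry for review, not removal: bare filenames and letter/digit names also occur in legitimate vendor entries (the S3apphk entry in the log above would trip generated_name), and public resolvers are usually just the ISP's, which is exactly why the thread says to leave O17 lines alone until the network's IT staff confirm them.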
 

Battousai001

Senior member
Oct 27, 2004
214
0
0
Originally posted by: Schadenfroh
Battousai001

But what if I'm already using a different internet connection and I'm no longer using the school's ISP, do I still have to keep those entries?

If you are no longer on your school's network, you can remove it; just be sure you have winsockfix on your computer, just in case.


Text

Yup! I'm no longer connected to my school's network... so I think I'm going to delete the entries, but are these entries also included:

O17 - HKLM\System\CCS\Services\Tcpip\..\{23A09DE7-41D8-44BF-879B-FF6E4C4A92F2}: NameServer = 172.16.202.11,10.8.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{459D2BB9-AA6F-4F60-BB10-EC7DFE26DEEC}: NameServer = 202.81.160.6 202.81.160.7


aside from the entry:

O17 - HKLM\System\CCS\Services\Tcpip\..\{23A09DE7-41D8-44BF-879B-FF6E4C4A92F2}: Domain = csb.edu

And what is winsockfix? And one final question: what other entries do I have to fix to attain a clean and fast-loading system with only the essentials being run?

Here's my logfile again (haven't cleaned yet from the FlashGet infestation):

Logfile of HijackThis v1.98.2
Scan saved at 11:27:16 PM, on 11/15/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\admin\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [CARPService] carpserv.exe <--- I think this is for the modem
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" <--- I'm planning on removing ZoneAlarm and replacing it with Kerio...
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe <-- What's this?
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe <--- Is this important?
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.micros...site.cab?1096954996712
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840.../housecall/xscan53.cab <-- What's this for? Can I remove this?
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab <--- Can I remove this?
O17 - HKLM\System\CCS\Services\Tcpip\..\{23A09DE7-41D8-44BF-879B-FF6E4C4A92F2}: Domain = csb.edu <---- This is the setting made by the IT people from my school (which I'm going to "Fix")
O17 - HKLM\System\CCS\Services\Tcpip\..\{23A09DE7-41D8-44BF-879B-FF6E4C4A92F2}: NameServer = 172.16.202.11,10.8.2.2 <----- Is this also included in the network settings set by the IT people?
O17 - HKLM\System\CCS\Services\Tcpip\..\{459D2BB9-AA6F-4F60-BB10-EC7DFE26DEEC}: NameServer = 202.81.160.6 202.81.160.7 <----- Is this also included in the network settings set by the IT people?

Thanks so much, Schadenfroh, for the patience.



 

munchydoan

Member
Nov 5, 2004
45
0
0
Something tells me I'm filthy:
Logfile of HijackThis v1.98.2
Scan saved at 3:17:32 PM, on 11/17/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\ZipToA.exe
C:\bentaa\beremote.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
D:\FIREFOX\FIREFOX.EXE
D:\CWShredder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.co.../ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.co.../ie/defaults/sp/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.co.../ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.co.../ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.co.../ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.co.../ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.co.../ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBS at UMKC
O2 - BHO: Lexico Toolbar - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINNT\Downloaded Program Files\lexbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINNT\Downloaded Program Files\lexbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ScreenPrint32] F:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Startup: Microsoft Office.lnk = Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\winnt\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\winnt\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Similar Pages - res://c:\winnt\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdl...cabs/FPDC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/15...QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/14ea33673...19/netzip/RdxIE601.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://cam.thesandbar.com/activex/AxisCamControl.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/downloa...lls/yse/ymmapi_416.dll
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://a320.g.akamai.net/7/320.../PulsePlayer5AxWin.cab
O16 - DPF: {C54A28A1-5EBF-11D5-9F0E-00A0C99A7357} (SpeedCtl Class) - http://iweb.intertainer.com/eod/downloads/SpeedTest.dll
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.co...ols/toolbar/lexico.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kc.umkc.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3CAA5A8-D0AC-432C-861E-12C8D95D7956}: NameServer = 134.193.1.2,134.193.83.4
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kc.umkc.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = kc.umkc.edu

 