Guide to Removing and Preventing Spyware/Adware/Hijacking/Viruses

Page 12 - Seeking answers? Join the AnandTech community: where nearly half-a-million members share solutions and discuss the latest tech.
Toggle sidebar Toggle sidebar

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Fatdog

your log is clean and

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
Click to expand...

is normal. it is standard on all computers.
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Originally posted by: Fatdog
Originally posted by: Schadenfroh
Fatdog

your log is clean and

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
Click to expand...

is normal. it is standard on all computers.
Click to expand...

Roger that, thanks for looking. :thumbsup:

BriGy86

Try Black Vipers site, it work very well for me.
Click to expand...

already sent him that and sysinfo's startup list guide in a private message, great site
 
S

suzee401

Junior Member
Sep 22, 2004
7
0
0
yes - i would like to ge rid of anything that isn't necessary - especially if it will free some memory up because lately i keep getting the paging notice - -
here is my new log:

---------------------
Logfile of HijackThis v1.97.7
Scan saved at 9:07:53 PM, on 9/23/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\S3apphk.exe
C:\WINDOWS\System32\shpc32.exe
C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\?hkdsk.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\jackinthebox\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.projo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.projo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {398C3479-916A-69C4-DA53-10550B832110} - C:\WINDOWS\System32\civ.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPMon32.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [xkstartup] RunDll32 insxk50c.dll,SetUsbPrinterPort
O4 - HKLM\..\Run: [SHPC32] shpc32.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Njnvrnc] C:\WINDOWS\System32\?hkdsk.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: MktBrowser (HKLM)
O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/app...perbingo-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/appl...reenback-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://mahjong2.pogo.com/apple.../mahjong-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.pogo.com/app...terwheel-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://flinger.pogo.com/applet.../flinger-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet-5...fu/popfu-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/app...uelchies-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game5.pogo.com/applet-5...ks/peaks-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown2.pogo.com/app...hackdown-ob-assets.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.co...es/clients/y/tt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.co...s/clients/y/potc_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com...e/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/...901338C922/wmv9VCM.CAB
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - file://c:\x.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aol125.pogo.com/game/de...ma/popcaploader_v5.cab

 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
suzee401

the following should be safe to remove for the purpose of speeding things up. Reboot into safemode via F8 to remove. remember that hijackthis creates backups of these, just incase you need to restore them.

O2 - BHO: (no name) - {398C3479-916A-69C4-DA53-10550B832110} - C:\WINDOWS\System32\civ.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll (REQUIRED FOR SOME FEATURES OF MICROSOFT MONEY
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/app...perbingo-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/appl...reenback-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://mahjong2.pogo.com/apple.../mahjong-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.pogo.com/app...terwheel-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://flinger.pogo.com/applet.../flinger-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet-5...fu/popfu-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/app...uelchies-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game5.pogo.com/applet-5...ks/peaks-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown2.pogo.com/app...hackdown-ob-assets.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.co...es/clients/y/tt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.co...s/clients/y/potc_x.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - file://c:\x.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aol125.pogo.com/game/de...ma/popcaploader_v5.cab

Use Spybot's Startuplist to "uncheck" the following, so they can very easily be renabled if needed:

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE REMOVE ONLY IF YOU DO NOT USE THE NONSTANDARD KEYS ON YOUR KEYBOARD
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe Quick access to the control panel via a System Tray icon for graphics from intel
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe REMOVE ONLY IF YOU DO NOT USE THE NONSTANDARD KEYS ON YOUR KEYBOARD
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPMon32.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\INSTAN~1.EXE /h REENABLE IF YOU HAVE ISSUES WITH YOUR SCANNER
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe REENABLE IF YOU HAVE ISSUES WITH YOUR INTERNET CONNECTION
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run REENABLE IF YOU HAVE ISSUES WITH YOUR INTERNET CONNECTION
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background IF YOU WANT MSN MESSANGER STARTING WITH WINDOWS, LEAVE IT ENABLED
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe REMOVING THIS MIGHT INTERFERE WITH NOTIFICATIONS ABOUT QUICKBOOKS

VIRUS FOUND BELOW
use hijackthis to fix and then use windows explorer to delete the following.
O4 - HKCU\..\Run: [Njnvrnc] C:\WINDOWS\System32\?hkdsk.exe
 
B

Bluto

Senior member
Oct 9, 1999
200
0
0
Hi Shadenfroh.....


Here is my latest HijackThis log:
--------------------------------------------------------------------------------------------------------------------------
Logfile of HijackThis v1.98.2
Scan saved at 9:36:30 PM, on 9/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\regedit.exe
C:\Anti Scumware programs\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.answerway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.answerway.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.answerway.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yi...t/applet/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yi...applet/v45/yacscom.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840.../housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/downloa...uite/yautocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1739A3F2-60BE-4B16-AD0A-91D176FC4C0D}: NameServer = 207.69.188.187 207.69.188.186
--------------------------------------------------------------------------------------------------------------------------


I have downloaded Ad-Aware SE version....updated it....and run it in safe mode. I have run Hijack This two more tmies since my last post. I have run several other spyware killers too and I STILL have the same problem! arrrgh

This is unbelievable......lol.

I DID find out soem information on that "pl.exe" program I mentioned in one of my first posts. I found a file called: "x.htm". I renamed it as a text file, opened it with notepad so I could see what it contained and this is the contents:

<html><body onload="window.close()"><object classid="clsid:11111111-1111-1111-1111-111111111732" codebase="file://c:/progra~1/pl.exe"></object></body></html>

Maybe you can help me figure out what the heck this thing is I have, and maybe it will help others too. I'm almost ready to calla priest to exorcise this thing!

Anyway....I hope you have soem more ideas.....and if you don't I will send this file to the "spywareinfo" link you mentioned a day ago or so.

Thank you for your help!

bluto
 
G

grimmie

Banned
Sep 23, 2004
27
0
0
Originally posted by: ViciouS
What do you guys think of Mozilla? Is it a better option than IE? Seems to have less holes, nice pop up blocker. Seems more secure, I've been getting less spyware with it.<BR><BR><BR>Mozilla Firefox
Click to expand...


it's the best, most standards compliant web browser
yes
it does
yes, it is
of course

 
S

suzee401

Junior Member
Sep 22, 2004
7
0
0
I had that same file on my puter - i deleted it and then went into safe - deleted a ton of other stuff (see directions from the answers to my posts) and it went away - not sure if this will help - but if you're already on to exorcism - it might be worth a try. Remember back in the old days when all we had to ask was - are the cables connected? - lol~
 
S

suzee401

Junior Member
Sep 22, 2004
7
0
0
thanks for all of the great info - i found that virus on there and it kept coming back - it seems to be gone now. Thanks for the help with my logs! You're the best
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Originally posted by: grimmie
Originally posted by: ViciouS
What do you guys think of Mozilla? Is it a better option than IE? Seems to have less holes, nice pop up blocker. Seems more secure, I've been getting less spyware with it.<BR><BR><BR>Mozilla Firefox
Click to expand...


it's the best, most standards compliant web browser
yes
it does
yes, it is
of course
Click to expand...

that is why it is mentioned in the prevention guide, part of the site linked in the Original post
 
B

Bluto

Senior member
Oct 9, 1999
200
0
0
suzee....

Thanks....if you were, in fact, talking to me but I don't want to go deleting a bunch of things that I don't know about. I'm hoping shadenfro will take a look at my post above and tell me what the scoop is!


 
K

KavinCross

Junior Member
Sep 21, 2004
24
0
0
Thanks Shadenfroh, I got to follow thru the worklist you sent. There were a few files in the list that werent there, but the system doesnt have popups anymore and i dont feel any performance loss from it under certain apps. Ill keep a watchfull eye on it for the next few days.

Man thanks just doesnt go far enough. You are simply "The MAN!"
 
B

BriGy86

Diamond Member
Sep 10, 2004
4,538
1
91
heres the log for my lap top at school

Logfile of HijackThis v1.98.2
Scan saved at 11:05:21 AM, on 9/24/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Altiris\AClient\AClient.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Altiris\AClient\AClntUsr.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\petbrip\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.100.1.2:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.dunwoody.*;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [AClntUsr] C:\Altiris\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&amp;xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &amp;Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/022554c10efcb88e5e19/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.micros...site.cab?1093014450081
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dunwoody.tec.mn.us
O17 - HKLM\Software\..\Telephony: DomainName = dunwoody.tec.mn.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dunwoody.tec.mn.us
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dunwoody.tec.mn.us
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Originally posted by: Bluto
suzee....

Thanks....if you were, in fact, talking to me but I don't want to go deleting a bunch of things that I don't know about. I'm hoping shadenfro will take a look at my post above and tell me what the scoop is!
Click to expand...

bluto, i sent you my final solution to you via PM, im out of ideas, post on adaware or spywareinfo or both about it, let me know how they fix it (if they can)
 
B

Bluto

Senior member
Oct 9, 1999
200
0
0
Hi shadenfroh.....

Thanks for the return note.

I *just* posted a note and a couple LOG files to spyware. I looked over their site, tried a couple things they suggested, but most did not work for me. For instance; I tried to search and find *.hta &amp; *.js files. I found two *.hta files and 44 *.js files. I was able to delete the htsa's, but was only able to delete a couple of the js files. Many appear to be buried in *.cab (cabinet) files and cannot get to them. I tried gettting at tem from a 'cmd' prompt, but my DOS is so rusty that I gave up typing out directory after directory.....<sigh>.

Anyway...I still have the problem......I think I've wounded it tho, but the main parent is still out there lurking about.

OH.....hre's another thing that I have found....and mayeb otehrs can use this info. THIS particular pain-in-the-*@$ that's I'm plagued with has the ability to limit or at least mess with my ability to do 'searches' on my hard drive. It will either lock it up so it won't work, or I think it just won't search everywhere it's set to. I don't know if this work-around has helped, but I have been using wildcard characters in my searches......for instance......if I were to look for the file "pl.exe".....I'd call it "pl.?x?, or "?l.exe.....something like that.

Also......I don't know if this has helped at all or not either, but when I log into SAFE MODE I get two ways to login.....my normal login, and administrator. I have been trying Administrator thinking the 'scum' will be less likely to 'recognize' me and I may be able to work more freely. Don't know if that's true, but if it helps smoeone....then great.

Man this stuff is a HUGE pain, but I THANK YOU for all your help and ideas. I will send you any other things I run across, and if I find uot what caused this I will post that to you too.

 
B

BriGy86

Diamond Member
Sep 10, 2004
4,538
1
91
Originally posted by: Schadenfroh
Hello BriGy86,

Your log appears clean! congrats
Click to expand...

both of them?

the 1st one i posted (page 14) was from my home computer

the second log i posted (page 15) was from my lap top that i use at school

and thank you for taking a look
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Originally posted by: BriGy86
Originally posted by: Schadenfroh
Hello BriGy86,

Your log appears clean! congrats
Click to expand...

both of them?

the 1st one i posted (page 14) was from my home computer

the second log i posted (page 15) was from my lap top that i use at school

and thank you for taking a look
Click to expand...

your laptop, taking a look at the page 14 one now.
 
P

paulee

Member
Aug 12, 2001
128
0
0
Shadenfroh:

This is a log of my gf's laptop:

Logfile of HijackThis v1.97.7
Scan saved at 10:25:01 AM, on 9/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\inetwh32.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\TPSBattM.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Anna's Files\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.qdbaclpoof.net/A9X2...MQL4hebGeoeS_EE1j.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.toshiba.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1B36742B-6065-F71B-C8F3-75AE7F372FD6} - C:\PROGRA~1\WAVEWM~1\roadbolt.exe
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &amp;Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &amp;Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [IVPServiceMgr] C:\toshiba\ivp\ism\ivpsvmgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [bonecdrom] C:\PROGRA~1\REALGR~1\KeepBeep.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [inetwh32] C:\WINDOWS\system32\inetwh32.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &amp;Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab


Can ya help? Thx!
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Hello paulee,

Before you do anything
1. Update to the latest version of hijackthis. (v1.98.2)
2. Make sure that you have extracted HiJackthis to a folder that is isolated before removing anything, for hijackthis makes backups within the folder it is in.
3. Disable system restore, malware can come back through it.
4. Reboot into safe mode.
5. Close all browsers/windows explorer.

fix the following in hijackthis(kill the process in process viewer, if its there)
  • R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.qdbaclpoof.net/A9X2...MQL4hebGeoeS_EE1j.html
  • O2 - BHO: (no name) - {1B36742B-6065-F71B-C8F3-75AE7F372FD6} - C:\PROGRA~1\WAVEWM~1\roadbolt.exe
  • O4 - HKLM\..\Run: [bonecdrom] C:\PROGRA~1\REALGR~1\KeepBeep.exe
  • O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER (NOT BAD, but is annoying
  • O4 - HKCU\..\Run: [inetwh32] C:\WINDOWS\system32\inetwh32.exe

Additional Steps

1. Clear your Temporary Files
2. Delete the following file:
[*]C:\WINDOWS\system32\inetwh32.exe
3. Restart into normal windows
 
R

Racer94

Member
May 27, 2000
157
0
0
here is my hijackthis log.

Logfile of HijackThis v1.98.2
Scan saved at 7:39:36 PM, on 09/25/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\TIMROD~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/s...ent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/s...t/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840.../housecall/xscan53.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -


Thanks for any help.
Tim
Racer94
 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
hello Racer94

close all windows explorer and internet explorer windows and fix the following

[*]O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

 
R

Ravenseye

Junior Member
Sep 14, 2004
7
0
0
Hey all, any suggestions?
-Mike

Logfile of HijackThis v1.98.2
Scan saved at 8:58:05 PM, on 9/25/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\msdrvs32.exe
C:\WINDOWS\System32\pstfco.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Aqua Dock\Aqua Dock.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Spybot - Search &amp; Destroy\TeaTimer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Michael Lee\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &amp;Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Windows Compliant] pstfco.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Win32 Configuration] videosd32.exe
O4 - HKLM\..\Run: [Windows Driver Services] msdrvs32.exe
O4 - HKLM\..\Run: [Win32 USB2 Driver] syscfg32.exe
O4 - HKLM\..\Run: [AudCtrl] RunDll32 AudCtrl.dll,RCMonitor
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [Aqua Dock] C:\Program Files\Aqua Dock\Aqua Dock.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\RunServices: [Windows Compliant] pstfco.exe
O4 - HKLM\..\RunServices: [Win32 Configuration] videosd32.exe
O4 - HKLM\..\RunServices: [Windows Driver Services] msdrvs32.exe
O4 - HKLM\..\RunServices: [Win32 USB2 Driver] syscfg32.exe
O4 - HKLM\..\RunOnce: [Windows Driver Services] msdrvs32.exe
O4 - HKCU\..\Run: [Windows Compliant] pstfco.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search &amp; Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Win32 Configuration] videosd32.exe
O4 - HKCU\..\Run: [Windows Driver Services] msdrvs32.exe
O4 - HKCU\..\Run: [Win32 USB2 Driver] syscfg32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Windows Driver Services] msdrvs32.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.micros...site.cab?1096160036418

 

Schadenfroh

Elite Member
Mar 8, 2003
38,416
4
0
Hello Ravenseye,

Before you do anything
1. Make sure that you have extracted HiJackthis to a folder that is isolated before removing anything, for hijackthis makes backups within the folder it is in.
2. Disable system restore, malware can come back through it.
3. Reboot into safe mode.
4. Close all browsers/windows explorer.

fix the following in hijackthis(kill the process in process viewer, if its there)
  • O4 - HKLM\..\Run: [Windows Compliant] pstfco.exe
  • O4 - HKLM\..\Run: [Win32 Configuration] videosd32.exe
  • O4 - HKLM\..\Run: [Windows Driver Services] msdrvs32.exe
  • O4 - HKLM\..\Run: [Win32 USB2 Driver] syscfg32.exe
  • O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
  • O4 - HKLM\..\RunServices: [Windows Compliant] pstfco.exe
  • O4 - HKLM\..\RunServices: [Win32 Configuration] videosd32.exe
  • O4 - HKLM\..\RunServices: [Windows Driver Services] msdrvs32.exe
  • O4 - HKLM\..\RunServices: [Win32 USB2 Driver] syscfg32.exe
  • O4 - HKLM\..\RunOnce: [Windows Driver Services] msdrvs32.exe
  • O4 - HKCU\..\Run: [Windows Compliant] pstfco.exe
  • O4 - HKCU\..\Run: [Win32 Configuration] videosd32.exe
  • O4 - HKCU\..\Run: [Windows Driver Services] msdrvs32.exe
  • O4 - HKCU\..\Run: [Win32 USB2 Driver] syscfg32.exe
  • O4 - HKCU\..\RunOnce: [Windows Driver Services] msdrvs32.exe

Additional Steps

1. Clear your Temporary Files
2. Remove the following VIA instructions provided:
[*]WOOTBOT Worm
[*]Signs exist of either (or both) of Sdbot Trojan or Kwbot Worm)[/b]
3.Restart into normal windows



Notes

  • 1. If USB stops working, restore the ones labled USB, but i have a fealing that those are not legit.
    2. Loads of worms there, could help be prevented by running windows update, you should consider SP2.
 
You must log in or register to reply here.

TRENDING THREADS

COMPANY
RESOURCES
FOLLOW
Top Bottom
sale-70-410-exam    | Exam-200-125-pdf    | we-sale-70-410-exam    | hot-sale-70-410-exam    | Latest-exam-700-603-Dumps    | Dumps-98-363-exams-date    | Certs-200-125-date    | Dumps-300-075-exams-date    | hot-sale-book-C8010-726-book    | Hot-Sale-200-310-Exam    | Exam-Description-200-310-dumps?    | hot-sale-book-200-125-book    | Latest-Updated-300-209-Exam    | Dumps-210-260-exams-date    | Download-200-125-Exam-PDF    | Exam-Description-300-101-dumps    | Certs-300-101-date    | Hot-Sale-300-075-Exam    | Latest-exam-200-125-Dumps    | Exam-Description-200-125-dumps    | Latest-Updated-300-075-Exam    | hot-sale-book-210-260-book    | Dumps-200-901-exams-date    | Certs-200-901-date    | Latest-exam-1Z0-062-Dumps    | Hot-Sale-1Z0-062-Exam    | Certs-CSSLP-date    | 100%-Pass-70-383-Exams    | Latest-JN0-360-real-exam-questions    | 100%-Pass-4A0-100-Real-Exam-Questions    | Dumps-300-135-exams-date    | Passed-200-105-Tech-Exams    | Latest-Updated-200-310-Exam    | Download-300-070-Exam-PDF    | Hot-Sale-JN0-360-Exam    | 100%-Pass-JN0-360-Exams    | 100%-Pass-JN0-360-Real-Exam-Questions    | Dumps-JN0-360-exams-date    | Exam-Description-1Z0-876-dumps    | Latest-exam-1Z0-876-Dumps    | Dumps-HPE0-Y53-exams-date    | 2017-Latest-HPE0-Y53-Exam    | 100%-Pass-HPE0-Y53-Real-Exam-Questions    | Pass-4A0-100-Exam    | Latest-4A0-100-Questions    | Dumps-98-365-exams-date    | 2017-Latest-98-365-Exam    | 100%-Pass-VCS-254-Exams    | 2017-Latest-VCS-273-Exam    | Dumps-200-355-exams-date    | 2017-Latest-300-320-Exam    | Pass-300-101-Exam    | 100%-Pass-300-115-Exams    |
http://www.portvapes.co.uk/    | http://www.portvapes.co.uk/    |