TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Guest_Jim on September 29, 2004, 09:23:16 PM
-
My browser homepage keeps reverting to www.your-searcher.com. Please help.
Thanks in advance
Logfile of HijackThis v1.97.7
Scan saved at 10:23:40 PM, on 9/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\hphmon03.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Windows SyncroAd\SyncroAd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\windows\dllhlp.exe
C:\PROGRA~1\Cacheman\Cacheman.exe
C:\Program Files\Windows SyncroAd\WinSync.exe
C:\Program Files\GhostSurf\GhostSurf.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
G:\Downloads\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\m?iexec.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: (no name) - {68FD677B-C63D-79B9-D056-64557CAB281B} - C:\WINDOWS\System32\ctv.dll
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\SZIEBHO.dll
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PhilipsRemote] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\PhilipsRemote.exe
O4 - HKLM\..\Run: [mm_server] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [dllhelp] c:\windows\dllhlp.exe
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: GhostSurf.lnk = C:\Program Files\GhostSurf\GhostSurf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: Allow personal info to reach this site - file://C:\Program Files\GhostSurf\info.allow.html
O8 - Extra context menu item: Allow popups on this site - file://C:\Program Files\GhostSurf\popup.allow.html
O8 - Extra context menu item: Allow this advertisement - file://C:\Program Files\GhostSurf\menu.allowimg.html
O8 - Extra context menu item: Block personal info from this site - file://C:\Program Files\GhostSurf\info.block.html
O8 - Extra context menu item: Block popups on this site - file://C:\Program Files\GhostSurf\popup.block.html
O8 - Extra context menu item: Block this advertisement - file://C:\Program Files\GhostSurf\menu.blockimg.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Trace (HKLM)
O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
O9 - Extra button: MktBrowser (HKLM)
O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: GhostSurf Privacy Center (HKLM)
O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=6e1d88da1d51f77eb132c045609b1ae19eccee9501ea2f8c7ea680e2ea5f44e6b494207f4a6203b2fac449861db710ff31f38429d6f232227b2a5905c689:24515e734f677cac594f3fdc891b75c6
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095000244281
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
-
Hi Jim, could you download a couple of tools
First download and save to desktop
CWShredder 1.59.1 (https://ssl.perfora.net/tools.radiosplace.com/CWShredder.exe)
Don't run it yet
Next Download and Install Ad-Aware SE Personal 1.05 (http://download.com.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button)
After installation Check For Updates
Don't run it yet, but update it now
Print this out if you have to, I need you to Start in Safe Mode and Remain offline
Set Windows to Show Hidden Files and Folders (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)
RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
Access your Add/Remove Programs and Remove if Present
WEB REBATES
Windows SyncroAd
eXact advertising
Look for this file
C:\WINDOWS\system32\m?iexec.exe <==this file
Rename m?iexec.exe>>>>m?iexec.old
Enter your Task Manager (Hold down the CTRL+Shift keys and tap the ESC key)
End Process on this if still running
WinSync.exe
SyncroAd.exe
Find and delete these files or folders if they exist
c:\windows\dllhlp.exe <--this file
C:\Program Files\Windows SyncroAd <--this folder
C:\Program Files\Web_Rebates <--this folder
Do a DiskCleanup>>START----Run---type in cleanmgr
Ensure that Temp and Temporary Internet Files are checked
Stay in SAFE MODE
Do another Scan with Hijackthis and put a check next to these entries
and then FIX CHECKED when ALL other windows are closed
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {68FD677B-C63D-79B9-D056-64557CAB281B} - C:\WINDOWS\System32\ctv.dll
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKCU\..\Run: [dllhelp] c:\windows\dllhlp.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...94f3fdc891b75c6
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab9
After you FIX CHECKED the above and close Hijackthis
Open up Just CWShredder and let it FIX all problems
RESTART back in Normal Mode
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab== Reset home page
Open Ad-Aware, ensure you updated beforehand
Do a Full System Scan==Remove ALL Critical Objects
RESTART your computer to finish cleaning
Download the latest version of Hijackthis from HERE (http://aumha.org/downloads/hijackthis.exe)
Save it to a Permanent folder
Do a Scan with that version and post a New log when you're done with the above
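As an added illustration of the triage the reply above does by hand (example code written for this page; it is not part of the thread, of HijackThis, or of any vendor tool), the Python script below parses HijackThis entry lines and flags the same classes of entry the helper marked for fixing: start and search pages pointing at a known hijack domain, a ProxyServer on 127.0.0.1, registrations whose file is missing, unnamed BHOs loading from System32, every Trusted Zone addition, and ActiveX downloads that come from one of those same Trusted Zone domains. The hijack-host list and the heuristics are assumptions chosen for this thread, and the sample log is constructed from lines quoted in it.

```python
"""Triage a HijackThis log for browser-hijack indicators.

Added example for this thread; it is not part of HijackThis or of any
post above. The indicator list is an assumption chosen to match the
entries the helper told Jim to fix, not a vendor signature set.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: lines in HijackThis's own format, mixing entries
# that were fixed in the thread with benign ones that were left alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {68FD677B-C63D-79B9-D056-64557CAB281B} - C:\WINDOWS\System32\ctv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [dllhelp] c:\windows\dllhlp.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.mt-download.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 202.78.97.2,202.78.97.3
"""

# Hosts the analyst already knows as hijack destinations (assumption: only
# the one named in this thread).
HIJACK_HOSTS = {"your-searcher.com"}

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")
LOCAL_PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:127\.0\.0\.1|localhost):\d+", re.I)
# An .exe sitting directly in the Windows directory (not a subfolder).
WINROOT_EXE_RE = re.compile(r"[A-Z]:\\WINDOWS\\[^\\\s]+\.exe\b", re.I)

REASON_HIJACK = "start/search page points at a known hijack domain"
REASON_LOCAL_PROXY = "browser traffic routed through a local proxy port"
REASON_ORPHAN = "registration whose file is missing"
REASON_UNNAMED_BHO = "unnamed BHO loading from the system directory"
REASON_WINROOT = "startup program sitting directly in the Windows directory"
REASON_TRUSTED = "Trusted Zone entry relaxes IE security for this domain"
REASON_DPF_NO_URL = "ActiveX control with no recorded source URL"
REASON_DPF_TRUSTED = "ActiveX control downloaded from a Trusted Zone domain"
REASON_DNS = "DNS servers set in the registry; confirm they belong to the ISP"


@dataclass(frozen=True)
class Finding:
    kind: str    # HijackThis section code, e.g. R1, O2, O15
    reason: str  # why the line deserves a look
    line: str    # the original log line


def parse(log):
    """Return (kind, body, line) for every HijackThis entry line."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("kind"), m.group("body"), raw.strip()))
    return entries


def _in_domain(host, domains):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(log, hijack_hosts=HIJACK_HOSTS):
    entries = parse(log)
    # First pass: Trusted Zone domains, so O16 downloads can be cross-checked.
    trusted = set()
    for kind, body, _ in entries:
        if kind == "O15" and body.startswith("Trusted Zone:"):
            trusted.add(body.split(":", 1)[1].strip().lstrip("*.").lower())

    findings = []
    for kind, body, line in entries:
        url = URL_RE.search(body)
        host = (urlsplit(url.group()).hostname or "") if url else ""
        if kind in ("R0", "R1", "R3"):
            if "(no file)" in body:
                findings.append(Finding(kind, REASON_ORPHAN, line))
            elif url and _in_domain(host, hijack_hosts):
                findings.append(Finding(kind, REASON_HIJACK, line))
            elif LOCAL_PROXY_RE.search(body):
                findings.append(Finding(kind, REASON_LOCAL_PROXY, line))
        elif kind == "O2":
            parts = body.split(" - ")          # "BHO: name", "{CLSID}", path
            name, path = parts[0], parts[-1]
            if "(no file)" in path:
                findings.append(Finding(kind, REASON_ORPHAN, line))
            elif "(no name)" in name and "\\system32\\" in path.lower():
                findings.append(Finding(kind, REASON_UNNAMED_BHO, line))
        elif kind == "O4" and WINROOT_EXE_RE.search(body):
            findings.append(Finding(kind, REASON_WINROOT, line))
        elif kind == "O15":
            findings.append(Finding(kind, REASON_TRUSTED, line))
        elif kind == "O16":
            if not url:
                findings.append(Finding(kind, REASON_DPF_NO_URL, line))
            elif _in_domain(host, trusted):
                findings.append(Finding(kind, REASON_DPF_TRUSTED, line))
        elif kind == "O17":
            findings.append(Finding(kind, REASON_DNS, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4}{f.reason}\n    {f.line}")
```

A flag means "review", not a verdict: the Windows-directory check would also catch Windows 98's own scanregw.exe, and the O17 entry in the later log is simply an ISP's resolvers. The cross-check between O15 and O16 is the useful part: mt-download.com appears both as a Trusted Zone entry and as the source of the MediaTickets control, which is how the two entries show themselves to belong to the same installer.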
-
I followed the instructions that you posted, however I was not able to locate: C:\WINDOWS\system32\m?iexec.exe (I did find msiexec.exe but I left it alone.) The Hijacker has stopped resetting my home page. I notice now that when I boot with an internet connection active (LAN cable plugged into the cable modem) the computer seems to lock up and becomes unresponsive for several minutes after boot up. During this time I can't do anything but move windows around and they leave trails like a spread out deck of cards. This has only started happening recently. Does this make sense at all?? Please help if you can. I've posted my latest hijack this log. Thanks again.
Jim
P.S. I notice a lot of svchost.exe files running in task manager, one of which is using a lot of memory. Any ideas??
Logfile of HijackThis v1.98.2
Scan saved at 9:42:09 PM, on 10/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\hphmon03.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Cacheman\Cacheman.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\GhostSurf\GhostSurf.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
G:\Downloads\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\System32\IETie.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\SZIEBHO.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PhilipsRemote] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\PhilipsRemote.exe
O4 - HKLM\..\Run: [mm_server] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_server.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: GhostSurf.lnk = C:\Program Files\GhostSurf\GhostSurf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: Allow personal info to reach this site - file://C:\Program Files\GhostSurf\info.allow.html
O8 - Extra context menu item: Allow popups on this site - file://C:\Program Files\GhostSurf\popup.allow.html
O8 - Extra context menu item: Allow this advertisement - file://C:\Program Files\GhostSurf\menu.allowimg.html
O8 - Extra context menu item: Block personal info from this site - file://C:\Program Files\GhostSurf\info.block.html
O8 - Extra context menu item: Block popups on this site - file://C:\Program Files\GhostSurf\popup.block.html
O8 - Extra context menu item: Block this advertisement - file://C:\Program Files\GhostSurf\menu.blockimg.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - C:\Program Files\GhostSurf\LaunchPCC.exe
O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center - {578FC4E3-151E-456c-AF8E-B63061EFE228} - C:\Program Files\GhostSurf\LaunchPCC.exe
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095000244281
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
-
It's normal to have multiple entries of svchost.exe in task manager
I can see that you're running 2 anti-viruses on startup
Having more than 1 on startup can cause system slowdowns and conflicts
I'm not familiar with the program called Cacheman.... Does this need to run on startup?
You should download this little utility to disable some startup Items
Starter 5.6.1.38 (http://freedownloadswindows.com/65276/starter_56138.html)
It's a small download, this will help you in controlling some startup entries
Track down what you need on startup
Use these links
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm
http://www.windowsstartup.com/wso/search.php
Stuff like Sysdoc32.exe and OSA9.exe are just resource hogs that don't need to be running at startup....
Post back and let me know how you made out
-
Hello Jim or any one out there:
I tried everything in your suggestions to get rid of this asshole of a hijacker "your searcher" and still can't get it out of my system. I used Hijack This, Ad-aware, CWSInstall, Spybot S&D, and still nothing works. Worked on it off-line and on-line still nothing. Blasted Bug!!! Need help please.
-
I forgot to attach my HJT Log, here it is:
Logfile of HijackThis v1.97.7
Scan saved at 8:40:11 PM, on 11/18/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\KHOOKER.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\JCAMHXR.EXE
C:\WINDOWS\TWAIN_32\A4CIS\WATCH.EXE
C:\MSCAN\MSOFFICE\PANEL.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.skyinet.net :3128
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~2\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [EPSON Stylus C43 Series] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P23 "EPSON Stylus C43 Series" /O7 "EPUSB1:" /M "Stylus C43"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [didkxfv] c:\windows\wppmbek.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\A4CIS\WATCH.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/21fcdeb487482a85d905/netzip/RdxIE601.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38297.6700462963
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20041101/qtinstall.info.apple.com/pthalo/us/win/QuickTimeInstaller.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 202.78.97.2,202.78.97.3
O19 - User stylesheet: (file missing)
THANK YOU!
-
HI Dandrew
Can you set windows to show hidden files and folders
* Open My Computer.
* Select the View menu and click Folder Options.
* Select the View Tab.
* In the Hidden files section select Show all files.
* Click OK.
Next: go to this site, give it time to load if it's busy
http://virusscan.jotti.dhs.org/
It's an online Malware scan
Use the Browse button at the top and Navigate to these 2 files, one at a time, if you can find them
C:\WINDOWS\JCAMHXR.EXE <--file
c:\windows\wppmbek.exe <--file
Right click on the files and choose Select and then use the Submit button
Wait for the scan and copy and paste back here the information on the 2 files
After you have done that
I need you to update your version of Hijackthis to version 1.98.2
Open Hijackthis>>Config>>Misc Tools>>Check for updates Online
If for some reason it won't update, please download the newest version from
HERE (https://ssl.perfora.net/tools.radiosplace.com/HijackThis.exe) or HERE (http://aumha.org/downloads/hijackthis.exe)
Save it to your C:\MY DOCUMENTS folder,
Allow it to overwrite the old version, you actually may want to put Hijackthis in its own folder
Eg.... Right click in My Documents, left click NEW>>FOLDER
Name the new folder HJT
Post back a fresh log from that version, let's make sure we're seeing everything
We'll clean up this Parasite for you
-
Hello guestolo, thanks for the assist.
here is the info on the two files from the malware scan:
File: jcamhxr.exe
Status: INFECTED/MALWARE
Packers detected: UPX
AntiVir TR/StartPage.QP (0.14 seconds taken)
Avast No viruses found (1.51 seconds taken)
BitDefender No viruses found (0.79 seconds taken)
ClamAV Trojan.Startpage-141 (0.33 seconds taken)
Dr.Web No viruses found (0.48 seconds taken)
F-Prot Antivirus No viruses found (0.06 seconds taken)
Kaspersky Anti-Virus Trojan.Win32.StartPage.qp (0.60 seconds taken)
mks_vir No viruses found (0.23 seconds taken)
NOD32 No viruses found (0.40 seconds taken)
Norman Virus Control No viruses found (0.29 seconds taken)
=======================================
File: wppmbek.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
Packers detected: UPX
AntiVir TR/StartPage.QP (0.14 seconds taken)
Avast No viruses found (1.51 seconds taken)
BitDefender No viruses found (0.78 seconds taken)
ClamAV Trojan.Startpage-141 (0.33 seconds taken)
Dr.Web No viruses found (0.48 seconds taken)
F-Prot Antivirus No viruses found (0.06 seconds taken)
Kaspersky Anti-Virus Trojan.Win32.StartPage.qp (0.60 seconds taken)
mks_vir No viruses found (0.23 seconds taken)
NOD32 No viruses found (0.40 seconds taken)
Norman Virus Control No viruses found (0.29 seconds taken)
I'm continuing the other instructions now. thanks again!
dandrew
-
Hello Guestolo:
Here's the log from the new version without removing your-searcher:
Logfile of HijackThis v1.98.2
Scan saved at 11:44:21 PM, on 11/20/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\KHOOKER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\UQVNJPU.EXE
C:\WINDOWS\TWAIN_32\A4CIS\WATCH.EXE
C:\MSCAN\MSOFFICE\PANEL.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.skyinet.net :3128
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~2\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [EPSON Stylus C43 Series] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P23 "EPSON Stylus C43 Series" /O7 "EPUSB1:" /M "Stylus C43"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [qlfplwh] c:\windows\kryddmy.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\A4CIS\WATCH.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/21fcdeb487482a85d905/netzip/RdxIE601.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20041101/qtinstall.info.apple.com/pthalo/us/win/QuickTimeInstaller.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 202.78.97.2,202.78.97.3
O19 - User stylesheet: (file missing)
dandrew
-
here's after the fixing:
Logfile of HijackThis v1.98.2
Scan saved at 11:47:12 PM, on 11/20/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\KHOOKER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\UQVNJPU.EXE
C:\WINDOWS\TWAIN_32\A4CIS\WATCH.EXE
C:\MSCAN\MSOFFICE\PANEL.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.skyinet.net :3128
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~2\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [EPSON Stylus C43 Series] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P23 "EPSON Stylus C43 Series" /O7 "EPUSB1:" /M "Stylus C43"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - HKCU\..\Run: [qlfplwh] c:\windows\kryddmy.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\A4CIS\WATCH.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/21fcdeb487482a85d905/netzip/RdxIE601.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20041101/qtinstall.info.apple.com/pthalo/us/win/QuickTimeInstaller.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 202.78.97.2,202.78.97.3
O19 - User stylesheet: (file missing)
dandrew
-
Let's try some final cleanup
Open Hijackthis>>Config>>Misc Tools>>Open Process Manager
Kill this process
C:\WINDOWS\UQVNJPU.EXE
Next: Still in Hijackthis>>Config>>Misc Tools>>Delete File on Reboot
In the File Name field copy and paste the bolded text below too.
C:\WINDOWS\UQVNJPU.EXE
Click OPEN
You will be alerted that the file will be deleted and you must Restart your computer
DON'T choose to restart yet
Instead do the same procedure for this file
c:\windows\kryddmy.exe
Don't Restart your computer again
Instead, Do another scan with hijackthis and put a check next to these entries
O4 - HKCU\..\Run: [qlfplwh] c:\windows\kryddmy.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/21fcdeb487482a...ip/RdxIE601.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O19 - User stylesheet: (file missing)
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES to the prompt and exit Hijackthis
RESTART your computer
Once back in Windows, don't open a browser yet
instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page
Do a Disk Cleanup>>Start--Run--type in cleanmgr and hit Enter
Post back with a Fresh hijackthis log and let me know if you have any problems
Before you post back, I noticed that you're running AVG 6, possibly the free version?
The free version of AVG has been updated to AVG7
You may want to install this version..
They say you can upgrade, I prefer to do a clean install.
Here's what I do: enter your Virus vault and delete any files that were previously sent there with AVG6--If any
Download the newest version of AVG7
Here's a link:
http://free.grisoft.com/freeweb.php/doc/1/
Save the installer to desktop
Disconnect from the Internet: Right click the AVG icon by the system clock and stop AVG from running
Access your Task Manager(Ctrl+Alt+Del) and End task on these entries
AVGSERV9.EXE
AVGCC32.EXE
You can also shut them down with Hijackthis' Process manager
After they're shut down, access your Add/Remove Programs and uninstall AVG6
Restart your computer
Find and delete the default Install folder, probably located here
C:\Program Files\Grisoft <--this folder
Next: Install AVG 7 and Check for updates and run a full system scan.....
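A small triage script, added here as an example and not part of this thread or of HijackThis, that applies the reasoning guestolo used to log lines of this shape: it flags R0/R1 entries whose start or search page points at an untrusted host, O4 Run entries with a random-looking name or an unknown executable sitting directly in C:\WINDOWS (the hijacker's files changed names between the logs in this thread but always lived there), and leaves the O17 DNS entry and the O19 missing stylesheet for review. The trusted-host and known-executable lists are assumptions, and the sample log lines are constructed from the entries above.

```python
import ntpath
import re
from collections import namedtuple
from urllib.parse import urlparse

Finding = namedtuple("Finding", "code reason line")
# Assumed allowlists (not from the thread); a real deployment keeps its own.
TRUSTED_START_HOSTS = {"msn.com", "microsoft.com", "google.com"}
KNOWN_WINDIR_RUN_EXES = {"taskmon.exe", "scanregw.exe"}
R_RE = re.compile(r"^R[01] - .+? = (?P<value>.+)$")
O4_RE = re.compile(r"^O4 - \S+: \[(?P<name>[^\]]*)\] (?P<target>.+)$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)
# Constructed sample in the shape of the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKCU\..\Run: [qlfplwh] c:\windows\kryddmy.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 202.78.97.2,202.78.97.3
O19 - User stylesheet: (file missing)
"""

def untrusted_host(url):
    """Host of an IE start/search URL, or None if blank or allowlisted."""
    if not url.lower().startswith(("http://", "https://")):
        return None  # about:blank and similar are not a hijack
    host = (urlparse(url).hostname or "").lower().removeprefix("www.")
    if any(host == t or host.endswith("." + t) for t in TRUSTED_START_HOSTS):
        return None
    return host

def looks_random(name):
    """Names like 'qlfplwh' or 'kryddmy': lowercase letters, no vowels."""
    return name.isalpha() and name.islower() and not set(name) & set("aeiou")

def triage(log_text):
    """Return a Finding for each line a helper would ask to fix or review."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if m := R_RE.match(line):
            if host := untrusted_host(m["value"]):
                findings.append(Finding(line[:2], f"IE start/search page set to {host}", line))
        elif m := O4_RE.match(line):
            reasons = []
            if looks_random(m["name"]):
                reasons.append("random-looking entry name")
            if e := EXE_RE.match(m["target"]):
                folder, exe = ntpath.split(e["path"].lower())
                # Unknown exe directly in the Windows folder, not a subfolder.
                if folder == r"c:\windows" and exe not in KNOWN_WINDIR_RUN_EXES:
                    reasons.append(f"unknown executable in the Windows folder ({exe})")
            if reasons:
                findings.append(Finding("O4", "; ".join(reasons), line))
        elif line.startswith("O17 ") and "NameServer" in line:
            findings.append(Finding("O17", "DNS servers set in the registry; confirm they are your ISP's", line))
        elif line.startswith("O19 ") and "(file missing)" in line:
            findings.append(Finding("O19", "user stylesheet points at a missing file", line))
    return findings
```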