TheTechGuide Forum
General Category => Tech Clinic => Topic started by: dlo8 on January 15, 2005, 11:01:53 PM
-
I need help. My computer runs slow, and the Internet Explorer status bar is missing all the time (I think it's because of "cssearch", but I can't uninstall it).
Can anyone help me?
Logfile of HijackThis v1.99.0
Scan saved at 3:06:35 AM, on 1/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\documents and settings\fish\local settings\temp\UdoLX8.exe
C:\documents and settings\fish\local settings\temp\eNVzIb.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\documents and settings\fish\local settings\temp\E1K9H.exe
C:\documents and settings\fish\local settings\temp\l.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\documents and settings\fish\local settings\temp\UZinV1.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\Integrator.exe
C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert1.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\wisptis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert0.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Fish\Local Settings\Temp\nWgm6.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MyPointsPointAlert0] "C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert0.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [UdoLX8] C:\documents and settings\fish\local settings\temp\UdoLX8.exe
O4 - HKLM\..\Run: [eNVzIb] C:\documents and settings\fish\local settings\temp\eNVzIb.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [E1K9H] C:\documents and settings\fish\local settings\temp\E1K9H.exe
O4 - HKLM\..\Run: [l] C:\documents and settings\fish\local settings\temp\l.exe
O4 - HKLM\..\Run: [UZinV1] C:\documents and settings\fish\local settings\temp\UZinV1.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Pboqopy] C:\WINDOWS\system32\?|íchost.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O4 - Startup: Hare.lnk = C:\Program Files\Dachshund Software\Hare\Hare.exe
O4 - Startup: Zoom.lnk = C:\Program Files\Dachshund Software\Zoom\Zoom.exe
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: MyPoints - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Point Alert - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (HKCU)
O9 - Extra button: ToolbarCop - {A349A035-E26F-454b-ABB4-5208E50E1BE7} - C:\\ToolbarCop.exe (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: ToolbarCop - {A349A035-E26F-454b-ABB4-5208E50E1BE7} - C:\\ToolbarCop.exe (file missing) (HKCU)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart.com/photo/uploads/WebUploadClient.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StyleXPService - Unknown - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
-
Did you download Windows CleanUp! as I recommended from one of your posts?
Don't run it yet, I'm just checking
Did you download and install and update SpywareBlaster from that post?
Do it now if you haven't
Let me know the above info so I know which way to get you clean
SpywareBlaster just helps to prevent this kind of stuff
Here's a link to that post
http://www.thetechguide.com/forum/index.php?showtopic=12083&hl=
-
Did you uninstall Spybot?
You also mentioned you have Ad-Aware
Can you open it up and click on DETAILS
Let me know Reference No. and Internal Build
-
Hey, it's you again!
Now I am trying to clean up another computer of mine (my girlfriend's).
Yes, I do have SpywareBlaster installed,
and of course I also have Spybot 1.3.1.
By the way, thanks for the prior post; now I think my computer is running fine.
And here is the Spybot log for the second computer! (The HJT log is from the second computer, not the first.)
--- Search result list ---
ISearchTech.PowerScan: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\BandRest
Altnet: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Altnet
Altnet: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\ADM25.ADM25
Altnet: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\ADM4.ADM4
WildMedia: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{E8EAEB34-F7B5-4C55-87FF-720FAF53D841}
WildMedia: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\SearchHelp
WildMedia: Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E8EAEB34-F7B5-4C55-87FF-720FAF53D841}
--- Spybot - Search & Destroy version: 1.3 .1TX (build: 20040801) ---
2004-05-12 blindman.exe (1.0.0.0)
2004-08-30 SpybotSD.exe (1.3.0.12)
2004-05-12 TeaTimer.exe (1.3.0.12)
2004-06-15 unins000.exe (51.15.0.0)
2004-05-12 Update.exe (1.3.0.0)
2004-10-04 advcheck.dll (1.0.1.0)
2004-05-12 borlndmm.dll (7.0.4.453)
2004-05-12 delphimm.dll (7.0.4.453)
2004-05-12 Tools.dll (2.0.0.0)
2004-05-12 UnzDll.dll (1.73.1.1)
2004-05-12 ZipDll.dll (1.73.2.0)
2004-11-29 Includes\Cookies.sbi
2005-01-04 Includes\Dialer.sbi
2005-01-04 Includes\Hijackers.sbi
2004-12-29 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2005-01-04 Includes\Malware.sbi
2004-08-11 Includes\plugin-ignore.ini
2003-11-12 Includes\QA Tests.sbi
2004-11-29 Includes\Revision.sbi
2004-11-29 Includes\Security.sbi
2005-01-05 Includes\Spybots.sbi
2003-11-21 Includes\Temporary.sbi
2004-11-29 Includes\Tracks.uti
2005-01-04 Includes\Trojans.sbi
--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ DataAccess: Microsoft Data Access Components KB870669
/ DataAccess: Security update for Microsoft Data Access Components
/ DataAccess: Security Update for Microsoft Data Access Components
/ DirectX: DirectX Update 819696
/ DirectX / DX9 / SP1: DirectX 9 Hotfix - KB839643
/ Windows Media Player / SP0: Windows Media Player Hotfix [See wm828026 for more information]
/ Windows Media Player: Windows Media Update 817787
/ Windows Media Player: Windows Media Update 819639
/ Windows Media Player: Windows Media Update 828026
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Hotfix - KB834707
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB885884
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB890175
--- Startup entries list ---
Located: HK_LM:Run, ccApp
command: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
file: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
size: 66680
MD5: 371d2fa0dfeb9767b3cc7cae1ab21a5a
Located: HK_LM:Run, DwlClient
command: C:\Program Files\Common Files\Dell\EUSW\Support.exe
file: C:\Program Files\Common Files\Dell\EUSW\Support.exe
size: 245760
MD5: 58cd30203ddb67fad6a34aa624fa0141
Located: HK_LM:Run, E1K9H
command: C:\documents and settings\fish\local settings\temp\E1K9H.exe
file: C:\documents and settings\fish\local settings\temp\E1K9H.exe
size: 200770
MD5: 6b829bd4a420ba00794fe6f87cbfcd03
Located: HK_LM:Run, eNVzIb
command: C:\documents and settings\fish\local settings\temp\eNVzIb.exe
file: C:\documents and settings\fish\local settings\temp\eNVzIb.exe
size: 200908
MD5: cf1b6119a8d213702dbc6d754b85e81b
Located: HK_LM:Run, HotKeysCmds
command: C:\WINDOWS\System32\hkcmd.exe
file: C:\WINDOWS\System32\hkcmd.exe
size: 114688
MD5: 3a9978c5caec77771ff28eb7a3889639
Located: HK_LM:Run, hwlrwL
command: C:\windows\system32\hwlrwL.exe
file: C:\windows\system32\hwlrwL.exe
size: 233620
MD5: 837aff6886e55e5384e390bcaa6d0f9e
Located: HK_LM:Run, IgfxTray
command: C:\WINDOWS\System32\igfxtray.exe
file: C:\WINDOWS\System32\igfxtray.exe
size: 155648
MD5: 735486208c3a359cab624526e4467257
Located: HK_LM:Run, IMJPMIG8.1
command: "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
file: C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE
size: 208952
MD5: 7bbe4cf421aecc7f0226edd75f12079f
Located: HK_LM:Run, l
command: C:\documents and settings\fish\local settings\temp\l.exe
file: C:\documents and settings\fish\local settings\temp\l.exe
size: 172094
MD5: 1a0c22d0ef0785aed1030af41be32d83
Located: HK_LM:Run, MessengerPlus3
command: "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
file: C:\Program Files\Messenger Plus! 3\MsgPlus.exe
size: 169096
MD5: c39294d45e86155690266d05b2da6d77
Located: HK_LM:Run, mmtask
command: C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
file: C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
size: 53248
MD5: 6631470725d1c58a2b9c3ce1ce1929f9
Located: HK_LM:Run, MSPY2002
command: C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
file: C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe
size: 59392
MD5: 1b17e09c1223f6d17336d2dd7a1af4f4
Located: HK_LM:Run, MyPointsPointAlert0
command: "C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert0.exe"
file: C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert0.exe
size: 98304
MD5: a8e8e8d3507939c7b0626c67340f82ba
Located: HK_LM:Run, PHIME2002A
command: C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
file: C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE
size: 455168
MD5: 024dc0f68df5fd6ae9dd82dfbaf479d6
Located: HK_LM:Run, PHIME2002ASync
command: C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
file: C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE
size: 455168
MD5: 024dc0f68df5fd6ae9dd82dfbaf479d6
Located: HK_LM:Run, RVRgiIbY.exe
command: c:\windows\system32\RVRgiIbY.exe
file: c:\windows\system32\RVRgiIbY.exe
size: 176362
MD5: bb6b2e25a5506ea2a92ad583a5cf3313
Located: HK_LM:Run, TkBellExe
command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 180269
MD5: 3cf6bff887af6f733473d81a8921a5c5
Located: HK_LM:Run, UdoLX8
command: C:\documents and settings\fish\local settings\temp\UdoLX8.exe
file: C:\documents and settings\fish\local settings\temp\UdoLX8.exe
size: 233656
MD5: bf22b6762024ca12fee0eab52f43f3fa
Located: HK_LM:Run, UZinV1
command: C:\documents and settings\fish\local settings\temp\UZinV1.exe
file: C:\documents and settings\fish\local settings\temp\UZinV1.exe
size: 172146
MD5: 22a337dd85a7857258e203841863d24a
Located: HK_LM:Run, vptray
command: C:\PROGRA~1\SYMANT~1\VPTray.exe
file: C:\PROGRA~1\SYMANT~1\VPTray.exe
size: 124128
MD5: 5972a3384ebceaeb99f4216e77ebed59
Located: HK_CU:Run, ctfmon.exe
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996a38c0b0cf151c2140ae29fc8
Located: HK_CU:Run, MessengerPlus3
command: "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
file: C:\Program Files\Messenger Plus! 3\MsgPlus.exe
size: 169096
MD5: c39294d45e86155690266d05b2da6d77
Located: HK_CU:Run, msnmsgr
command: "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
file: C:\Program Files\MSN Messenger\msnmsgr.exe
size: 4849664
MD5: 9c588e9844ba27135f0c4147d1b38c07
Located: HK_CU:Run, STYLEXP
command: C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
Located: Startup (user), AntiCrash.lnk
command: C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
file: C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
size: 2301798
MD5: d650e0bb24c1c4d796fd2e88e8fdfeff
Located: Startup (user), Hare.lnk
command: C:\Program Files\Dachshund Software\Hare\Hare.exe
file: C:\Program Files\Dachshund Software\Hare\Hare.exe
size: 1874381
MD5: a4df641cda8a91a844b1f069ca2daf4c
Located: Startup (user), Zoom.lnk
command: C:\Program Files\Dachshund Software\Zoom\Zoom.exe
file: C:\Program Files\Dachshund Software\Zoom\Zoom.exe
size: 1446302
MD5: 46852612f2d80b11517055eb208a2f15
Located: WinLogon, crypt32chain
command: crypt32.dll
Located: WinLogon, cryptnet
command: cryptnet.dll
Located: WinLogon, cscdll
command: cscdll.dll
Located: WinLogon, igfxcui
command: igfxsrvc.dll
Located: WinLogon, NavLogon
command: C:\WINDOWS\system32\NavLogon.dll
file: C:\WINDOWS\system32\NavLogon.dll
size: 83176
MD5: 55dc54c87fa324a4cd32b3b407307671
Located: WinLogon, ScCertProp
command: wlnotify.dll
Located: WinLogon, Schedule
command: wlnotify.dll
Located: WinLogon, sclgntfy
command: sclgntfy.dll
Located: WinLogon, SensLogn
command: WlNotify.dll
Located: WinLogon, termsrv
command: wlnotify.dll
Located: WinLogon, wlballoon
command: wlnotify.dll
--- Browser helper object list ---
{E8EAEB34-F7B5-4C55-87FF-720FAF53D841} (Search Help)
BHO name: Search Help
CLSID name: CSearchHelpIEExtension Object
Path: C:\Documents and Settings\Fish\Local Settings\Temp\
Long name: 36UFp.dll
Short name:
Date (created): 1/14/2005 1:32:14 PM
Date (last access): 1/15/2005 8:50:58 PM
Date (last write): 1/14/2005 1:37:16 PM
Filesize: 119057
Attributes: archive
MD5: 2FFB83A22D7DBC19A1039E84DF51FD59
CRC32: 8E321627
Version: 0.1.0.0
--- ActiveX list ---
Yahoo! Pool 2 (Yahoo! Pool 2)
DPF name: Yahoo! Pool 2
CLSID name:
Yahoo! Spades (Yahoo! Spades)
DPF name: Yahoo! Spades
CLSID name:
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine)
DPF name:
CLSID name: Office Update Installation Engine
Path: C:\WINDOWS\
Long name: opuc.dll
Short name:
Date (created): 8/27/2003 3:10:30 AM
Date (last access): 1/15/2005 9:48:28 PM
Date (last write): 8/27/2003 3:10:30 AM
Filesize: 314368
Attributes: archive
MD5: 1E32EC4A8A17B19926B49EA5F6B79A76
CRC32: E98FC293
Version: 0.11.0.0
{4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class)
DPF name:
CLSID name: EPUImageControl Class
Path: C:\WINDOWS\Downloaded Program Files\
Long name: EPUWalcontrol.dll
Short name: EPUWAL~1.DLL
Date (created): 5/15/2004 2:14:18 PM
Date (last access): 1/15/2005 9:47:10 PM
Date (last write): 5/15/2004 2:14:18 PM
Filesize: 884736
Attributes: archive
MD5: ACBDA0F01F0A678AB5E6CC9080708C7D
CRC32: B21B099F
Version: 0.1.0.0
{D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class)
DPF name:
CLSID name: Uploader Class
Path: C:\WINDOWS\Downloaded Program Files\
Long name: WebUploadClient.dll
Short name: WEBUPL~1.DLL
Date (created): 10/25/2004 11:19:30 AM
Date (last access): 1/15/2005 9:47:10 PM
Date (last write): 10/25/2004 11:19:30 AM
Filesize: 3612672
Attributes: archive
MD5: 09A8259560E8342F8FB095399D3442F6
CRC32: 4A52C06A
Version: 0.2.0.0
{E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class)
DPF name:
CLSID name: EPSImageControl Class
Path: C:\WINDOWS\Downloaded Program Files\
Long name: EPScontrol.dll
Short name: EPSCON~1.DLL
Date (created): 1/12/2004 9:49:20 AM
Date (last access): 1/15/2005 9:47:10 PM
Date (last write): 1/12/2004 9:49:20 AM
Filesize: 885248
Attributes: archive
MD5: C69F7705F630B2204DBF13B1F30804AE
CRC32: 15BAE482
Version: 0.1.0.0
--- Process list ---
PID: 0 ( 0) [System]
PID: 4 ( 0) System
PID: 124 ( 700) C:\WINDOWS\System32\svchost.exe
PID: 160 ( 364) C:\documents and settings\fish\local settings\temp\E1K9H.exe
PID: 240 ( 364) C:\documents and settings\fish\local settings\temp\l.exe
PID: 312 ( 364) C:\documents and settings\fish\local settings\temp\UZinV1.exe
PID: 348 ( 364) C:\windows\system32\hwlrwL.exe
PID: 364 ( 328) C:\WINDOWS\Explorer.EXE
PID: 432 ( 700) C:\WINDOWS\system32\cisvc.exe
PID: 444 ( 700) C:\Program Files\Symantec AntiVirus\DefWatch.exe
PID: 460 ( 700) C:\Program Files\Executive Software\Diskeeper\DkService.exe
PID: 524 ( 700) C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
PID: 584 ( 4) \SystemRoot\System32\smss.exe
PID: 608 ( 700) C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PID: 632 ( 584) csrss.exe
PID: 656 ( 584) \??\C:\WINDOWS\system32\winlogon.exe
PID: 700 ( 656) C:\WINDOWS\system32\services.exe
PID: 712 ( 656) C:\WINDOWS\system32\lsass.exe
PID: 716 ( 364) C:\windows\system32\RVRgiIbY.exe
PID: 868 ( 700) C:\WINDOWS\system32\svchost.exe
PID: 912 ( 904) C:\WINDOWS\SYSTEM32\RVRgiIbY.exe
PID: 952 ( 700) svchost.exe
PID: 1048 ( 364) C:\Program Files\Internet Explorer\iexplore.exe
PID: 1064 ( 700) C:\WINDOWS\System32\svchost.exe
PID: 1092 ( 700) C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
PID: 1176 ( 700) svchost.exe
PID: 1248 ( 964) C:\Program Files\MSN Messenger\msnmsgr.exe
PID: 1264 ( 364) C:\WINDOWS\system32\ctfmon.exe
PID: 1296 ( 364) C:\WINDOWS\System32\hkcmd.exe
PID: 1316 ( 700) svchost.exe
PID: 1388 ( 700) C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PID: 1420 ( 364) C:\Program Files\Common Files\Dell\EUSW\Support.exe
PID: 1424 ( 700) wdfmgr.exe
PID: 1448 ( 700) C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PID: 1612 ( 364) C:\Program Files\Messenger Plus! 3\MsgPlus.exe
PID: 1648 ( 364) C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PID: 1656 ( 364) C:\PROGRA~1\SYMANT~1\VPTray.exe
PID: 1700 ( 364) C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
PID: 1720 ( 364) C:\documents and settings\fish\local settings\temp\UdoLX8.exe
PID: 1728 ( 364) C:\documents and settings\fish\local settings\temp\eNVzIb.exe
PID: 2024 ( 700) C:\WINDOWS\system32\spoolsv.exe
PID: 2096 (1676) C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PID: 2296 (1668) C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert1.exe
PID: 2308 ( 364) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
PID: 2348 (2296) C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert0.exe
PID: 2460 ( 700) alg.exe
PID: 2664 (1584) C:\WINDOWS\Integrator.exe
PID: 3064 ( 432) C:\WINDOWS\system32\cidaemon.exe
PID: 3192 ( 700) C:\WINDOWS\System32\svchost.exe
PID: 3956 ( 364) C:\Program Files\Windows Media Player\wmplayer.exe
Spybot - Search && Destroy process list report, 1/15/2005 9:50:39 PM
--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 1/15/2005 9:50:39 PM
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://home.microsoft.com/access/allinone.asp
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://home.microsoft.com/search/lobby/search.asp
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
about:blank
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.dellnet.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://home.microsoft.com/access/autosearch.asp?p=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.dellnet.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
--- Winsock Layered Service Provider list ---
Mostly, the most annoying one is that I can't remove the "CSearchHelpIEExtension Object" that I found with ToolbarCop, because I would remove it, but then the next time I restart, it would start up again as well and mess up my Internet Explorer.
And sometimes when I load a page on this computer, it takes me to some ad234.com, or something like that.
Hope this helps!
-
And do you think I can safely delete all of the files in my \Local Settings\Temp folder?
-
And do you think I can safely delete all of the files in my \Local Settings\Temp folder?
Yup.
Here's what I would do, dlo8.
First off
Download and install this small program
to help clean your temp folders, cookies, prefetch folder, etc.:
Windows Cleanup: http://www.antispyware.nextdesigns.net/installs/cleanup.php?type=exe
Install it for now but Don't run a scan yet
A great little utility to assist in cleaning those temp folders
You'll be surprised what a person can miss
After that is done
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Restart your computer into SAFE MODE: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039
Access the Add/remove Programs and remove if found
MidAdle
You may also want to remove
MyPoints
Find and delete these files or folders if they exist
C:\Program Files\MyPoints_PointAlert <--folder
Again in safe mode
Do another scan with Hijackthis and put a check next to these entries:
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Fish\Local Settings\Temp\nWgm6.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [MyPointsPointAlert0] "C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert0.exe" <--fix this line even if you decide not to remove it, it's not needed on startup
O4 - HKLM\..\Run: [UdoLX8] C:\documents and settings\fish\local settings\temp\UdoLX8.exe
O4 - HKLM\..\Run: [eNVzIb] C:\documents and settings\fish\local settings\temp\eNVzIb.exe
O4 - HKLM\..\Run: [E1K9H] C:\documents and settings\fish\local settings\temp\E1K9H.exe
O4 - HKLM\..\Run: [l] C:\documents and settings\fish\local settings\temp\l.exe
O4 - HKLM\..\Run: [UZinV1] C:\documents and settings\fish\local settings\temp\UZinV1.exe
O4 - HKCU\..\Run: [Pboqopy] C:\WINDOWS\system32\?|íchost.exe
O9 - Extra button: Point Alert - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (HKCU)
If you uninstalled Toolbarcop
Fix the next ones too
O9 - Extra button: ToolbarCop - {A349A035-E26F-454b-ABB4-5208E50E1BE7} - C:\\ToolbarCop.exe (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: ToolbarCop - {A349A035-E26F-454b-ABB4-5208E50E1BE7} - C:\\ToolbarCop.exe (file missing) (HKCU)
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis
In safe mode, open Windows CleanUp! and click the Cleanup button
Let it finish scanning for files, when it's done it will prompt you to log off
Simply Restart back to Normal Mode
NOTE: If you choose not to Install Cleanup you will have to manually delete All the temp folders contents, Cleanup makes this real easy
When Back in Windows
Download and install the free version of Ad-Aware SE Personal 1.05: http://www.lavasoftusa.com/support/download/
Ensure you have this version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All Objects" option or individually put a checkmark in each object's checkbox.
Click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button.
RESTART your computer back to finish the cleaning process
Post back with a Fresh Hijackthis log afterwards
Could you also
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
In Notepad click FILE>>SAVE AS
Change the Save as type as All files
Name the file as find.bat
Save it on the desktop
dir C:\WINDOWS\System32\?|íchost.exe /a > files.txt
notepad files.txt
Double click on find.bat
It will generate a txt file called files.txt
Post back the findings
If it was blank I don't need to see the output
But search in your System32 folder for a file close to the name
?|íchost.exe
You won't be able to see the ? mark, but look for something similar.
It may not exist
If it does
Right click on it and left click properties
Let me know file size and date created
svchost.exe is legitimate
Can you go to this site please
Give the link time to load
http://virusscan.jotti.dhs.org/
Use the Browse button at the top of that links page and navigate to this file
c:\windows\system32\RVRgiIbY.exe <--this file, notice the spelling
Right click on it and Select it
Use the Submit button on the site
Wait for the scan results and post them back here
Do the same for this file
C:\windows\system32\hwlrwL.exe
By the way, thanks for the Spybot log
I only need to see a fresh hijackthis log afterwards and the info from that Online Malware scan about those two files
and the files.txt log from find.bat
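As an added example (not from the original thread or from any of its participants), here is a small Python script that applies the same triage rules the reply above applies by hand to a HijackThis log: it parses the O2/O3/O4/O9 lines, pulls out the target file, and flags autoruns loaded from a Temp directory, entries whose file is missing, and targets whose file name contains characters that no legitimate Windows binary uses (the `?|íchost.exe` lookalike next to the real svchost.exe). The sample lines are copied from the first log in this thread; the rule names, function names and heuristics are my own and not part of HijackThis.

```python
"""Added example: triage a HijackThis log the way the reply above does by hand.

Rules (mine, not HijackThis's): an autorun or BHO loaded from a Temp
directory, an entry whose target file is missing, or a target whose file
name contains characters no legitimate Windows binary uses (non-ASCII,
control characters, or the ?|*<>" characters NTFS forbids, which a logger
prints in place of a character it cannot represent) gets flagged.
"""
import re

# Constructed sample: O-lines copied from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Fish\Local Settings\Temp\nWgm6.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UdoLX8] C:\documents and settings\fish\local settings\temp\UdoLX8.exe
O4 - HKLM\..\Run: [l] C:\documents and settings\fish\local settings\temp\l.exe
O4 - HKCU\..\Run: [Pboqopy] C:\WINDOWS\system32\?|íchost.exe
O9 - Extra button: ToolbarCop - {A349A035-E26F-454b-ABB4-5208E50E1BE7} - C:\\ToolbarCop.exe (file missing) (HKCU)
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
MISSING_RE = re.compile(r"\((?:no file|file missing)\)", re.IGNORECASE)
EXT_RE = re.compile(r"(.+?\.(?:exe|dll|com|scr|bat|cmd))(?:\s|$)", re.IGNORECASE)

REASON_TEMP = "loaded from a Temp directory"
REASON_MISSING = "target file missing"
REASON_NAME = "file name contains characters no legitimate binary uses"


def target_of_command(cmd):
    """Extract the program path from a Run command, quoted or not, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXT_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def suspicious_name(path):
    """True if the file-name part of path has non-ASCII, control, or NTFS-forbidden characters."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return any(ord(c) < 32 or ord(c) > 126 or c in '?|*<>"' for c in name)


def flag_line(line):
    """Return the reasons this HijackThis line deserves a fix (empty if it looks benign)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    otype, rest = m.groups()
    reasons = []
    if MISSING_RE.search(rest):
        reasons.append(REASON_MISSING)
    if otype == "O4":
        run = RUN_RE.match(rest)
        target = target_of_command(run.group("cmd")) if run else rest
    else:
        # O2/O3/O9 lines end with " - <path>", possibly followed by "(no file)" or "(HKCU)".
        target = rest.rsplit(" - ", 1)[-1]
        target = MISSING_RE.sub("", target).replace("(HKCU)", "").strip()
    if TEMP_DIR_RE.search(target):
        reasons.append(REASON_TEMP)
    if suspicious_name(target):
        reasons.append(REASON_NAME)
    return reasons


def triage(log_text):
    """Map each flagged log line to its reasons, in log order."""
    findings = {}
    for line in log_text.splitlines():
        reasons = flag_line(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(f"FIX: {line}\n     -> {', '.join(reasons)}")
```

Run against the sample, it flags the six entries the reply above tells the poster to fix and leaves the Adobe, Symantec and RealPlayer autoruns alone. The Temp-directory rule matches any `\temp\` path component, not only the `\Local Settings\Temp\` path seen in this log, so it also catches droppers staged under `C:\Temp`; anything it flags still needs a human look before it is removed.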
-
For C:\windows\system32\hwlrwL.exe:
Service load: 0% 100%
File: hwlrwL.exe
Status: INFECTED/MALWARE
Packers detected: None
AntiVir TR/Dldr.BlaBlockz.1 (0.15 seconds taken)
Avast No viruses found (1.51 seconds taken)
BitDefender No viruses found (0.34 seconds taken)
ClamAV No viruses found (0.46 seconds taken)
Dr.Web Trojan.StatBlasterAd (0.53 seconds taken)
F-Prot Antivirus No viruses found (0.08 seconds taken)
Kaspersky Anti-Virus No viruses found (0.66 seconds taken)
mks_vir No viruses found (0.22 seconds taken)
NOD32 No viruses found (0.40 seconds taken)
Norman Virus Control No viruses found (1.05 seconds taken)
(So how can I clean it now?)
For c:\windows\system32\RVRgiIbY.exe:
I couldn't find the file, so I did a system search for that file and I got "C:\WINDOWS\Prefetch\RVRGIIBY.EXE-0251740E.pf", but no actual exe file. So what should I do now?
files.txt returns nothing.
Logfile of HijackThis v1.99.0
Scan saved at 5:49:42 PM, on 1/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert0.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\windows\system32\RVRgiIbY.exe
C:\windows\system32\hwlrwL.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\RVRgiIbY.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\Integrator.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert1.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\SYSTEM32\mmc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Executive Software\Diskeeper\DfrgNTFS.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MyPointsPointAlert0] "C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert0.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RVRgiIbY.exe] c:\windows\system32\RVRgiIbY.exe
O4 - HKLM\..\Run: [hwlrwL] C:\windows\system32\hwlrwL.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O4 - Startup: Hare.lnk = C:\Program Files\Dachshund Software\Hare\Hare.exe
O4 - Startup: Zoom.lnk = C:\Program Files\Dachshund Software\Zoom\Zoom.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: MyPoints - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Point Alert - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (HKCU)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart.com/photo/uploads/WebUploadClient.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StyleXPService - Unknown - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TuneUp WinStyler Theme Service - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
that's all for now.. see what you got!
-
Open Hijackthis>>Open the Misc tools section
Open the Process Manager and kill these processes if still running
C:\windows\system32\RVRgiIbY.exe
C:\windows\system32\hwlrwL.exe
C:\WINDOWS\SYSTEM32\RVRgiIbY.exe <--both occurrences
NEXT: Back in Hijackthis' Misc Tools section
Click the Delete file on Reboot button
Copy and paste the whole Path of file to delete in bold into the File Name field
C:\windows\system32\hwlrwL.exe
Click the Open button, Hijackthis may prompt you that you need to Restart your computer
DON'T at this time
Instead use Delete file on Reboot for this full path of the file name too
C:\windows\system32\RVRgiIbY.exe
Again, don't allow it to restart yet
Instead
Do another scan with Hijackthis and put a check next to these entries:
O4 - HKLM\..\Run: [RVRgiIbY.exe] c:\windows\system32\RVRgiIbY.exe
O4 - HKLM\..\Run: [hwlrwL] C:\windows\system32\hwlrwL.exe
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis
This file is in your Prefetch folder
RVRGIIBY.EXE-0251740E.pf
Windows CleanUp! should take care of it for you
Again, open CleanUp and click the Cleanup button
Allow it to scan for files, when it's done and it prompts you to log off, Don't
Instead
RESTART your Computer
Post back with a fresh hijackthis log
Are you choosing to hold onto MyPoints_PointAlert?
Also make sure that these files are gone
C:\WINDOWS\Prefetch\RVRGIIBY.EXE
C:\windows\system32\RVRgiIbY.exe
C:\windows\system32\hwlrwL.exe
Make sure you are showing hidden files and folders
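The two checks the helper has been running by hand in this thread (looking in System32 for a file whose name imitates svchost.exe with an odd character, and picking out autostart entries that point at random-named executables in System32 or a user's temp folder) can be automated over a HijackThis log. The script below is an added example for this thread, not HijackThis code or anything the helper posted; the KNOWN_SYSTEM32 allowlist and the sample log it runs on are constructed assumptions, with the filenames taken from the logs above.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code).

Flags three things on "Running processes" and O4 Run lines:
  * a filename that imitates a core Windows binary once odd/non-ASCII
    characters are folded away (the "?|ichost.exe" look-alike check),
  * an executable started from a user's Local Settings\Temp folder,
  * an executable in system32 that is not on a small known-good baseline.
The baseline and the sample log are constructed assumptions.
"""
import re
import unicodedata

# Assumption: small baseline of executables expected in system32 on this box.
KNOWN_SYSTEM32 = {"svchost.exe", "ctfmon.exe", "igfxtray.exe", "hkcmd.exe",
                  "smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                  "spoolsv.exe", "cisvc.exe", "cidaemon.exe", "wuauclt.exe"}
# Core binaries whose names malware commonly imitates.
CORE_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                 "services.exe", "smss.exe", "explorer.exe"}

PATH_RE = re.compile(r"[a-z]:\\[^\"\n]*?\.exe", re.IGNORECASE)   # first .exe path on a line
TEMP_RE = re.compile(r"\\local settings\\temp\\", re.IGNORECASE)
SYS32_RE = re.compile(r"\\windows\\system32\\[^\\]+$", re.IGNORECASE)
PROC_RE = re.compile(r"[a-z]:\\", re.IGNORECASE)                  # "Running processes" lines


def levenshtein(a, b):
    """Plain edit distance; filenames are short so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_name(name):
    """Fold accents and drop everything that is not an ASCII letter, digit or dot,
    so 'sv|ch\u00f3st.exe' collapses to 'svchost.exe' for comparison."""
    folded = unicodedata.normalize("NFKD", name)
    return "".join(c for c in folded if c.isascii() and (c.isalnum() or c == ".")).lower()


def lookalike_of(name):
    """Return the core binary this filename imitates, or None for an exact
    (legitimate) name or a name that is simply unrelated."""
    if name.lower() in CORE_BINARIES:
        return None
    norm = normalize_name(name)
    close = [c for c in CORE_BINARIES if levenshtein(norm, c) <= 2]
    return min(close, key=lambda c: levenshtein(norm, c)) if close else None


def triage(log_text):
    """Return a list of (severity, reason, line) for suspicious log lines."""
    findings = []
    for line in log_text.splitlines():
        stripped = line.strip()
        if not (PROC_RE.match(stripped) or stripped.startswith("O4 - ")):
            continue
        m = PATH_RE.search(stripped)
        if not m:
            continue
        path = m.group(0)
        base = path.rsplit("\\", 1)[-1]
        core = lookalike_of(base)
        if core:
            findings.append(("high", f"filename imitates {core}", stripped))
        elif TEMP_RE.search(path):
            findings.append(("high", "executable started from a temp folder", stripped))
        elif SYS32_RE.search(path) and base.lower() not in KNOWN_SYSTEM32:
            findings.append(("review", "unknown executable in system32", stripped))
    return findings


# Constructed sample log; names mirror the entries discussed in this thread.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\System32\\?|\u00edchost.exe
C:\\documents and settings\\user\\local settings\\temp\\UdoLX8.exe
C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKLM\\..\\Run: [IgfxTray] C:\\WINDOWS\\System32\\igfxtray.exe
O4 - HKLM\\..\\Run: [RVRgiIbY.exe] c:\\windows\\system32\\RVRgiIbY.exe
O4 - HKLM\\..\\Run: [hwlrwL] C:\\windows\\system32\\hwlrwL.exe
O4 - HKLM\\..\\Run: [TkBellExe] "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe" -osboot
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}: {line}")
```

The look-alike check deliberately compares the folded name against a short list rather than the whole allowlist, because a 2-edit threshold against hundreds of names would produce false matches (lsass.exe and csrss.exe are themselves within two edits of each other, which is why exact core names are excused before the distance test). The system32 baseline is the weak part of any such script: an unknown file there is a "go and look at it" finding, as the helper does with file size and creation date, not proof of infection.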
-
Here you go!
After all..... I removed MyPoints....
Logfile of HijackThis v1.99.0
Scan saved at 8:29:59 PM, on 1/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (file missing) (HKCU)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart.com/photo/uploads/WebUploadClient.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StyleXPService - Unknown - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TuneUp WinStyler Theme Service - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
Hope this is clean now! Please check carefully!
-
Looks good, how's everything?
If everything is running smooth now you should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
Here's a link, just in case you're unsure how to
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
Before you Restart the computer
Do another scan with Hijackthis and put a check next to these entries:
O9 - Extra button: (no name) - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (file missing) (HKCU)
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis
Restart your computer
Remember to re-enable system restore when you're back in Windows
Find and delete this folder if it exists
C:\Program Files\MyPoints_PointAlert <--folder
You should set up extra protection against future attacks
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
Tutorial: http://www.bleepingcomputer.com/forums/index.php?showtutorial=53
Download link: https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
Scroll down and click on IE-SPYAD.EXE Free! or IE-SPYAD2.EXE Free!
Regular IE-Spyad for the individual user or IE-Spyad 2 for global protection (all users) on your computer
You only need one or the other
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
-
Alright.. I guess everything is better now!
Thanks bud!
-
Glad to help out
Stay safe
:D