TheTechGuide Forum
General Category => Tech Clinic => Topic started by: liptonite on March 03, 2005, 09:25:21 AM
-
I have several problems... 1st, my start page keeps going back to Daosearch.com and I have on average a popup from IE about once every 3 seconds.
2nd, an error message that says Error hooking "connect" data, then has a bunch of numbers and letters after it. Sometimes my whole screen has this message multiple times and the whole screen is covered with like 100 error messages.
I have McAfee from Email Removed I have Ad-Aware and Spybot and SpySubtract. McAfee found 22 new viruses (mostly downloaders and exploits) since yesterday's scan.
I spend all my time running scans and clicking off popups... can't enjoy computer. Was up all night trying to get help. Somebody please feel for me. LOL
By the way, I know next to nothing about computers.
-
Can you Download Hijackthis 1.99.1
A small utility to help identify if any Hijackers, Malware, Spyware, etc. reside on your computer
Important: Create a Permanent folder for Hijackthis
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT
Now you will have C:\HJT
Download Hijackthis from CLICK HERE (https://ssl.perfora.net/tools.radiosplace.com/HijackThis.exe) or CLICK HERE (http://aumha.org/downloads/hijackthis.exe)
Save it to that new folder
Do a SCAN and Save a Log file---Save the log----copy and paste the WHOLE contents of the log here... Don't try and fix anything yet----It is all important
-
Logfile of HijackThis v1.99.1
Scan saved at 1:38:22 AM, on 3/4/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\e0j8pw6k\e0j8pw6k.exe
C:\WINDOWS\System32\Services\{09FAB745-06F7-4489-9964-62476ED2A383}\SVCHOST.EXE
C:\WINDOWS\System32\ntddetect.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system\pijqcwsovj.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\sysmonnt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\PROGRA~1\COMMON~1\AOL\110906~1\EE\AOLHOS~1.EXE
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\COMMON~1\AOL\110906~1\EE\AOLServiceHost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\e0j8pw6k\e0j8pw6k1\e0j8pw6k1.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\iestopen.exe
C:\WINDOWS\System32\iedctfrm.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\America Online 9.0\wEmail Removedexe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daosearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Jamie\LOCALS~1\Temp\se.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper101.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
O2 - BHO: (no name) - {161DA101-8123-45C1-AAE4-7ADEB01E15D4} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\System32\rsyncmon.dll
O2 - BHO: (no name) - {1DACC2C2-4FEE-4338-84B4-54AA14887325} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: SDWin32 Class - {2130EEE8-BAC6-4368-B896-9366D4EFFE50} - C:\WINDOWS\System32\evefz.dll
O2 - BHO: (no name) - {214B8E3A-5723-45F0-87D1-B5C8B3EB6270} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINDOWS\System32\AUNBHO.dll
O2 - BHO: SDWin32 Class - {5E628A36-6418-42F7-89CA-4D78ED339511} - C:\WINDOWS\System32\gbofd.dll
O2 - BHO: (no name) - {61D42E9C-C45B-4D18-9B21-C66703369E49} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {6FA09E69-83C1-431C-A62A-3A40832FE237} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {6FFD7092-A7A9-469F-9AE8-6DE9776526BF} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {70A2742F-C332-40F8-84B5-3B99B8095F59} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {9F0C8B3A-89F7-4502-BDFF-1C2698DF0260} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {BC990AC2-6D29-4CF2-970E-F1191D9E9591} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {CBAB2061-0040-481F-AAAA-A49BA9B8004C} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {CCAB71F2-5F14-4668-A099-71A86EDAC5A5} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {D5017D4A-9852-4378-9441-57A08809AF69} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {D65D83BA-A249-43CD-8570-6EA57D56C312} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {ECBBFD71-AED6-45F6-8A7B-EB7132C3EFE5} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O2 - BHO: (no name) - {F16A5A17-15EE-4C70-B1A0-B36939AB4EFE} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {F1AADC4F-D3C9-44C4-A3C4-FD3350D08706} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {FB28486E-4CEB-4641-BE8B-B490946D158D} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1109067120\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [crulfxn] c:\windows\system32\crulfxn.exe
O4 - HKLM\..\Run: [evefzc] C:\WINDOWS\System32\evefzc.exe
O4 - HKLM\..\Run: [e0j8pw6k] C:\Program Files\e0j8pw6k\e0j8pw6k.exe
O4 - HKLM\..\Run: [gbofdc] C:\WINDOWS\System32\gbofdc.exe
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\System32\netsync.exe
O4 - HKLM\..\Run: [lengh] C:\WINDOWS\lengh.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{09FAB745-06F7-4489-9964-62476ED2A383}\SVCHOST.EXE
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Jamie\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [r3tQ3sP] iedctfrm.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [a024Rij7R] iestopen.exe
O4 - HKCU\..\Run: [ptech] C:\WINDOWS\System32\ptech.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\Email RemovedEXE" -b
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\HP Instant Support DI\bin\matcli.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.Email Removed/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.Email Removed/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.Email Removed/help/engine/aolcinst.cab
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0029.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{67D84CB9-0D1E-44E4-85E6-92AC18B61FA4}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{67D84CB9-0D1E-44E4-85E6-92AC18B61FA4}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
Thank you in advance!
-
Sorry for the delay
Let's try some cleanup
Download the Pocket Killbox (http://www.downloads.subratam.org/KillBox.zip)
UNZIP it to a folder of your choice
Save the rest of these instructions to a Notepad file and leave it open on the desktop
Disconnect from the Internet
With just these instructions open
Open Hijackthis>>Open Misc tools section>>Open Process Manager
Kill these processes if still running
C:\Program Files\e0j8pw6k\e0j8pw6k.exe
C:\WINDOWS\System32\Services\{09FAB745-06F7-4489-9964-62476ED2A383}\SVCHOST.EXE
C:\WINDOWS\System32\ntddetect.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system\pijqcwsovj.exe
C:\WINDOWS\System32\sysmonnt.exe
C:\Program Files\e0j8pw6k\e0j8pw6k1\e0j8pw6k1.exe
C:\WINDOWS\System32\iestopen.exe
C:\WINDOWS\System32\iedctfrm.exe
C:\Program Files\CxtPls\CxtPls.exe
Do another scan with Hijackthis and put a check next to these entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daosearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Jamie\LOCALS~1\Temp\se.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINDOWS\Helper101.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
O2 - BHO: (no name) - {161DA101-8123-45C1-AAE4-7ADEB01E15D4} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\System32\rsyncmon.dll
O2 - BHO: (no name) - {1DACC2C2-4FEE-4338-84B4-54AA14887325} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: SDWin32 Class - {2130EEE8-BAC6-4368-B896-9366D4EFFE50} - C:\WINDOWS\System32\evefz.dll
O2 - BHO: (no name) - {214B8E3A-5723-45F0-87D1-B5C8B3EB6270} - C:\Program Files\e0j8pw6k\e0j8pw6k.d
O2 - BHO: CAUN Object - {59F12660-2B92-4554-98F9-87295AD8A0CE} - C:\WINDOWS\System32\AUNBHO.dll
O2 - BHO: SDWin32 Class - {5E628A36-6418-42F7-89CA-4D78ED339511} - C:\WINDOWS\System32\gbofd.dll
O2 - BHO: (no name) - {61D42E9C-C45B-4D18-9B21-C66703369E49} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {6FA09E69-83C1-431C-A62A-3A40832FE237} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {6FFD7092-A7A9-469F-9AE8-6DE9776526BF} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {70A2742F-C332-40F8-84B5-3B99B8095F59} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {9F0C8B3A-89F7-4502-BDFF-1C2698DF0260} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {BC990AC2-6D29-4CF2-970E-F1191D9E9591} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {CBAB2061-0040-481F-AAAA-A49BA9B8004C} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {CCAB71F2-5F14-4668-A099-71A86EDAC5A5} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {D5017D4A-9852-4378-9441-57A08809AF69} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {D65D83BA-A249-43CD-8570-6EA57D56C312} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {ECBBFD71-AED6-45F6-8A7B-EB7132C3EFE5} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O2 - BHO: (no name) - {F16A5A17-15EE-4C70-B1A0-B36939AB4EFE} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {F1AADC4F-D3C9-44C4-A3C4-FD3350D08706} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O2 - BHO: (no name) - {FB28486E-4CEB-4641-BE8B-B490946D158D} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll
O4 - HKLM\..\Run: [crulfxn] c:\windows\system32\crulfxn.exe
O4 - HKLM\..\Run: [evefzc] C:\WINDOWS\System32\evefzc.exe
O4 - HKLM\..\Run: [e0j8pw6k] C:\Program Files\e0j8pw6k\e0j8pw6k.exe
O4 - HKLM\..\Run: [gbofdc] C:\WINDOWS\System32\gbofdc.exe
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\System32\netsync.exe
O4 - HKLM\..\Run: [lengh] C:\WINDOWS\lengh.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{09FAB745-06F7-4489-9964-62476ED2A383}\SVCHOST.EXE
O4 - HKLM\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Jamie\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKLM\..\Run: [r3tQ3sP] iedctfrm.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [a024Rij7R] iestopen.exe
O4 - HKCU\..\Run: [ptech] C:\WINDOWS\System32\ptech.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0029.exe
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Run Pocket KillBox
click on Tools --> Select Delete Temp Files. Click OK.
In Killbox
At the main screen of Pocket Killbox, select the option: Replace on Reboot
Also tick Use Dummy
In the Full Path of File to Delete box, copy and paste this entry:
C:\WINDOWS\System32\Services\{09FAB745-06F7-4489-9964-62476ED2A383}\SVCHOST.EXE
Press the button with a red circle and a white X
Click Yes to Replace
When asked if you would like to Reboot, select No.
Additionally, for any .dll file, select the "Unregister .dll before deleting" selection
Do the same for all these:
c:\windows\system32\crulfxn.exe
C:\WINDOWS\System32\evefzc.exe
C:\Program Files\e0j8pw6k\e0j8pw6k.exe
C:\WINDOWS\System32\gbofdc.exe
C:\WINDOWS\System32\netsync.exe
C:\WINDOWS\lengh.exe
C:\WINDOWS\System32\ntddetect.exe
C:\WINDOWS\System32\iestopen.exe
C:\WINDOWS\System32\iedctfrm.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\e0j8pw6k\e0j8pw6k.dll
C:\WINDOWS\cerbmod.dll
C:\WINDOWS\Helper101.dll
C:\WINDOWS\System32\AUNBHO.dll
C:\WINDOWS\System32\gbofd.dll
C:\WINDOWS\System32\evefz.dll
Finally, in Full Path of File to Delete, copy and paste the following:
C:\DOCUME~1\Jamie\LOCALS~1\Temp\se.dll
Press the button with a red circle and a white X.
When asked to Reboot, select Yes!!
Restart your computer even if not prompted
When restarting please try and Restart your computer into safe mode
You can do this by tapping the F8 key as the system is booting up
In safe mode
Find and delete these folders if found
C:\Program Files\e0j8pw6k <--folder
C:\WINDOWS\System32\Services\{09FAB745-06F7-4489-9964-62476ED2A383}\SVCHOST.EXE
C:\Program Files\CxtPls
Go to Control Panel > Display.
Click on the "Desktop" tab then click the "Customize Desktop" button.
Click on the "Web" tab.
Uncheck everything
Restart back to Normal mode
When back in Windows, ignore any error messages if received
Go back and do another scan with Hijackthis and fix this entry if found
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Jamie\LOCALS~1\Temp\se.dll,DllInstall
Restart the computer again
Back in Windows
Download and Install the free version of Ad-Aware SE Personal 1.05 (http://www.lavasoftusa.com/support/download/)
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
Click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer to finish the cleaning process
When the above has been completed, post back with a Fresh Hijackthis log
-
I had a couple problems while doing the things you told me.
1. I couldn't find the C:\programfiles\cxtpls after restarting in safe mode....I did find a file called cxtpls_loader in Windows\System32\cache but I left it alone.
2. After I restarted in normal mode and did highjack scan...I could not see the 04 HKLM:run:sp rundll .... in the list. Anyways my computer is at least running a little better and I am so thankful for your help so far.
Here is the latest highjack file:
Logfile of HijackThis v1.99.1
Scan saved at 7:09:41 AM, on 3/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\Cache\cxtpls_loader.exe
C:\WINDOWS\system\pijqcwsovj.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\America Online 9.0\wEmail Removedexe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\PROGRA~1\COMMON~1\AOL\110906~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\HEWLET~1\HPINST~1\common\MOTIVE~1.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\COMMON~1\AOL\110906~1\EE\AOLServiceHost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\WINDOWS\System32\wpabaln.exe
C:\hjt\HijackThis.exe
O2 - BHO: (no name) - {018FA0F5-A1F1-44FF-8E72-FBACEFFCBBF6} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {0A3F5242-3AA8-45D4-AD9C-EE1234606B9B} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {52677A1B-99AE-47FA-9E07-4C861D593793} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {78E2A86A-9E25-4DA0-AB08-CAB87445D6AD} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {8C830D87-E0D2-4317-B525-F3A5D9082BB9} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {8C8DD051-CFD2-4176-AF97-F4735CE80576} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {8E297348-C6E9-4A72-9F53-1B742E93ACFF} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {98DE1DC3-47FB-4E39-B725-702A9A6377EA} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {A3B8472C-3A26-4DC7-88B5-E6D43A8821F3} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {A608561D-C42E-457E-9CD6-29E3FE983EAF} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {E5A10F8A-F508-4D90-8CEB-BB34653E7762} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {F67FC7D3-52B4-496C-A930-7E405768A260} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {FCAECA6F-9AB8-4BD5-9974-CD3D8A6EEF8D} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1109067120\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\Email RemovedEXE" -b
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\HP Instant Support DI\bin\matcli.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.Email Removed/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.Email Removed/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.Email Removed/help/engine/aolcinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{67D84CB9-0D1E-44E4-85E6-92AC18B61FA4}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{67D84CB9-0D1E-44E4-85E6-92AC18B61FA4}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
-
Let's try this again,
Save the rest of these instructions to a Notepad file and leave it open on the desktop
Disconnect from the Internet
With just these instructions open
Open Hijackthis>>Open Misc tools section>>Open Process Manager
Kill these processes if still running
C:\WINDOWS\system32\Cache\cxtpls_loader.exe
C:\WINDOWS\system\pijqcwsovj.exe
Do another scan with Hijackthis and put a check next to these entries:
O2 - BHO: (no name) - {018FA0F5-A1F1-44FF-8E72-FBACEFFCBBF6} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {0A3F5242-3AA8-45D4-AD9C-EE1234606B9B} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {52677A1B-99AE-47FA-9E07-4C861D593793} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {78E2A86A-9E25-4DA0-AB08-CAB87445D6AD} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {8C830D87-E0D2-4317-B525-F3A5D9082BB9} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {8C8DD051-CFD2-4176-AF97-F4735CE80576} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {8E297348-C6E9-4A72-9F53-1B742E93ACFF} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {98DE1DC3-47FB-4E39-B725-702A9A6377EA} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {A3B8472C-3A26-4DC7-88B5-E6D43A8821F3} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {A608561D-C42E-457E-9CD6-29E3FE983EAF} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {E5A10F8A-F508-4D90-8CEB-BB34653E7762} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {F67FC7D3-52B4-496C-A930-7E405768A260} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
O2 - BHO: (no name) - {FCAECA6F-9AB8-4BD5-9974-CD3D8A6EEF8D} - C:\Program Files\e0j8pw6k\e0j8pw6k.dll (file missing)
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Run Pocket KillBox
click on Tools --> Select Delete Temp Files. Click OK.
In Killbox
At the main screen of Pocket Killbox, select the option: Replace on Reboot
Also tick Use Dummy
In the Full Path of File to Delete box, copy and paste this entry:
C:\WINDOWS\system32\Cache\cxtpls_loader.exe
Press the button with a red circle and a white X
Click Yes to Replace
When asked if you would like to Reboot, select No.
Do the same for this file
C:\WINDOWS\system\pijqcwsovj.exe
Press the button with a red circle and a white X.
When asked to Reboot, select Yes!!
Restart your computer even if not prompted
Restart into safe mode
Could you navigate to this folder please
C:\WINDOWS\System32\Services\{09FAB745-06F7-4489-9964-62476ED2A383}
Open it and if you see svchost.dll can you remove it
Let me know later what else you see in this subfolder
{09FAB745-06F7-4489-9964-62476ED2A383}
Also make sure these 2 files are gone
C:\WINDOWS\system32\Cache\cxtpls_loader.exe
C:\WINDOWS\system\pijqcwsovj.exe
and this folder
C:\Program Files\e0j8pw6k
Restart back to Normal mode
Post back a fresh hijackthis log
Let me also know what else you see in this folder
C:\WINDOWS\system32\Cache
-
Windows\system32\services{09FAB745-06F7-4489-996462476EDZA383} Not Found
Only one subfolder in Services. It was 434AA898-D5EF-46DC-B2FO-C8DA3C008F97. There was a svchost and svchost.dll in that folder but I did not delete because it was not in the folder you named.
cxtpls_loader.exe..Not Found
eoj8pw6k Not Found
pijqcwsovj...Not Found
Files in Windows\system32\cache
20001
Blazevcm7
desktrf-fran-162813
mswinstall
setup66
tvmk14
adl_dh(main MFC Application)
CSv13P108
InstallAPS
pounder(system monitor for Win9...Microsoft Inc)
smartdownload
webrebate_auto_installsilent
AUNIcons
mstub-pal_nmw_a353_r15950
roxydownloader(DL Helper module)
thin-8-1-x-x(www.abetterinternet.com_UT...Better Internet, INC)
wrapperouter
Logfile of HijackThis v1.99.1
Scan saved at 6:30:38 PM, on 3/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\System32\mcidet~1.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\tftgrcoi.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\America Online 9.0\wEmail Removedexe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\COMMON~1\AOL\110906~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\HEWLET~1\HPINST~1\common\MOTIVE~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110906~1\EE\AOLServiceHost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\hjt\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1109067120\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [r3tQ3sP] mcidet~1.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\Email RemovedEXE" -b
O4 - HKCU\..\Run: [a024Rij7R] tftgrcoi.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\HP Instant Support DI\bin\matcli.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.Email Removed/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.Email Removed/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.Email Removed/help/engine/aolcinst.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
-
Reboot back into Safe mode
Delete these subfolders
Windows\system32\services\434AA898-D5EF-46DC-B2FO-C8DA3C008F97
and this one
Windows\system32\cache
and these files
C:\WINDOWS\System32\mcidet~1.exe
C:\WINDOWS\System32\tftgrcoi.exe
In safe mode
Do another scan with Hijackthis and put a check next to these entries:
O4 - HKLM\..\Run: [r3tQ3sP] mcidet~1.exe
O4 - HKCU\..\Run: [a024Rij7R] tftgrcoi.exe
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Restart back to Normal mode and post back a fresh log
Could you also let me know what else you see in this subfolder
Windows\system32\services
-
There are no subfolders left in Windows\system32\Services
I've had to run Ad-aware, spybot and spysubtract about 3 times today because of something called PeopleOn Page. As soon as I take it off it comes back but I sent it to the blacklist file now so we'll see what happens. Haven't had any popups though :)
Logfile of HijackThis v1.99.1
Scan saved at 4:43:19 AM, on 3/6/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\cmcga11n.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\usrbkend.exe
C:\Program Files\America Online 9.0\wEmail Removedexe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\COMMON~1\AOL\110906~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110906~1\EE\AOLServiceHost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\hjt\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1109067120\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [r3tQ3sP] cmcga11n.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\Email RemovedEXE" -b
O4 - HKCU\..\Run: [a024Rij7R] usrbkend.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\HP Instant Support DI\bin\matcli.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.Email Removed/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.Email Removed/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.Email Removed/help/engine/aolcinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{67D84CB9-0D1E-44E4-85E6-92AC18B61FA4}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{67D84CB9-0D1E-44E4-85E6-92AC18B61FA4}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
-
Let's try again
Open Ad-Aware and ensure to check for updates
First access your Add/Remove programs and remove if found
POP if found
Save this to a Notepad file on the desktop
Open Hijackthis>>Open Misc tools section>>Open Process Manager
Kill these processes if still running
C:\WINDOWS\System32\usrbkend.exe
C:\WINDOWS\System32\cmcga11n.exe
Do another scan with Hijackthis and put a check next to these entries:
O4 - HKLM\..\Run: [r3tQ3sP] cmcga11n.exe
O4 - HKCU\..\Run: [a024Rij7R] usrbkend.exe
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Run Pocket KillBox
click on Tools --> Select Delete Temp Files. Click OK.
In Killbox
At the main screen of Pocket Killbox, select the option: Replace on Reboot
Also tick Use Dummy
In the Full Path of File to Delete box, copy and paste this entry:
C:\WINDOWS\System32\usrbkend.exe
Press the button with a red circle and a white X
Click Yes to Replace
When asked if you would like to Reboot, select No.
Finally, in Full Path of File to Delete, copy and paste the following:
C:\WINDOWS\System32\cmcga11n.exe
Press the button with a red circle and a white X.
When asked to Reboot, select Yes!!
Restart your computer even if not prompted
Restart into Safe mode
Open Ad-Aware
Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
Click the SHOW LOGFILE button
Right click and click the SAVE option
Name the file and save it on your desktop
Click the Critical Objects tab
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer back to Normal mode
Post back with a Fresh Hijackthis log
Could you also open the Saved Ad-Aware log that you saved to your desktop
Copy and paste back the contents too, thanks
Come back here and post a fresh Hijackthis log
-
The items you told me to look for are not there but there are some like it. 04 HKLM...[r3TQ3SP]scccedit.exe
04HKLM....{ao24Rij7R]fincm.exe
Do you want me to follow instructions using these instead of the other ones? I appreciate your help
-
If you have restarted your computer I'll have to see a new Hijackthis log
-
Logfile of HijackThis v1.99.1
Scan saved at 3:36:05 AM, on 3/10/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\COMMON~1\AOL\110906~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110906~1\EE\AOLServiceHost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\Hpqdirec.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\lmhhits.exe
C:\WINDOWS\System32\sisksie.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\America Online 9.0\wEmail Removedexe
C:\Program Files\America Online 9.0\shellmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\hjt\HijackThis.exe
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1109067120\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [r3tQ3sP] sisksie.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [a024Rij7R] lmhhits.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\Email RemovedEXE" -b
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\HP Instant Support DI\bin\matcli.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.Email Removed/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.Email Removed/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.Email Removed/help/engine/aolcinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{67D84CB9-0D1E-44E4-85E6-92AC18B61FA4}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{67D84CB9-0D1E-44E4-85E6-92AC18B61FA4}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
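Across the logs dated 3/5, 3/6 and 3/10, the Run values [r3tQ3sP] and [a024Rij7R] keep their names while the executable they launch changes after every cleanup. The Python below is an added example, not part of any post in this thread: it parses O4 lines excerpted from those three logs and reports Run values whose target rotates between scans. The function names are hypothetical.

```python
import re

# O4 lines excerpted from the three HijackThis logs posted in this thread,
# keyed by each log's "Scan saved at" date (a few unchanged entries kept
# for contrast).
SCANS = {
    "3/5/2005": r"""
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [r3tQ3sP] mcidet~1.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a024Rij7R] tftgrcoi.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
""",
    "3/6/2005": r"""
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [r3tQ3sP] cmcga11n.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a024Rij7R] usrbkend.exe
""",
    "3/10/2005": r"""
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [r3tQ3sP] sisksie.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a024Rij7R] lmhhits.exe
""",
}

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
# Executable part of the command line, with or without surrounding quotes.
EXE = re.compile(r'^"?(.+?\.exe)', re.IGNORECASE)


def parse_run_entries(log_text):
    """Map (hive, key, value name) -> executable for every O4 registry line."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue  # "Global Startup" shortcuts and other sections
        hive, key, name, command = m.groups()
        exe = EXE.match(command)
        entries[(hive, key, name)] = exe.group(1) if exe else command
    return entries


def has_no_path(target):
    """True when the Run command is a bare file name with no directory."""
    return "\\" not in target and ":" not in target


def rotating_run_values(scans):
    """Report Run values that persist across scans but change their target."""
    history = {}
    for date, text in scans.items():
        for ident, target in parse_run_entries(text).items():
            history.setdefault(ident, []).append((date, target))
    findings = []
    for (hive, key, name), seen in history.items():
        targets = [t for _, t in seen]
        if len({t.lower() for t in targets}) > 1:
            findings.append({
                "hive": hive,
                "value": name,
                "dates": [d for d, _ in seen],
                "targets": targets,
                "bare_filename": all(has_no_path(t) for t in targets),
            })
    return findings


if __name__ == "__main__":
    for f in rotating_run_values(SCANS):
        print(f["hive"], f["value"], "->", ", ".join(f["targets"]),
              "(no path)" if f["bare_filename"] else "")
```

A value name that survives while its file name changes means whatever rewrites the entry is still running, so fixing the listed O4 line alone will not hold.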
-
Can you please Download and save to desktop this removal tool from Symantec
http://securityresponse.symantec.com/avcenter/FixAprop.exe
Restart into Safe mode and run it, let it scan your hard drive and fix what it finds
Restart back to Normal mode and post a fresh Hijackthis log
Let me know if the tool found anything
-
Logfile of HijackThis v1.99.1
Scan saved at 4:43:49 PM, on 3/10/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\COMMON~1\AOL\110906~1\EE\AOLHOS~1.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\America Online 9.0\wEmail Removedexe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\COMMON~1\AOL\110906~1\EE\AOLServiceHost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\hjt\HijackThis.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1109067120\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\Email RemovedEXE" -b
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\HP Instant Support DI\bin\matcli.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.Email Removed/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.Email Removed/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.Email Removed/help/engine/aolcinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{67D84CB9-0D1E-44E4-85E6-92AC18B61FA4}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{67D84CB9-0D1E-44E4-85E6-92AC18B61FA4}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
The tool did not appear on the desktop in Safe mode, so I ran it in normal mode... here is a log of that:
Symantec Spyware.Apropos Removal Tool 1.0.1
process: sisksie.exe (terminated)
process: lmhhits.exe (terminated)
C:\Documents and Settings\Jamie\Local Settings\Temp\AutoUpdate0\auto_update_install.exe: (deleted)
C:\Documents and Settings\Jamie\Local Settings\Temp\temp.frCB82: (deleted)
C:\Documents and Settings\Jamie\Local Settings\Temporary Internet Files\Content.IE5\4HMB0HAB\AutoUpdaterInstaller[1].exe: (deleted)
C:\Documents and Settings\Jamie\Local Settings\Temporary Internet Files\Content.IE5\CT6FG9QR\AproposClientInstaller[1].exe: (deleted)
C:\Documents and Settings\Jamie\Local Settings\Temporary Internet Files\Content.IE5\CT6FG9QR\auto_update[1]: (deleted)
C:\Documents and Settings\T'adore Paris\Local Settings\Temp\~apropos0\CxtPls.exe: (deleted)
C:\Documents and Settings\T'adore Paris\Local Settings\Temp\~apropos0\pm.exe: (deleted)
C:\Documents and Settings\T'adore Paris\Local Settings\Temporary Internet Files\Content.IE5\WDCBCZEV\auto_update[1]: (deleted)
C:\Documents and Settings\T'adore Paris\Local Settings\Temporary Internet Files\Content.IE5\YL34L8FQ\auto_update[1]: (deleted)
C:\Program Files\AutoUpdate\AutoUpdate.exe: (deleted)
C:\Program Files\CxtPls\plg0\cxtpls.dll: (deleted)
C:\WINDOWS\system32\auto_update_uninstall.exe: (deleted)
C:\WINDOWS\system32\lmhhits.exe: (deleted)
C:\WINDOWS\system32\sisksie.exe: (deleted)
C:\WINDOWS\system32\vjokman.exe: (deleted)
C:\WINDOWS\system32\w32_hook.exe: (deleted)
C:\Program Files\CxtPls\ace.dll: (deleted)
C:\Program Files\CxtPls\atl.dll: (deleted)
registry: HKEY_USERS\S-1-5-21-1935655697-926492609-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Run: a024Rij7R (value deleted)
registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run: r3tQ3sP (value deleted)
directory C:\Program Files\CxtPls: (deleted)
directory C:\Program Files\AutoUpdate: (deleted)
directory C:\DOCUME~1\Jamie\LOCALS~1\Temp\AutoUpdate0: (deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\AutoLoader (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Apropos (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Envolo (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B548B7D8-3D03-4AED-A6A1-4251FAD00C10} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B99A727F-0782-4A71-BCC2-6E1E66414904} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AproposClient (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AutoUpdate (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: AutoUpdater (value deleted)
registry: HKEY_USERS\S-1-5-21-1935655697-926492609-725345543-1004\Software\Classes\CLSID: (Default) (restored)
Spyware.Apropos has been successfully removed from your computer!
Here is the report:
The total number of the scanned files: 28876
The number of deleted threat files: 18
The number of directories deleted: 3
The number of threat processes terminated: 2
The number of registry entries fixed: 16
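An added example (not part of the original posts, and not Symantec's code): a Python check that tallies the itemised actions in a removal-tool log of the format shown above, compares them with the tool's own summary counts, and lists the removed autostart registry entries (Run values, Browser Helper Objects). The sample log is abridged from the post with summary counts recomputed; `audit`, `RULES` and the line patterns are assumptions inferred from this one log.

```python
import re

# Abridged from the removal-tool log in the post; summary counts are
# recomputed for this shortened, constructed sample.
SAMPLE_LOG = r"""process: sisksie.exe (terminated)
process: lmhhits.exe (terminated)
C:\WINDOWS\system32\lmhhits.exe: (deleted)
C:\WINDOWS\system32\sisksie.exe: (deleted)
C:\Program Files\CxtPls\plg0\cxtpls.dll: (deleted)
registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run: r3tQ3sP (value deleted)
directory C:\Program Files\CxtPls: (deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Apropos (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} (key deleted)
registry: HKEY_USERS\S-1-5-21-1935655697-926492609-725345543-1004\Software\Classes\CLSID: (Default) (restored)
The number of deleted threat files: 3
The number of directories deleted: 1
The number of threat processes terminated: 2
The number of registry entries fixed: 4
"""

RULES = [  # (category, pattern); first match wins (format inferred from the log)
    ("processes", re.compile(r"^process: (.+) \(terminated\)$")),
    ("registry", re.compile(r"^registry: (.+) \((?:value deleted|key deleted|restored)\)$")),
    ("directories", re.compile(r"^directory (.+): \(deleted\)$")),
    ("files", re.compile(r"^([A-Za-z]:\\.+): \(deleted\)$")),
]
SUMMARY = {"deleted threat files": "files", "directories deleted": "directories",
           "threat processes terminated": "processes", "registry entries fixed": "registry"}
AUTOSTART = ("\\currentversion\\run", "\\browser helper objects\\")  # load points

def audit(log):
    """Tally itemised actions and compare them with the tool's own summary."""
    actions = {name: [] for name, _ in RULES}
    reported = {}
    for line in log.splitlines():
        m = re.match(r"^The number of (.+): (\d+)$", line.strip())
        if m and m.group(1) in SUMMARY:
            reported[SUMMARY[m.group(1)]] = int(m.group(2))
            continue
        for name, pat in RULES:
            hit = pat.match(line.strip())
            if hit:
                actions[name].append(hit.group(1))
                break
    mismatches = {k: (len(actions[k]), v) for k, v in reported.items() if len(actions[k]) != v}
    autostart = [r for r in actions["registry"] if any(a in r.lower() for a in AUTOSTART)]
    return actions, mismatches, autostart

if __name__ == "__main__":
    print(audit(SAMPLE_LOG)[1:])
```

An empty `mismatches` means every summary count is backed by itemised lines; the `autostart` list is what to look for in the next HijackThis log to confirm the entries stayed gone.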
-
Looks good, how's everything running?
If everything is running better
You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature (http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm)
Once back in Windows and System Restore is reenabled
You should set up protection against future attacks
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=53)
Download link (https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD)
With both, check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
Why so far behind on Windows Updates? This is important in keeping your computer secure too