
Messages - catshere

1
Tech Clinic / Cannot delete program in my start up file
« on: January 24, 2005, 11:56:56 AM »
Sorry, so many new programs to use. I ran the VX2 program; it found nothing. Here is the HJT log:

Logfile of HijackThis v1.99.0
Scan saved at 9:56:05 AM, on 1/24/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\KNBVRK.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\CALC.EXE
C:\WMCONNECT\WWM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: ZServObj Class - {00000000-C1EC-0345-6EC2-4D0300000000} - C:\WINDOWS\ZSERV.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [knbvrk] c:\windows\system\knbvrk.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {405BBF5B-2FD8-4614-AC51-D8566F635B94} (SafeWallet Class) - http://idsm.citadelprocessing.com/SafeComm...s/WalletCab.CAB

2
Tech Clinic / Cannot delete program in my start up file
« on: January 24, 2005, 10:46:41 AM »
Thank you so much for your assistance. Here is the log file from the HJT scan. I did notice files referring to the VX2 that you referred to in the scan of my PC. I currently use Spy Sweeper; it found the files, but as soon as it deleted them they would come back.
I downloaded the VX2 finder and I am about to download the Spybot program. One question: what is this VX2 that you referred to, and what are the risks to my system and privacy with my not knowing it is on my PC?


ArchiveData(adwarequarantine.bckp)
Referencefile : SE1R25 11.01.2005
======================================================

IMISERVER IEPLUGIN
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Process : C:\WINDOWS\SYSTB.DLL
obj[2]=Regkey : wbho.band.1
obj[3]=RegValue : wbho.band.1 ""
obj[4]=Regkey : wbho.band
obj[5]=RegValue : wbho.band ""
obj[6]=Regkey : typelib\{57add57b-173e-418a-8f70-17e5c9f2bcc9}
obj[7]=Regkey : interface\{3e589169-86ad-44fe-b426-f0bf105d5582}
obj[8]=RegValue : interface\{3e589169-86ad-44fe-b426-f0bf105d5582} ""
obj[9]=Regkey : clsid\{01f44a8a-8c97-4325-a378-76e68dc4ab2e}
obj[10]=RegValue : clsid\{01f44a8a-8c97-4325-a378-76e68dc4ab2e} ""
obj[11]=Regkey : software\microsoft\windows\currentversion\explorer\browser helper objects\{01f44a8a-8c97-4325-a378-76e68dc4ab2e}
obj[54]=Regkey : software\intexp
obj[55]=RegValue : software\microsoft\internet explorer\toolbar "{2CDE1A7D-A478-4291-BF31-E1B4C16F92EB}"
obj[56]=File : C:\WINDOWS\wupdt.exe
obj[57]=File : C:\WINDOWS\systb.dll
obj[58]=File : C:\WINDOWS\redir.txt
obj[59]=File : C:\WINDOWS\lu.dat

VX2
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[1]=Process : C:\WINDOWS\LOCALNRD.DLL
obj[12]=Regkey : typelib\{3fa866ac-40d7-4fe6-babf-78ee854a4325}
obj[13]=Regkey : localnrddll.localnrddllobj.1
obj[14]=RegValue : localnrddll.localnrddllobj.1 ""
obj[15]=Regkey : localnrddll.localnrddllobj
obj[16]=RegValue : localnrddll.localnrddllobj ""
obj[17]=Regkey : interface\{a42c0ef4-1c76-43cc-989f-eadc7e4b755d}
obj[18]=RegValue : interface\{a42c0ef4-1c76-43cc-989f-eadc7e4b755d} ""
obj[19]=Regkey : clsid\{00320615-b6c2-40a6-8f99-f1c52d674fad}
obj[20]=RegValue : clsid\{00320615-b6c2-40a6-8f99-f1c52d674fad} ""
obj[21]=Regkey : software\microsoft\windows\currentversion\explorer\browser helper objects\{00320615-b6c2-40a6-8f99-f1c52d674fad}
obj[22]=RegValue : .DEFAULT\software\localnrd "LNI0d1OfSInst"
obj[40]=File : c:\WINDOWS\SYSTEM32\randreco.exe
obj[42]=File : c:\WINDOWS\TEMP\banner.exe
obj[60]=Regkey : software\localnrd
obj[61]=RegValue : software\localnrd "LNI0d1OfSInst"
obj[62]=RegValue : software\localnrd "LNC0n1trMsgSDisp"
obj[63]=RegValue : software\localnrd "LNI0d1OfSDist"
obj[64]=RegValue : software\localnrd "LNT0o1pListSPos"
obj[65]=RegValue : software\localnrd "LNs0t1icky1S"
obj[66]=RegValue : software\localnrd "LNs0t1icky2S"
obj[67]=RegValue : software\localnrd "LNs0t1icky3S"
obj[68]=RegValue : software\localnrd "LNs0t1icky4S"
obj[69]=RegValue : software\localnrd "LNC1o0d1eOfSFinalAd"
obj[70]=RegValue : software\localnrd "LNT0i1m2eOfSFinalAd"
obj[71]=RegValue : software\localnrd "LND0s1tSSEnd"
obj[72]=RegValue : software\localnrd "LN0N1a2tionSCode"
obj[73]=RegValue : software\localnrd "LNP0D1om"
obj[74]=RegValue : software\localnrd "LNI0n1ProgSCab"
obj[75]=RegValue : software\localnrd "LNI0n1ProgSEx"
obj[76]=RegValue : software\localnrd "LNI0n1ProgSLstest"
obj[77]=RegValue : software\localnrd "LNL0a1stSSChckin"
obj[78]=RegValue : software\localnrd "LNB0D1om"
obj[79]=RegValue : software\localnrd "LNC0u1rrentSMode"
obj[80]=RegValue : software\localnrd "LNC0n1tFyl"
obj[81]=RegValue : software\localnrd "LNM0o1deSSync"
obj[82]=RegValue : software\localnrd "LNT0h1rshSBath"
obj[83]=RegValue : software\localnrd "LNT0h1rshSysSInf"
obj[84]=RegValue : software\localnrd "LNT0h1rshSCheckSIn"
obj[85]=RegValue : software\localnrd "LNT0h1rshSMots"
obj[86]=RegValue : software\localnrd "LNL0n1Title"
obj[87]=RegValue : software\localnrd "LNI0g1noreS"
obj[88]=RegValue : software\localnrd "LND0s1tSCHost"
obj[89]=RegValue : software\localnrd "LND0s1tSCPath"
obj[90]=RegValue : software\localnrd "LNS0t1atusOfSInst"
obj[91]=RegValue : software\localnrd "LNL0a1stMotsSDay"
obj[92]=Regkey : software\vendor\xml
obj[93]=RegValue : software\vendor\xml ""
obj[94]=Regkey : software\vendor
obj[95]=Regkey : .default\software\localnrd
obj[96]=RegValue : .default\software\localnrd "LNC0n1trMsgSDisp"
obj[97]=RegValue : .default\software\localnrd "LNI0d1OfSDist"
obj[98]=RegValue : .default\software\localnrd "LNT0o1pListSPos"
obj[99]=RegValue : .default\software\localnrd "LNs0t1icky1S"
obj[100]=RegValue : .default\software\localnrd "LNs0t1icky2S"
obj[101]=RegValue : .default\software\localnrd "LNs0t1icky3S"
obj[102]=RegValue : .default\software\localnrd "LNs0t1icky4S"
obj[103]=RegValue : .default\software\localnrd "LNC1o0d1eOfSFinalAd"
obj[104]=RegValue : .default\software\localnrd "LNT0i1m2eOfSFinalAd"
obj[105]=RegValue : .default\software\localnrd "LND0s1tSSEnd"
obj[106]=RegValue : .default\software\localnrd "LN0N1a2tionSCode"
obj[107]=RegValue : .default\software\localnrd "LNP0D1om"
obj[108]=RegValue : .default\software\localnrd "LNI0n1ProgSCab"
obj[109]=RegValue : .default\software\localnrd "LNI0n1ProgSEx"
obj[110]=RegValue : .default\software\localnrd "LNI0n1ProgSLstest"
obj[111]=RegValue : .default\software\localnrd "LNL0a1stSSChckin"
obj[112]=RegValue : .default\software\localnrd "LNB0D1om"
obj[113]=RegValue : .default\software\localnrd "LNC0u1rrentSMode"
obj[114]=RegValue : .default\software\localnrd "LNC0n1tFyl"
obj[115]=RegValue : .default\software\localnrd "LNM0o1deSSync"
obj[116]=RegValue : .default\software\localnrd "LNT0h1rshSBath"
obj[117]=RegValue : .default\software\localnrd "LNT0h1rshSysSInf"
obj[118]=RegValue : .default\software\localnrd "LNT0h1rshSCheckSIn"
obj[119]=RegValue : .default\software\localnrd "LNT0h1rshSMots"
obj[120]=RegValue : .default\software\localnrd "LNL0n1Title"
obj[121]=RegValue : .default\software\localnrd "LNI0g1noreS"
obj[122]=RegValue : .default\software\localnrd "LND0s1tSCHost"
obj[123]=RegValue : .default\software\localnrd "LND0s1tSCPath"
obj[124]=RegValue : .default\software\localnrd "LNS0t1atusOfSInst"
obj[125]=RegValue : .default\software\localnrd "LNL0a1stMotsSDay"
obj[126]=RegValue : software\microsoft\internet explorer\toolbar\webbrowser "{0E5CBF21-D15F-11D0-8301-00AA005B4383}"
obj[127]=File : C:\WINDOWS\inf\LOCALNRD.INF
obj[128]=File : C:\WINDOWS\TEMP\dummy.htm

POSSIBLE BROWSER HIJACK ATTEMPT
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[23]=RegData : Software\Microsoft\Internet Explorer\Main "Search Page"
obj[24]=RegData : Software\Microsoft\Internet Explorer\Main "Search Bar"
obj[25]=RegData : Software\Microsoft\Internet Explorer\Search "SearchAssistant"
obj[26]=RegData : Software\Microsoft\Internet Explorer\Search "CustomizeSearch"
obj[27]=RegData : .DEFAULT\Software\Microsoft\Internet Explorer\Main "Search Page"
obj[28]=RegData : .DEFAULT\Software\Microsoft\Internet Explorer\Main "Search Bar"
obj[29]=RegData : .DEFAULT\Software\Microsoft\Internet Explorer\SearchURL ""

TRACKING COOKIE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[30]=IECache Entry : Cookie:[email protected]/
obj[31]=IECache Entry : Cookie:[email protected]/
obj[32]=IECache Entry : Cookie:[email protected]/
obj[33]=IECache Entry : Cookie:[email protected]/
obj[34]=IECache Entry : C:\WINDOWS\Cookies\cathy@apmebf[1].txt
obj[35]=IECache Entry : C:\WINDOWS\Cookies\cathy@overstock[2].txt
obj[36]=IECache Entry : C:\WINDOWS\Cookies\[email protected][2].txt
obj[37]=IECache Entry : C:\WINDOWS\Cookies\cathy@247realmedia[1].txt
obj[38]=IECache Entry : C:\WINDOWS\Cookies\cathy@seeq[1].txt
obj[39]=IECache Entry : C:\WINDOWS\Cookies\cathy@cgi-bin[2].txt
obj[43]=IECache Entry : c:\WINDOWS\Cookies\cathy@apmebf[1].txt
obj[44]=IECache Entry : c:\WINDOWS\Cookies\cathy@overstock[2].txt
obj[45]=IECache Entry : c:\WINDOWS\Cookies\[email protected][2].txt
obj[46]=IECache Entry : c:\WINDOWS\Cookies\cathy@247realmedia[1].txt
obj[47]=IECache Entry : c:\WINDOWS\Cookies\cathy@seeq[1].txt
obj[48]=IECache Entry : c:\WINDOWS\Cookies\cathy@cgi-bin[2].txt
obj[49]=IECache Entry : c:\WINDOWS\Cookies\cathy@advertising[1].txt
obj[50]=IECache Entry : c:\WINDOWS\Cookies\cathy@2o7[2].txt
obj[51]=IECache Entry : c:\WINDOWS\Cookies\[email protected][1].txt
obj[52]=IECache Entry : c:\WINDOWS\Cookies\cathy@doubleclick[1].txt

ELITUM.ELITEBARBHO
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[41]=File : c:\WINDOWS\TEMP\THI3270.TMP\preInsln.exe
obj[53]=File : c:\WINDOWS\PREINSLN.EXE

3
Tech Clinic / Cannot delete program in my start up file
« on: January 23, 2005, 05:03:54 PM »
I have tried to delete these but had no success. My spyware program finds them, but every time I delete them they come back. I downloaded the HJT program you recommended in another forum, and here is the log.
Please tell me what I can do.


Logfile of HijackThis v1.99.0
Scan saved at 3:06:55 PM, on 1/23/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\KNBVRK.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\CALC.EXE
C:\WMCONNECT\WWM.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\LOCALNRD.DLL
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [knbvrk] c:\windows\system\knbvrk.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {405BBF5B-2FD8-4614-AC51-D8566F635B94} (SafeWallet Class) - http://idsm.citadelprocessing.com/SafeComm...s/WalletCab.CAB
