Topic: Adware and junk on my computer is slowing me down! (Read 2204 times)

dlo8 (Newbie, 12 posts)
Adware and junk on my computer is slowing me down!
« on: January 15, 2005, 11:01:53 PM »
I need help. My computer runs slow, and the Internet Explorer status bar is missing all the time (I think it's because of "cssearch", but I can't uninstall it).
Can anyone help me?

Logfile of HijackThis v1.99.0
Scan saved at 3:06:35 AM, on 1/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\documents and settings\fish\local settings\temp\UdoLX8.exe
C:\documents and settings\fish\local settings\temp\eNVzIb.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\documents and settings\fish\local settings\temp\E1K9H.exe
C:\documents and settings\fish\local settings\temp\l.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\documents and settings\fish\local settings\temp\UZinV1.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\Integrator.exe
C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert1.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\wisptis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert0.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Fish\Local Settings\Temp\nWgm6.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MyPointsPointAlert0] "C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert0.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [UdoLX8] C:\documents and settings\fish\local settings\temp\UdoLX8.exe
O4 - HKLM\..\Run: [eNVzIb] C:\documents and settings\fish\local settings\temp\eNVzIb.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [E1K9H] C:\documents and settings\fish\local settings\temp\E1K9H.exe
O4 - HKLM\..\Run: [l] C:\documents and settings\fish\local settings\temp\l.exe
O4 - HKLM\..\Run: [UZinV1] C:\documents and settings\fish\local settings\temp\UZinV1.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Pboqopy] C:\WINDOWS\system32\?|íchost.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O4 - Startup: Hare.lnk = C:\Program Files\Dachshund Software\Hare\Hare.exe
O4 - Startup: Zoom.lnk = C:\Program Files\Dachshund Software\Zoom\Zoom.exe
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: MyPoints - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Point Alert - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (HKCU)
O9 - Extra button: ToolbarCop - {A349A035-E26F-454b-ABB4-5208E50E1BE7} - C:\\ToolbarCop.exe (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: ToolbarCop - {A349A035-E26F-454b-ABB4-5208E50E1BE7} - C:\\ToolbarCop.exe (file missing) (HKCU)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clie...ts/y/pote_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clie...nts/y/st2_x.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...ol_v1-0-3-9.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart.com/photo/uploads/Web...ploadClient.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSCo...ol_v1-0-3-0.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StyleXPService - Unknown - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

guestolo (Site Donator, Administrator, Hero Member, 16034 posts)
Adware and junk on my computer is slowing me down!
« Reply #1 on: January 15, 2005, 11:10:32 PM »
Did you download Windows CleanUp! as I recommended in one of your posts?
Don't run it yet, I'm just checking.

Did you download, install and update SpywareBlaster from that post?
Do it now if you haven't.

Let me know the above info so I know which way to get you clean.

SpywareBlaster just helps to prevent this kind of stuff.

Here's a link to that post:
http://www.thetechguide.com/forum/index.ph...topic=12083&hl=

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


guestolo (Site Donator, Administrator, Hero Member, 16034 posts)
Adware and junk on my computer is slowing me down!
« Reply #2 on: January 15, 2005, 11:12:18 PM »
Did you uninstall Spybot?

You also mentioned you have Ad-Aware.
Can you open it up and click on DETAILS?
Let me know the Reference No. and Internal Build.


dlo8 (Newbie, 12 posts)
Adware and junk on my computer is slowing me down!
« Reply #3 on: January 15, 2005, 11:56:39 PM »
Hey, it's you again!
Now I am trying to clean up another computer of mine (my girlfriend's).
Yes, I do have SpywareBlaster installed,
and of course I also have Spybot 1.3.1.

By the way, thanks for the prior post; now I think my computer is running fine.

And here is the Spybot log for the second computer! (The HJT log is from the second computer, not the first.)


--- Search result list ---
ISearchTech.PowerScan: Settings (Registry value, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\BandRest

Altnet: Settings (Registry key, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\Altnet

Altnet: Root class (Registry key, nothing done)
  HKEY_CLASSES_ROOT\ADM25.ADM25

Altnet: Root class (Registry key, nothing done)
  HKEY_CLASSES_ROOT\ADM4.ADM4

WildMedia: Class ID (Registry key, nothing done)
  HKEY_CLASSES_ROOT\CLSID\{E8EAEB34-F7B5-4C55-87FF-720FAF53D841}

WildMedia: Root class (Registry key, nothing done)
  HKEY_CLASSES_ROOT\SearchHelp

WildMedia: Browser helper object (Registry key, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E8EAEB34-F7B5-4C55-87FF-720FAF53D841}


--- Spybot - Search & Destroy version: 1.3 .1TX (build: 20040801) ---

2004-05-12 blindman.exe (1.0.0.0)
2004-08-30 SpybotSD.exe (1.3.0.12)
2004-05-12 TeaTimer.exe (1.3.0.12)
2004-06-15 unins000.exe (51.15.0.0)
2004-05-12 Update.exe (1.3.0.0)
2004-10-04 advcheck.dll (1.0.1.0)
2004-05-12 borlndmm.dll (7.0.4.453)
2004-05-12 delphimm.dll (7.0.4.453)
2004-05-12 Tools.dll (2.0.0.0)
2004-05-12 UnzDll.dll (1.73.1.1)
2004-05-12 ZipDll.dll (1.73.2.0)
2004-11-29 Includes\Cookies.sbi
2005-01-04 Includes\Dialer.sbi
2005-01-04 Includes\Hijackers.sbi
2004-12-29 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2005-01-04 Includes\Malware.sbi
2004-08-11 Includes\plugin-ignore.ini
2003-11-12 Includes\QA Tests.sbi
2004-11-29 Includes\Revision.sbi
2004-11-29 Includes\Security.sbi
2005-01-05 Includes\Spybots.sbi
2003-11-21 Includes\Temporary.sbi
2004-11-29 Includes\Tracks.uti
2005-01-04 Includes\Trojans.sbi



--- System information ---
Windows XP (Build: 2600) Service Pack 2
 / DataAccess: Microsoft Data Access Components KB870669
 / DataAccess: Security update for Microsoft Data Access Components
 / DataAccess: Security Update for Microsoft Data Access Components
 / DirectX: DirectX Update 819696
 / DirectX / DX9 / SP1: DirectX 9 Hotfix - KB839643
 / Windows Media Player / SP0: Windows Media Player Hotfix [See wm828026 for more information]
 / Windows Media Player: Windows Media Update 817787
 / Windows Media Player: Windows Media Update 819639
 / Windows Media Player: Windows Media Update 828026
 / Windows XP / SP2: Windows XP Service Pack 2
 / Windows XP / SP3: Windows XP Hotfix - KB834707
 / Windows XP / SP3: Windows XP Hotfix - KB873339
 / Windows XP / SP3: Windows XP Hotfix - KB885835
 / Windows XP / SP3: Windows XP Hotfix - KB885836
 / Windows XP / SP3: Windows XP Hotfix - KB885884
 / Windows XP / SP3: Windows XP Hotfix - KB886185
 / Windows XP / SP3: Windows XP Hotfix - KB890175


--- Startup entries list ---
Located: HK_LM:Run, ccApp
command: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
   file: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
   size: 66680
    MD5: 371d2fa0dfeb9767b3cc7cae1ab21a5a

Located: HK_LM:Run, DwlClient
command: C:\Program Files\Common Files\Dell\EUSW\Support.exe
   file: C:\Program Files\Common Files\Dell\EUSW\Support.exe
   size: 245760
    MD5: 58cd30203ddb67fad6a34aa624fa0141

Located: HK_LM:Run, E1K9H
command: C:\documents and settings\fish\local settings\temp\E1K9H.exe
   file: C:\documents and settings\fish\local settings\temp\E1K9H.exe
   size: 200770
    MD5: 6b829bd4a420ba00794fe6f87cbfcd03

Located: HK_LM:Run, eNVzIb
command: C:\documents and settings\fish\local settings\temp\eNVzIb.exe
   file: C:\documents and settings\fish\local settings\temp\eNVzIb.exe
   size: 200908
    MD5: cf1b6119a8d213702dbc6d754b85e81b

Located: HK_LM:Run, HotKeysCmds
command: C:\WINDOWS\System32\hkcmd.exe
   file: C:\WINDOWS\System32\hkcmd.exe
   size: 114688
    MD5: 3a9978c5caec77771ff28eb7a3889639

Located: HK_LM:Run, hwlrwL
command: C:\windows\system32\hwlrwL.exe
   file: C:\windows\system32\hwlrwL.exe
   size: 233620
    MD5: 837aff6886e55e5384e390bcaa6d0f9e

Located: HK_LM:Run, IgfxTray
command: C:\WINDOWS\System32\igfxtray.exe
   file: C:\WINDOWS\System32\igfxtray.exe
   size: 155648
    MD5: 735486208c3a359cab624526e4467257

Located: HK_LM:Run, IMJPMIG8.1
command: "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
   file: C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE
   size: 208952
    MD5: 7bbe4cf421aecc7f0226edd75f12079f

Located: HK_LM:Run, l
command: C:\documents and settings\fish\local settings\temp\l.exe
   file: C:\documents and settings\fish\local settings\temp\l.exe
   size: 172094
    MD5: 1a0c22d0ef0785aed1030af41be32d83

Located: HK_LM:Run, MessengerPlus3
command: "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
   file: C:\Program Files\Messenger Plus! 3\MsgPlus.exe
   size: 169096
    MD5: c39294d45e86155690266d05b2da6d77

Located: HK_LM:Run, mmtask
command: C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
   file: C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
   size: 53248
    MD5: 6631470725d1c58a2b9c3ce1ce1929f9

Located: HK_LM:Run, MSPY2002
command: C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
   file: C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe
   size: 59392
    MD5: 1b17e09c1223f6d17336d2dd7a1af4f4

Located: HK_LM:Run, MyPointsPointAlert0
command: "C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert0.exe"
   file: C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert0.exe
   size: 98304
    MD5: a8e8e8d3507939c7b0626c67340f82ba

Located: HK_LM:Run, PHIME2002A
command: C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
   file: C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE
   size: 455168
    MD5: 024dc0f68df5fd6ae9dd82dfbaf479d6

Located: HK_LM:Run, PHIME2002ASync
command: C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
   file: C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE
   size: 455168
    MD5: 024dc0f68df5fd6ae9dd82dfbaf479d6

Located: HK_LM:Run, RVRgiIbY.exe
command: c:\windows\system32\RVRgiIbY.exe
   file: c:\windows\system32\RVRgiIbY.exe
   size: 176362
    MD5: bb6b2e25a5506ea2a92ad583a5cf3313

Located: HK_LM:Run, TkBellExe
command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
   file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
   size: 180269
    MD5: 3cf6bff887af6f733473d81a8921a5c5

Located: HK_LM:Run, UdoLX8
command: C:\documents and settings\fish\local settings\temp\UdoLX8.exe
   file: C:\documents and settings\fish\local settings\temp\UdoLX8.exe
   size: 233656
    MD5: bf22b6762024ca12fee0eab52f43f3fa

Located: HK_LM:Run, UZinV1
command: C:\documents and settings\fish\local settings\temp\UZinV1.exe
   file: C:\documents and settings\fish\local settings\temp\UZinV1.exe
   size: 172146
    MD5: 22a337dd85a7857258e203841863d24a

Located: HK_LM:Run, vptray
command: C:\PROGRA~1\SYMANT~1\VPTray.exe
   file: C:\PROGRA~1\SYMANT~1\VPTray.exe
   size: 124128
    MD5: 5972a3384ebceaeb99f4216e77ebed59

Located: HK_CU:Run, ctfmon.exe
command: C:\WINDOWS\system32\ctfmon.exe
   file: C:\WINDOWS\system32\ctfmon.exe
   size: 15360
    MD5: 24232996a38c0b0cf151c2140ae29fc8

Located: HK_CU:Run, MessengerPlus3
command: "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
   file: C:\Program Files\Messenger Plus! 3\MsgPlus.exe
   size: 169096
    MD5: c39294d45e86155690266d05b2da6d77

Located: HK_CU:Run, msnmsgr
command: "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
   file: C:\Program Files\MSN Messenger\msnmsgr.exe
   size: 4849664
    MD5: 9c588e9844ba27135f0c4147d1b38c07

Located: HK_CU:Run, STYLEXP
command: C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

Located: Startup (user), AntiCrash.lnk
command: C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
   file: C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
   size: 2301798
    MD5: d650e0bb24c1c4d796fd2e88e8fdfeff

Located: Startup (user), Hare.lnk
command: C:\Program Files\Dachshund Software\Hare\Hare.exe
   file: C:\Program Files\Dachshund Software\Hare\Hare.exe
   size: 1874381
    MD5: a4df641cda8a91a844b1f069ca2daf4c

Located: Startup (user), Zoom.lnk
command: C:\Program Files\Dachshund Software\Zoom\Zoom.exe
   file: C:\Program Files\Dachshund Software\Zoom\Zoom.exe
   size: 1446302
    MD5: 46852612f2d80b11517055eb208a2f15

Located: WinLogon, crypt32chain
command: crypt32.dll

Located: WinLogon, cryptnet
command: cryptnet.dll

Located: WinLogon, cscdll
command: cscdll.dll

Located: WinLogon, igfxcui
command: igfxsrvc.dll

Located: WinLogon, NavLogon
command: C:\WINDOWS\system32\NavLogon.dll
   file: C:\WINDOWS\system32\NavLogon.dll
   size: 83176
    MD5: 55dc54c87fa324a4cd32b3b407307671

Located: WinLogon, ScCertProp
command: wlnotify.dll

Located: WinLogon, Schedule
command: wlnotify.dll

Located: WinLogon, sclgntfy
command: sclgntfy.dll

Located: WinLogon, SensLogn
command: WlNotify.dll

Located: WinLogon, termsrv
command: wlnotify.dll

Located: WinLogon, wlballoon
command: wlnotify.dll



--- Browser helper object list ---
{E8EAEB34-F7B5-4C55-87FF-720FAF53D841} (Search Help)
          BHO name: Search Help
        CLSID name: CSearchHelpIEExtension Object
              Path: C:\Documents and Settings\Fish\Local Settings\Temp\
         Long name:          36UFp.dll
        Short name:                  
    Date (created): 1/14/2005 1:32:14 PM
Date (last access): 1/15/2005 8:50:58 PM
 Date (last write): 1/14/2005 1:37:16 PM
          Filesize:             119057
        Attributes:           archive
               MD5: 2FFB83A22D7DBC19A1039E84DF51FD59
             CRC32:           8E321627
           Version:            0.1.0.0



--- ActiveX list ---
Yahoo! Pool 2 (Yahoo! Pool 2)
          DPF name: Yahoo! Pool 2
        CLSID name:

Yahoo! Spades (Yahoo! Spades)
          DPF name: Yahoo! Spades
        CLSID name:

{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine)
          DPF name:
        CLSID name: Office Update Installation Engine
              Path:        C:\WINDOWS\
         Long name:           opuc.dll
        Short name:                  
    Date (created): 8/27/2003 3:10:30 AM
Date (last access): 1/15/2005 9:48:28 PM
 Date (last write): 8/27/2003 3:10:30 AM
          Filesize:             314368
        Attributes:           archive
               MD5: 1E32EC4A8A17B19926B49EA5F6B79A76
             CRC32:           E98FC293
           Version:           0.11.0.0

{4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class)
          DPF name:
        CLSID name: EPUImageControl Class
              Path: C:\WINDOWS\Downloaded Program Files\
         Long name:  EPUWalcontrol.dll
        Short name:       EPUWAL~1.DLL
    Date (created): 5/15/2004 2:14:18 PM
Date (last access): 1/15/2005 9:47:10 PM
 Date (last write): 5/15/2004 2:14:18 PM
          Filesize:             884736
        Attributes:           archive
               MD5: ACBDA0F01F0A678AB5E6CC9080708C7D
             CRC32:           B21B099F
           Version:            0.1.0.0

{D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class)
          DPF name:
        CLSID name: Uploader Class
              Path: C:\WINDOWS\Downloaded Program Files\
         Long name: WebUploadClient.dll
        Short name:       WEBUPL~1.DLL
    Date (created): 10/25/2004 11:19:30 AM
Date (last access): 1/15/2005 9:47:10 PM
 Date (last write): 10/25/2004 11:19:30 AM
          Filesize:            3612672
        Attributes:           archive
               MD5: 09A8259560E8342F8FB095399D3442F6
             CRC32:           4A52C06A
           Version:            0.2.0.0

{E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class)
          DPF name:
        CLSID name: EPSImageControl Class
              Path: C:\WINDOWS\Downloaded Program Files\
         Long name:     EPScontrol.dll
        Short name:       EPSCON~1.DLL
    Date (created): 1/12/2004 9:49:20 AM
Date (last access): 1/15/2005 9:47:10 PM
 Date (last write): 1/12/2004 9:49:20 AM
          Filesize:             885248
        Attributes:           archive
               MD5: C69F7705F630B2204DBF13B1F30804AE
             CRC32:           15BAE482
           Version:            0.1.0.0



--- Process list ---

PID:    0 (   0) [System]
PID:    4 (   0) System
PID:  124 ( 700) C:\WINDOWS\System32\svchost.exe
PID:  160 ( 364) C:\documents and settings\fish\local settings\temp\E1K9H.exe
PID:  240 ( 364) C:\documents and settings\fish\local settings\temp\l.exe
PID:  312 ( 364) C:\documents and settings\fish\local settings\temp\UZinV1.exe
PID:  348 ( 364) C:\windows\system32\hwlrwL.exe
PID:  364 ( 328) C:\WINDOWS\Explorer.EXE
PID:  432 ( 700) C:\WINDOWS\system32\cisvc.exe
PID:  444 ( 700) C:\Program Files\Symantec AntiVirus\DefWatch.exe
PID:  460 ( 700) C:\Program Files\Executive Software\Diskeeper\DkService.exe
PID:  524 ( 700) C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
PID:  584 (   4) \SystemRoot\System32\smss.exe
PID:  608 ( 700) C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PID:  632 ( 584) csrss.exe
PID:  656 ( 584) \??\C:\WINDOWS\system32\winlogon.exe
PID:  700 ( 656) C:\WINDOWS\system32\services.exe
PID:  712 ( 656) C:\WINDOWS\system32\lsass.exe
PID:  716 ( 364) C:\windows\system32\RVRgiIbY.exe
PID:  868 ( 700) C:\WINDOWS\system32\svchost.exe
PID:  912 ( 904) C:\WINDOWS\SYSTEM32\RVRgiIbY.exe
PID:  952 ( 700) svchost.exe
PID: 1048 ( 364) C:\Program Files\Internet Explorer\iexplore.exe
PID: 1064 ( 700) C:\WINDOWS\System32\svchost.exe
PID: 1092 ( 700) C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
PID: 1176 ( 700) svchost.exe
PID: 1248 ( 964) C:\Program Files\MSN Messenger\msnmsgr.exe
PID: 1264 ( 364) C:\WINDOWS\system32\ctfmon.exe
PID: 1296 ( 364) C:\WINDOWS\System32\hkcmd.exe
PID: 1316 ( 700) svchost.exe
PID: 1388 ( 700) C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PID: 1420 ( 364) C:\Program Files\Common Files\Dell\EUSW\Support.exe
PID: 1424 ( 700) wdfmgr.exe
PID: 1448 ( 700) C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PID: 1612 ( 364) C:\Program Files\Messenger Plus! 3\MsgPlus.exe
PID: 1648 ( 364) C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PID: 1656 ( 364) C:\PROGRA~1\SYMANT~1\VPTray.exe
PID: 1700 ( 364) C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
PID: 1720 ( 364) C:\documents and settings\fish\local settings\temp\UdoLX8.exe
PID: 1728 ( 364) C:\documents and settings\fish\local settings\temp\eNVzIb.exe
PID: 2024 ( 700) C:\WINDOWS\system32\spoolsv.exe
PID: 2096 (1676) C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PID: 2296 (1668) C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert1.exe
PID: 2308 ( 364) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
PID: 2348 (2296) C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert0.exe
PID: 2460 ( 700) alg.exe
PID: 2664 (1584) C:\WINDOWS\Integrator.exe
PID: 3064 ( 432) C:\WINDOWS\system32\cidaemon.exe
PID: 3192 ( 700) C:\WINDOWS\System32\svchost.exe
PID: 3956 ( 364) C:\Program Files\Windows Media Player\wmplayer.exe
Spybot - Search && Destroy process list report, 1/15/2005 9:50:39 PM


--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 1/15/2005 9:50:39 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
  C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
  http://home.microsoft.com/access/allinone.asp
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
  http://home.microsoft.com/search/lobby/search.asp
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
  about:blank
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
  http://www.dellnet.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
  http://home.microsoft.com/access/autosearch.asp?p=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
  %SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
  http://www.microsoft.com/isapi/redir.dll?p...=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar
  about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
  http://www.dellnet.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
  http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
  http://www.microsoft.com/isapi/redir.dll?p...=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
  http://ie.search.msn.com/{SUB_RFC1766}/src...st/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
  http://ie.search.msn.com/{SUB_RFC1766}/src...st/srchcust.htm


--- Winsock Layered Service Provider list ---

Mostly, the most annoying one is that I can't remove "CSearchHelpIEExtension Object", which I found with ToolbarCop, because I would remove it, but then the next time I restart it would start again and mess up my Internet Explorer.
And sometimes when I load a page on this computer it takes me to some ad234.com, something like that.
Hope this helps!

dlo8 (Newbie, 12 posts)
Adware and junk on my computer is slowing me down!
« Reply #4 on: January 15, 2005, 11:57:53 PM »
And do you think I can safely delete all of my \Local Settings\Temp folder's files?

guestolo (Site Donator, Administrator, Hero Member, 16034 posts)
Adware and junk on my computer is slowing me down!
« Reply #5 on: January 16, 2005, 12:44:57 AM »
Quote
and do you think I can safely delete all my \Local Settings\Temp folder's files
Yup.
Here's what I would do, dlo8.

First off,
download and install this small program
to help clean your temp folders, cookies, prefetch folder, etc.:
Windows Cleanup
Install it for now but don't run a scan yet.
A great little utility to assist in cleaning those temp folders;
you'll be surprised what a person can miss.

After that is done,
set Windows to show hidden files and folders:
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View tab.
    * Under the Hidden files and folders heading, select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck Hide extensions for known file types.
    * Click Yes to confirm.
    * Click OK.

Restart your computer into SAFE MODE.

Access Add/Remove Programs and remove, if found:
MidAdle
You may also want to remove:
MyPoints

Find and delete these files or folders if they exist:
C:\Program Files\MyPoints_PointAlert <--folder

Again in safe mode,
do another scan with HijackThis and put a check next to these entries:

O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Fish\Local Settings\Temp\nWgm6.dll

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [MyPointsPointAlert0] "C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert0.exe"
<--fix this line even if you decide not to remove it, it's not needed on startup

O4 - HKLM\..\Run: [UdoLX8] C:\documents and settings\fish\local settings\temp\UdoLX8.exe
O4 - HKLM\..\Run: [eNVzIb] C:\documents and settings\fish\local settings\temp\eNVzIb.exe

O4 - HKLM\..\Run: [E1K9H] C:\documents and settings\fish\local settings\temp\E1K9H.exe
O4 - HKLM\..\Run: [l] C:\documents and settings\fish\local settings\temp\l.exe
O4 - HKLM\..\Run: [UZinV1] C:\documents and settings\fish\local settings\temp\UZinV1.exe

O4 - HKCU\..\Run: [Pboqopy] C:\WINDOWS\system32\?|íchost.exe

O9 - Extra button: Point Alert - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (HKCU)


If you uninstalled ToolbarCop,
fix the next ones too:
O9 - Extra button: ToolbarCop - {A349A035-E26F-454b-ABB4-5208E50E1BE7} - C:\\ToolbarCop.exe (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: ToolbarCop - {A349A035-E26F-454b-ABB4-5208E50E1BE7} - C:\\ToolbarCop.exe (file missing) (HKCU)


After you have ticked the above entries, close all other open windows, including this one.
Leave HijackThis open and click FIX CHECKED,
YES, and exit HijackThis.

In safe mode, open Windows CleanUp! and click the Cleanup button.
Let it finish scanning for files; when it's done it will prompt you to log off.
Simply restart back to Normal Mode.

NOTE: If you choose not to install Cleanup you will have to manually delete all the temp folders' contents; Cleanup makes this real easy.

When back in Windows:

Download and install the free version of Ad-Aware SE Personal 1.05.
Ensure you have this version.
Open Ad-Aware, be sure to click the check for updates now link and Connect to download the latest updates.

Perform a Full system scan ("Uncheck Search for Negligible Risk Entries" before scanning).
When it's finished scanning,
at this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox,
then click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button.

RESTART your computer to finish the cleaning process.

Post back with a fresh HijackThis log afterwards.

Could you also:
Open Notepad (START>>>RUN>>>type in notepad, hit Enter).
Copy the contents of the Quote box to Notepad.
In Notepad click FILE>>SAVE AS.
Change the Save as type to All files.
Name the file find.bat.
Save it on the desktop.

Quote
dir C:\WINDOWS\System32\?|íchost.exe /a h > files.txt
notepad files.txt

Double click on find.bat.
It will generate a txt file called files.txt.
Post back the findings.

If it was blank I don't need to see the output,
but search in your System32 folder for a file close to the name
?|íchost.exe
You won't be able to see the ? mark, but look for something similar.
It may not exist.
If it does,
right click on it and left click Properties.
Let me know the file size and date created.
svchost.exe is legitimate.

Can you go to this site please
Give the link time to load
http://virusscan.jotti.dhs.org/
Use the Browse button at the top of that links page and navigate to this file
c:\windows\system32\RVRgiIbY.exe <--this file, notice the spelling
Right click on it and Select it
Use the Submit button on the site
Wait for the scan results and post them back here

Do the same for this file
C:\windows\system32\hwlrwL.exe

By the way, thanks for the Spybot log
I only need to see a fresh hijackthis log afterwards and the info from that Online Malware scan about those two files
and the files.txt log from find.bat
« Last Edit: January 16, 2005, 04:47:20 AM by guestolo »

Do you want to post your own logs from FRST?
Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Guest

  • Guest
Adware and junks on my computer is slowin me down!
« Reply #6 on: January 19, 2005, 07:53:45 PM »
for C:\windows\system32\hwlrwL.exe

Service load:  0%        100%  
 
File:  hwlrwL.exe  
Status:  INFECTED/MALWARE  
Packers detected:  None
   
AntiVir  TR/Dldr.BlaBlockz.1 (0.15 seconds taken)
Avast  No viruses found (1.51 seconds taken)
BitDefender  No viruses found (0.34 seconds taken)
ClamAV  No viruses found (0.46 seconds taken)
Dr.Web  Trojan.StatBlasterAd (0.53 seconds taken)
F-Prot Antivirus  No viruses found (0.08 seconds taken)
Kaspersky Anti-Virus  No viruses found (0.66 seconds taken)
mks_vir  No viruses found (0.22 seconds taken)
NOD32  No viruses found (0.40 seconds taken)
Norman Virus Control  No viruses found (1.05 seconds taken)

(So how can I clean it now?)

c:\windows\system32\RVRgiIbY.exe

I couldn't find the file... so I did a system scan for that file and I got "C:\WINDOWS\Prefetch\RVRGIIBY.EXE-0251740E.pf" but no actual exe file... so what should I do now?

files.txt returns nothing

Logfile of HijackThis v1.99.0
Scan saved at 5:49:42 PM, on 1/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert0.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\windows\system32\RVRgiIbY.exe
C:\windows\system32\hwlrwL.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\RVRgiIbY.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\Integrator.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert1.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\SYSTEM32\mmc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Executive Software\Diskeeper\DfrgNTFS.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MyPointsPointAlert0] "C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert0.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RVRgiIbY.exe] c:\windows\system32\RVRgiIbY.exe
O4 - HKLM\..\Run: [hwlrwL] C:\windows\system32\hwlrwL.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O4 - Startup: Hare.lnk = C:\Program Files\Dachshund Software\Hare\Hare.exe
O4 - Startup: Zoom.lnk = C:\Program Files\Dachshund Software\Zoom\Zoom.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: MyPoints - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Point Alert - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (HKCU)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clie...ts/y/pote_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clie...nts/y/st2_x.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...ol_v1-0-3-9.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart.com/photo/uploads/Web...ploadClient.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSCo...ol_v1-0-3-0.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StyleXPService - Unknown - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TuneUp WinStyler Theme Service - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

That's all for now... see what you've got!

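The three things the helper asked dlo8 to look for by hand in the post above and in this log (executables launched from the user's temp folder, random-looking names in System32, and a filename one character off from svchost.exe) can be checked over the whole HijackThis log at once. The script below is an added example and is not part of this thread or of HijackThis. The sample log is constructed: the paths are taken from the logs posted here, and svch0st.exe is an invented lookalike added so the homoglyph check has something to catch. The heuristics (a stray one-letter case run in the name, a digit-for-letter map, Levenshtein distance 1 against a short list of core XP binaries) are my own choices, not the helper's method.

```python
"""Triage a HijackThis 1.99 log for the three indicators used in this thread:
executables running from a temp folder, random-looking names in System32,
and a filename one character off from a genuine Windows binary."""
import re

# Constructed sample in HijackThis log format. Paths are taken from the logs
# posted in this thread; svch0st.exe is an invented lookalike for the demo.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\documents and settings\fish\local settings\temp\UdoLX8.exe
C:\windows\system32\RVRgiIbY.exe
C:\windows\system32\hwlrwL.exe
C:\WINDOWS\System32\svch0st.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RVRgiIbY.exe] c:\windows\system32\RVRgiIbY.exe
O4 - HKLM\..\Run: [hwlrwL] C:\windows\system32\hwlrwL.exe
"""

# Drive-letter path ending in .exe; non-greedy so arguments after the path are dropped.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]+?\.exe', re.IGNORECASE)

# Core Windows XP binaries that malware likes to imitate by name (my list, not exhaustive).
SYSTEM_BINARIES = ("svchost", "lsass", "csrss", "smss", "winlogon",
                   "services", "explorer", "spoolsv")
# Digits commonly swapped in for the letters they resemble.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def extract_paths(log_text):
    """Every drive-letter .exe path in the log, in order of appearance."""
    return PATH_RE.findall(log_text)


def edit_distance(a, b):
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(stem):
    """Name of the system binary this stem imitates, or None.
    The genuine name is never reported: svchost.exe itself is legitimate."""
    s = stem.lower()
    if s in SYSTEM_BINARIES:
        return None
    normalized = s.translate(HOMOGLYPHS)
    for legit in SYSTEM_BINARIES:
        if normalized == legit or edit_distance(s, legit) == 1:
            return legit
    return None


def has_orphan_case_segment(stem):
    """Heuristic for generated names such as RVRgiIbY or hwlrwL: split the stem
    into case runs (Upper+lower* or lower+) and flag a stray one-letter run.
    Ordinary CamelCase (ccSetMgr, DefWatch) passes; short names are skipped."""
    if len(stem) < 5:
        return False
    segments = re.findall(r"[A-Z]+[a-z]*|[a-z]+", stem)
    return len(segments) > 1 and any(len(seg) == 1 for seg in segments)


def triage(log_text):
    """[(path, [reasons])] for every suspicious executable, deduplicated
    case-insensitively so a file listed under both Running processes and O4
    appears once (both occurrences still have to be killed and deleted)."""
    findings = {}
    for path in extract_paths(log_text):
        key = path.lower()
        if key in findings:
            continue
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        reasons = []
        if "\\temp\\" in key:
            reasons.append("runs from a temp folder")
        if has_orphan_case_segment(stem):
            reasons.append("random-looking mixed-case name")
        legit = lookalike_of(stem)
        if legit:
            reasons.append(f"lookalike of {legit}.exe")
        if reasons:
            findings[key] = (path, reasons)
    return list(findings.values())


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(f"{path}\n    {'; '.join(reasons)}")
```

Run against the constructed log this reports UdoLX8.exe (temp folder), RVRgiIbY.exe and hwlrwL.exe (generated-looking names) and svch0st.exe (lookalike), and stays quiet on smss.exe, svchost.exe, Rtvscan.exe and ccApp.exe. The name heuristic is only a screen: a vendor that ships a binary like xY.exe would trip it, and a lookalike that transposes two letters (scvhost) is distance 2 and slips past, so anything it flags still goes to a multi-engine scan such as the Jotti check above before it is deleted.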
Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Adware and junks on my computer is slowin me down!
« Reply #7 on: January 19, 2005, 08:30:29 PM »
Open Hijackthis>>Open the Misc tools section
Open the Process Manager and kill these processes if still running
C:\windows\system32\RVRgiIbY.exe
C:\windows\system32\hwlrwL.exe
C:\WINDOWS\SYSTEM32\RVRgiIbY.exe
<--both occurrences

NEXT: Back in Hijackthis' Misc Tools section
Click the Delete file on Reboot button

Copy and paste the whole path of the file to delete (in bold) into the File Name field

C:\windows\system32\hwlrwL.exe

Click the Open button, Hijackthis may prompt you that you need to Restart your computer
DON'T at this time

Instead use Delete file on Reboot for this full path of the file name too

C:\windows\system32\RVRgiIbY.exe

Again, Don't allow to Restart yet

Instead
Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [RVRgiIbY.exe] c:\windows\system32\RVRgiIbY.exe
O4 - HKLM\..\Run: [hwlrwL] C:\windows\system32\hwlrwL.exe


After you have ticked the above entries, close all other open windows, including this one
Leave HijackThis open and click FIX CHECKED
Click YES and exit HijackThis

This file is in your Prefetch folder
RVRGIIBY.EXE-0251740E.pf

Windows CleanUp! should take care of it for you
Again, open CleanUp and click the Cleanup button
Allow it to scan for files; when it's done and it prompts you to log off, don't

Instead
RESTART your Computer

Post back with a fresh hijackthis log
Are you choosing to hold onto MyPoints_PointAlert?

Also make sure that these files are gone
C:\WINDOWS\Prefetch\RVRGIIBY.EXE
C:\windows\system32\RVRgiIbY.exe
C:\windows\system32\hwlrwL.exe
Make sure you are showing hidden files and folders



Guest

  • Guest
Adware and junks on my computer is slowin me down!
« Reply #8 on: January 19, 2005, 10:32:28 PM »
Here you go!
After all... I removed MyPoints...

Logfile of HijackThis v1.99.0
Scan saved at 8:29:59 PM, on 1/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
C:\Program Files\DIGStream\digstream.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (file missing) (HKCU)
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clie...ts/y/pote_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clie...nts/y/st2_x.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...ol_v1-0-3-9.cab
O16 - DPF: {D44C75D8-C827-473E-8F68-A77E42500782} (Uploader Class) - http://photo.walmart.com/photo/uploads/Web...ploadClient.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSCo...ol_v1-0-3-0.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StyleXPService - Unknown - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TuneUp WinStyler Theme Service - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe

Hope this is clean now! Please check carefully!

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Adware and junks on my computer is slowin me down!
« Reply #9 on: January 20, 2005, 12:05:39 AM »
Looks good, how's everything?

If everything is running smoothly now you should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point

Here's a link, just in case you're unsure how to
http://vil.nai.com/vil/SystemHelpDocs/Disa...eSysRestore.htm

Before you Restart the computer
Do another scan with Hijackthis and put a check next to these entries:

O9 - Extra button: (no name) - {67B50696-04BA-48ea-A697-28AA0EAA9C26} - file://C:\Program Files\MyPoints_PointAlert\Sy800\Tp800\scri800a.htm (file missing) (HKCU)

After you have ticked the above entries, close all other open windows, including this one
Leave HijackThis open and click FIX CHECKED
Click YES and exit HijackThis

Restart your computer
Remember to re-enable system restore when you're back in Windows

Find and delete this folder if it exists
C:\Program Files\MyPoints_PointAlert <--folder

You should set up extra protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link==Download link
Scroll down and click on IE-SPYAD.EXE Free! or IE-SPYAD2.EXE Free!

Regular IE-Spyad for the individual user or IE-Spyad 2 for global protection(All users) on your computer
You only need one or the other

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
« Last Edit: January 20, 2005, 12:06:22 AM by guestolo »



Guest

  • Guest
Adware and junks on my computer is slowin me down!
« Reply #10 on: January 20, 2005, 10:20:36 PM »
Alright... I guess everything is better now!
Thanks, bud!

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Adware and junks on my computer is slowin me down!
« Reply #11 on: January 20, 2005, 10:26:39 PM »
Glad to help out
Stay safe :D
