401 EVP HijackThis Log

Discussion in 'Virus & Other Malware Removal' started by gary2, Sep 23, 2003.

  1. gary2

    gary2 Thread Starter

    Joined:
    Sep 23, 2003
    Messages:
    3
    Hi, I keep getting the 401 EVP warning in IE.
    I ran HijackThis and received the following log.
    Any Help as to which ones should be removed would be greatly appreciated.
    Thanks:)

    Logfile of HijackThis v1.97.2
    Scan saved at 3:50:38 PM, on 9/23/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    D:\PROGRAM FILES\TREND\PCCIOMON.EXE
    D:\PROGRAM FILES\TREND\PCCPFW.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
    D:\PROGRAM FILES\PINNACLE\PINNACLE PCTV\REMOTE\REMOTERM.EXE
    C:\WINDOWS\RUNDLL32.EXE
    D:\PROGRAM FILES\TREND\PCCGUIDE.EXE
    D:\PROGRAM FILES\TREND\PCCCLIENT.EXE
    D:\PROGRAM FILES\TREND\POP3TRAP.EXE
    C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
    D:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    D:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    D:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    D:\PROGRAM FILES\DUNMON\DUNMON.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.fastwebfinder.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.fastwebfinder.com/sp.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\securityID=816093-MS03-011&privacyAPI32=x401.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = C:\WINDOWS\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.fastwebfinder.com/hp.php
    O2 - BHO: (no name) - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [PCTVRemote] d:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
    O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
    O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
    O4 - HKLM\..\Run: [PCLEPCI] D:\PROGRA~1\PINNACLE\PPE\ppe.exe
    O4 - HKLM\..\Run: [pccguide.exe] "D:\Program Files\Trend\pccguide.exe"
    O4 - HKLM\..\Run: [PCCIOMON.exe] "D:\Program Files\Trend\PCCIOMON.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "D:\Program Files\Trend\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "D:\Program Files\Trend\Pop3trap.exe"
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\RunServices: [1A:Stardock TrayMonitor] "C:\PROGRAM FILES\COMMON FILES\STARDOCK\TRAYSERVER.EXE"
    O4 - HKLM\..\RunServices: [PCCIOMON.exe] "D:\Program Files\Trend\PCCIOMON.exe"
    O4 - HKLM\..\RunServices: [PCCPFW] D:\Program Files\Trend\PCCPFW.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
    O4 - Startup: winampa.exe.lnk = D:\Program Files\Winamp\winampa.exe
    O4 - Startup: Acrobat Assistant.lnk = ?
    O4 - Startup: Outlook.exe.lnk = D:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://pcworld.idg.com.au
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
    O19 - User stylesheet: c:\windows\java\my.css
     
  2. BlueSpruce

    BlueSpruce

    Joined:
    Jul 24, 2003
    Messages:
    420
    Hi gary2,

    Please do the following:

    Download CWShredder www.spywareinfo.com/~merijn/files/cwshredder.zip
    Close all browser windows, check the Taskbar for minimized windows as well, then run CWShredder.


    Scan with Hijack This, put a check in the following entries and hit "Fix Checked":

    O2 - BHO: (no name) - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - (no file)

    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe

    O19 - User stylesheet: c:\windows\java\my.css


    Shutdown & Reboot your computer

    Navigate to and Delete the following
    c:\windows\java\my.css


    Next, download and install Spybot Search & Destroy www.security.kolla.de Open Spybot Search & Destroy, click Online, Search for updates, download all available updates, log offline, close all browser windows, check your taskbar for minimized windows as well, run Spybot Search & Destroy, put a check in every entry Spybot Search & Destroy returns, and click Fix problems.

    Shutdown & Reboot your computer

    Consider downloading SpywareBlaster v2.6.1 and SpywareGuard v2.2 for the prevention of both Spyware ActiveX installation and running, and Browser Hijacking protection in real-time http://www.wilderssecurity.net/index.html

    When you're finished, rescan with Hijack This and post a new log for a follow-up review

    Good luck
     
  3. gary2

    gary2 Thread Starter

    Joined:
    Sep 23, 2003
    Messages:
    3
    Thanks for your help.

    I now have the following log.

    Logfile of HijackThis v1.97.2
    Scan saved at 10:29:59 PM, on 9/23/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    D:\PROGRAM FILES\TREND\PCCIOMON.EXE
    D:\PROGRAM FILES\TREND\PCCPFW.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
    D:\PROGRAM FILES\PINNACLE\PINNACLE PCTV\REMOTE\REMOTERM.EXE
    C:\WINDOWS\RUNDLL32.EXE
    D:\PROGRAM FILES\TREND\PCCGUIDE.EXE
    D:\PROGRAM FILES\TREND\PCCCLIENT.EXE
    D:\PROGRAM FILES\TREND\POP3TRAP.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
    D:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    D:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    D:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [PCTVRemote] d:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
    O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
    O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
    O4 - HKLM\..\Run: [PCLEPCI] D:\PROGRA~1\PINNACLE\PPE\ppe.exe
    O4 - HKLM\..\Run: [pccguide.exe] "D:\Program Files\Trend\pccguide.exe"
    O4 - HKLM\..\Run: [PCCIOMON.exe] "D:\Program Files\Trend\PCCIOMON.exe"
    O4 - HKLM\..\Run: [PCCClient.exe] "D:\Program Files\Trend\PCCClient.exe"
    O4 - HKLM\..\Run: [Pop3trap.exe] "D:\Program Files\Trend\Pop3trap.exe"
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\RunServices: [1A:Stardock TrayMonitor] "C:\PROGRAM FILES\COMMON FILES\STARDOCK\TRAYSERVER.EXE"
    O4 - HKLM\..\RunServices: [PCCIOMON.exe] "D:\Program Files\Trend\PCCIOMON.exe"
    O4 - HKLM\..\RunServices: [PCCPFW] D:\Program Files\Trend\PCCPFW.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
    O4 - Startup: winampa.exe.lnk = D:\Program Files\Winamp\winampa.exe
    O4 - Startup: Acrobat Assistant.lnk = ?
    O4 - Startup: Outlook.exe.lnk = D:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://pcworld.idg.com.au
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab

    I am also unsure on a few other things.
    1. Was the 401 EVP warning authentic, or just some kind of hoax to get people to buy software?
    2. Was my security at great vulnerability, i.e. should I change my passwords etc.?
    3. Should I run ZoneAlarm with SpywareBlaster and SpywareGuard, or would this cause conflicts?

    Thanks
     
  4. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    1. Was the 401 EVP warning authentic, or just some kind of hoax to get people to buy software?

    Run your mouse over the "warning"; if the pointer turns into a hand and finger, it's an ad.

    2. Was my security at great vulnerability, i.e. should I change my passwords etc.?

    Probably not, but it never hurts to change passwords once in a while.

    3. Should I run ZoneAlarm with SpywareBlaster and SpywareGuard, or would this cause conflicts?

    In general, I would not think you would get any conflicts.
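
Added example, not part of the original thread: a short Python check that compares a HijackThis log taken before cleanup with the follow-up log, and confirms that the entries a helper asked to fix are really gone. The sample lines are copied from the two logs above; the function names `parse`, `diff` and `still_present` are assumptions made for this illustration.

```python
import re

# Constructed sample: a subset of the entries from the first log in this thread.
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.fastwebfinder.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = C:\WINDOWS\system32\searchbar.html
O2 - BHO: (no name) - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O19 - User stylesheet: c:\windows\java\my.css
"""
# Constructed sample: a subset of the entries from the follow-up log.
AFTER = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
"""
# The three entries the helper asked to tick before pressing "Fix Checked".
FIXED = r"""
O2 - BHO: (no name) - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - (no file)
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O19 - User stylesheet: c:\windows\java\my.css
"""

# A log entry is "<section code> - <detail>", e.g. "R1 - ..." or "O19 - ...".
# Header lines and the running-process paths do not match and are skipped.
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")

def parse(log):
    """Return the set of (section, detail) entries found in a log."""
    return {(m.group(1), m.group(2))
            for line in log.splitlines() if (m := ENTRY.match(line))}

def diff(before, after):
    """Return (removed, added) entries between two scans, each sorted."""
    b, a = parse(before), parse(after)
    return sorted(b - a), sorted(a - b)

def still_present(fixed, after):
    """Entries that were marked for fixing but survive in the follow-up log."""
    return sorted(parse(fixed) & parse(after))

if __name__ == "__main__":
    removed, added = diff(BEFORE, AFTER)
    for label, rows in (("removed", removed), ("added", added)):
        for section, detail in rows:
            print(f"{label:8}{section:4}{detail}")
    print("unresolved:", still_present(FIXED, AFTER))
```

Entries that show up as added deserve the same review as the original log; here they are the protection tools installed during the cleanup.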
     