Browser Hijacked and Outlook is trying to send messages

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

IndyGuy

Thread Starter
Joined
Sep 24, 2003
Messages
3
Hello. I'm on a Dell XPS T600r running Windows 2000 Pro.

My problem is this: When I open IE my intended start page is being replaced with porn related sites. My Temporary Internet Files is being loaded up with porn related crap and the folder that shows Cookies is also full of porn related crap. If you delete all Temporary Internet Files and Cookies then wait just a few minutes they start coming back, even though I'm not going to these sites. It happens automatically. The browser is sitting still and the files and cookies start showing up. When I look at the "Favorites" list on the drop-down on the browser I notice that several porn links have been added as 'favorites'. Also, Outlook is attempting to send messages to "[email protected]" by itself. I'm on my computer at work so it can't hijack a modem but I've read in other posts that my computer is attempting to call some 900 number so that I get stuck with a huge telco bill. Since the messages can't be sent to "[email protected]" Outlook is saving them as 'Drafts'. The messages are being generated automatically and if I leave Outlook open they start showing up.

I've taken the advice I've read in other posts and I have downloaded and run Ad-aware, Spybot - Search and Destroy, CWShredder, HijackThis, and just for kicks, some fix for the Welchia worm. Just running Ad-aware, Spybot, and CWShredder didn't solve my problem. That's when I downloaded HijackThis. I've now run HijackThis and generated two logs. The first is the "HijackThisLog" and the second is the "StartupList" log.

I'm posting them below. Can someone please tell me what I need to check to be deleted via HijackThis for both logs? Thank you.

Here is the "HijackThisLog":

Logfile of HijackThis v1.97.2
Scan saved at 9:32:09 AM, on 9/24/2003
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ePOAgent\naimas32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\PROGRA~1\IOMEGA~1\directcd.exe
C:\Program Files\Real\RealJukebox\tsystray.exe
C:\Program Files\ePOAgent\naimag32.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\IOMEGA~1\EASYCD~1\CreateCD\CreateCD.exe
C:\WINNT\System32\ctfmon.exe
C:\winnt\removed.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Palm\hotsync.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\chollandbeck\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://pornokopec.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://pornokopec.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://pornokopec.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://pornokopec.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SaveWealth
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://pornokopec.com/
O1 - Hosts: 65.77.82.162 easypic.com
O1 - Hosts: 65.77.82.162 pichunter.com
O1 - Hosts: 65.77.82.162 *****slot.com
O1 - Hosts: 65.77.82.162 sexocean.com
O1 - Hosts: 65.77.82.162 thehun.net
O1 - Hosts: 65.77.82.162 worldsex.com
O1 - Hosts: 65.77.82.162 www.easypic.com
O1 - Hosts: 65.77.82.162 www.pichunter.com
O1 - Hosts: 65.77.82.162 www.*****slot.com
O1 - Hosts: 65.77.82.162 www.sexocean.com
O1 - Hosts: 65.77.82.162 www.thehun.net
O1 - Hosts: 65.77.82.162 www.worldsex.com
O1 - Hosts: 65.77.82.162 www.pinkworld.com
O1 - Hosts: 65.77.82.162 pinkworld.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\IOMEGA~1\directcd.exe
O4 - HKLM\..\Run: [SoDA Startup] C:\Program Files\Rational\SoDAWord\Wizards\SodaStartup.exe StartUp
O4 - HKLM\..\Run: [RealJukeboxSystray] "C:\Program Files\Real\RealJukebox\tsystray.exe"
O4 - HKLM\..\Run: [Ebonics Xmas Installer] C:\Documents and Settings\chollandbeck\Local Settings\Temporary Internet Files\Content.IE5\OPQROTUV\setupexm[1].exe
O4 - HKLM\..\Run: [NaimAgent_UI] C:\Program Files\ePOAgent\naimag32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\IOMEGA~1\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [removed] C:\winnt\removed.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\nutafun4.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0006F063-0000-0000-C000-000000000046} (Microsoft Outlook View Control) - file://C:\Program Files\Digital Dashboard\Samples\outlctlx.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {32634F75-03FF-11D4-B346-00C04FA06E32} - http://betamirror2.lifefx.com/FaceOfTheInternet/FacemailUpgrade.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1.1.48-deleon/GoogleNav.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37634.3238194444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D3E12F51-0795-11D2-91CC-00C04FA31C90} (MS Investor Ticker) - file://C:\Program Files\Digital Dashboard\Samples\ticker.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F954DBB1-2BFF-440B-B9B7-8EC81EF2032A}: NameServer = 204.238.181.1,204.238.181.2


Here is the "StartupList" Log:

StartupList report, 9/24/2003, 9:33:06 AM
StartupList version: 1.52
Started from : C:\Documents and Settings\chollandbeck\Desktop\HijackThis.EXE
Detected: Windows 2000 SP2 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ePOAgent\naimas32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\PROGRA~1\IOMEGA~1\directcd.exe
C:\Program Files\Real\RealJukebox\tsystray.exe
C:\Program Files\ePOAgent\naimag32.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\IOMEGA~1\EASYCD~1\CreateCD\CreateCD.exe
C:\WINNT\System32\ctfmon.exe
C:\winnt\removed.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Palm\hotsync.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\chollandbeck\Desktop\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\chollandbeck\Start Menu\Programs\Startup]
HotSync Manager.lnk = C:\Palm\hotsync.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
AtiPTA = atiptaxx.exe
RealTray = C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
Adaptec DirectCD = C:\PROGRA~1\IOMEGA~1\directcd.exe
SoDA Startup = C:\Program Files\Rational\SoDAWord\Wizards\SodaStartup.exe StartUp
RealJukeboxSystray = "C:\Program Files\Real\RealJukebox\tsystray.exe"
Ebonics Xmas Installer = C:\Documents and Settings\chollandbeck\Local Settings\Temporary Internet Files\Content.IE5\OPQROTUV\setupexm[1].exe
NaimAgent_UI = C:\Program Files\ePOAgent\naimag32.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
CreateCD50 = "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
AdaptecDirectCD = "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
RFX_auto_upgrade =
CreateCD = C:\PROGRA~1\IOMEGA~1\EASYCD~1\CreateCD\CreateCD.exe -r

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = ctfmon.exe
removed = C:\winnt\removed.exe

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\Program Files\Network Associates\VirusScan\scrscan.exe
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - c:\winnt\downloaded program files\googletoolbar_en_2.0.95-deleon.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\WINNT\System32\nzdd.dll - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C}

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft Outlook View Control]
InProcServer32 = C:\WINNT\Downloaded Program Files\outlctlx.dll
CODEBASE = file://C:\Program Files\Digital Dashboard\Samples\outlctlx.CAB

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab

[Cult3D ActiveX Player]
InProcServer32 = C:\WINNT\System32\Cult3D\IECult.dll
CODEBASE = http://i.a.cnn.net/cnn/resources/cult3d/cult.cab

[{32634F75-03FF-11D4-B346-00C04FA06E32}]
CODEBASE = http://betamirror2.lifefx.com/FaceOfTheInternet/FacemailUpgrade.cab

[OPUCatalog Class]
InProcServer32 = C:\WINNT\System32\opuc.dll
CODEBASE = http://office.microsoft.com/productupdates/content/opuc.cab

[{6CB5E471-C305-11D3-99A8-000086395495}]
CODEBASE = http://toolbar.google.com/data/en/deleon/1.1.48-deleon/GoogleNav.cab

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37634.3238194444

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[MS Investor Ticker]
InProcServer32 = C:\WINNT\Downloaded Program Files\ticker6.ocx
CODEBASE = file://C:\Program Files\Digital Dashboard\Samples\ticker.cab

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #12: C:\WINNT\system32\nutafun4.dll (file MISSING)
Protocol #13: C:\WINNT\system32\nutafun4.dll (file MISSING)

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 7,289 bytes
Report generated in 0.130 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
Joined
Feb 23, 2003
Messages
16,274
Rescan with HJT and put a check next to these:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://pornokopec.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://pornokopec.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://pornokopec.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://pornokopec.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SaveWealth
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://pornokopec.com/
O1 - Hosts: 65.77.82.162 easypic.com
O1 - Hosts: 65.77.82.162 pichunter.com
O1 - Hosts: 65.77.82.162 *****slot.com
O1 - Hosts: 65.77.82.162 sexocean.com
O1 - Hosts: 65.77.82.162 thehun.net
O1 - Hosts: 65.77.82.162 worldsex.com
O1 - Hosts: 65.77.82.162 www.easypic.com
O1 - Hosts: 65.77.82.162 www.pichunter.com
O1 - Hosts: 65.77.82.162 www.*****slot.com
O1 - Hosts: 65.77.82.162 www.sexocean.com
O1 - Hosts: 65.77.82.162 www.thehun.net
O1 - Hosts: 65.77.82.162 www.worldsex.com
O1 - Hosts: 65.77.82.162 www.pinkworld.com
O1 - Hosts: 65.77.82.162 pinkworld.com
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
O4 - HKCU\..\Run: [removed] C:\winnt\removed.exe

O4 - HKLM\..\Run: [Ebonics Xmas Installer] C:\Documents and Settings\chollandbeck\Local Settings\Temporary Internet Files\Content.IE5\OPQROTUV\setupexm[1].exe
O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\nutafun4.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{F954DBB1-2BFF-440B-B9B7-8EC81EF2032A}: NameServer = 204.238.181.1,204.238.181.2
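
Added example (not part of the original posts, and not HijackThis's own logic): a small Python triage pass over HijackThis log lines that flags four structural patterns among the entries ticked above: an IE search setting pointing at an unlisted host, hosts-file redirects, a Run entry launching from Temporary Internet Files, and a missing LSP provider. The `triage` function, the `TRUSTED_SEARCH_HOSTS` allowlist and the `TRANSIENT_DIRS` markers are assumptions made for illustration; the sample lines are copied from the log in this thread.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://pornokopec.com/
O1 - Hosts: 65.77.82.162 easypic.com
O1 - Hosts: 65.77.82.162 www.pinkworld.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Ebonics Xmas Installer] C:\Documents and Settings\chollandbeck\Local Settings\Temporary Internet Files\Content.IE5\OPQROTUV\setupexm[1].exe
O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\nutafun4.dll' missing
"""

ENTRY_RE = re.compile(r"^([RO]\d{1,2}) - (.*)$")

# Assumption: hosts an analyst accepts as IE search/start targets.
TRUSTED_SEARCH_HOSTS = {"www.microsoft.com", "search.msn.com"}
LOOPBACK = {"127.0.0.1", "::1"}
# Assumption: directories no legitimate autostart entry should run from.
TRANSIENT_DIRS = ("\\temporary internet files\\", "\\temp\\")


def triage(log_text):
    """Return (code, reason) tuples for entries that deserve a closer look."""
    findings = []
    hosts_by_ip = defaultdict(list)

    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if not match:
            continue  # header lines, process list, blank lines
        code, body = match.groups()

        if code in ("R0", "R1"):
            # "<registry key>,<value name> = <data>"
            _, _, value = body.partition(" = ")
            host = urlparse(value.strip()).hostname
            if host and host not in TRUSTED_SEARCH_HOSTS:
                findings.append((code, f"IE setting points at unlisted host {host}"))

        elif code == "O1" and body.startswith("Hosts:"):
            parts = body[len("Hosts:"):].split()
            if len(parts) >= 2 and parts[0] not in LOOPBACK:
                hosts_by_ip[parts[0]].append(parts[1])

        elif code == "O4":
            if any(marker in body.lower() for marker in TRANSIENT_DIRS):
                name = re.search(r"\[(.*?)\]", body)
                label = name.group(1) if name else "(unnamed)"
                findings.append((code, f"autostart '{label}' runs from a transient directory"))

        elif code == "O10" and "missing" in body.lower():
            findings.append((code, "Winsock LSP chain references a missing provider"))

    # Report hosts-file redirects once per target address.
    for ip, names in hosts_by_ip.items():
        findings.append(("O1", f"hosts file maps {len(names)} name(s) to {ip}: {', '.join(names)}"))
    return findings


if __name__ == "__main__":
    for code, reason in triage(SAMPLE_LOG):
        print(f"{code:>3}  {reason}")
```

These checks are structural only: entries such as an unfamiliar BHO DLL or an unexpected NameServer value still need the manual review shown in the reply.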
 

IndyGuy

Thread Starter
Joined
Sep 24, 2003
Messages
3
Motherboard,

I deleted the items you said to delete via HijackThis. I posted the new log below. How does it look?

You had asked me to remove the "removed.exe". I checked for it to be removed and didn't see it in the new log but it does still live on my C drive under the WINNT folder. I tried to delete it from my C drive prior to deleting it via HijackThis and got a pop-up telling me I couldn't delete it. Something about a sharing violation or it being in use. I have no idea what "removed.exe" is but it showed up on my PC about the time all the crap hit the fan and not one other person around me has it on their PC so I'm thinking it's bad.

I ran the Spybot program after deleting the items via HijackThis and it didn't find anything. I've yet to run the LSP fix but will.

Here is the log after the items were deleted...do you see anything you'd question?

---------------------------------------------------------------------------------

Logfile of HijackThis v1.97.2
Scan saved at 11:18:12 AM, on 9/24/2003
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ePOAgent\naimas32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\PROGRA~1\IOMEGA~1\directcd.exe
C:\Program Files\Real\RealJukebox\tsystray.exe
C:\Program Files\ePOAgent\naimag32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\System32\ctfmon.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Palm\hotsync.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\chollandbeck\Desktop\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\IOMEGA~1\directcd.exe
O4 - HKLM\..\Run: [SoDA Startup] C:\Program Files\Rational\SoDAWord\Wizards\SodaStartup.exe StartUp
O4 - HKLM\..\Run: [RealJukeboxSystray] "C:\Program Files\Real\RealJukebox\tsystray.exe"
O4 - HKLM\..\Run: [NaimAgent_UI] C:\Program Files\ePOAgent\naimag32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\IOMEGA~1\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0006F063-0000-0000-C000-000000000046} (Microsoft Outlook View Control) - file://C:\Program Files\Digital Dashboard\Samples\outlctlx.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1.1.48-deleon/GoogleNav.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37634.3238194444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D3E12F51-0795-11D2-91CC-00C04FA31C90} (MS Investor Ticker) - file://C:\Program Files\Digital Dashboard\Samples\ticker.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F954DBB1-2BFF-440B-B9B7-8EC81EF2032A}: NameServer = 204.238.181.1,204.238.181.2
 
Joined
Feb 23, 2003
Messages
16,274
Looks better. As for removed.exe, try the same process in Safe Mode and you should be able to get rid of it.
 

IndyGuy

Thread Starter
Joined
Sep 24, 2003
Messages
3
Motherboard,

Thanks for the help. I was able to delete the "removed.exe" from my C drive now that I've deleted all the items you said to delete via HijackThis.


My Outlook appears to have stopped trying to automatically send messages to "[email protected]" as well.

My Cookies folder isn't automatically loading up with porn crap and neither is my Temporary Internet Files folder. Lastly, my Favorites drop-down isn't getting automatically loaded up with porn links.

I just might be out of the woods. Thank you very much.

-Chris
 