
Browser Hijacked and Outlook is trying to send messages

Discussion in 'Virus & Other Malware Removal' started by IndyGuy, Sep 24, 2003.

Thread Status:
Not open for further replies.
  1. IndyGuy

    IndyGuy Thread Starter

    Joined:
    Sep 24, 2003
    Messages:
    3
    Hello. I'm on a Dell XPS T600r running Windows 2000 Pro.

    My problem is this: When I open IE my intended start page is being replaced with porn related sites. My Temporary Internet Files is being loaded up with porn related crap and the folder that shows Cookies is also full of porn related crap. If you delete all Temporary Internet Files and Cookies then wait just a few minutes they start coming back, even though I'm not going to these sites. It happens automatically. The browser is sitting still and the files and cookies start showing up. When I look at the "Favorites" list on the drop-down on the browser I notice that several porn links have been added as 'favorites'. Also, Outlook is attempting to send messages to "[email protected]" by itself. I'm on my computer at work so it can't hijack a modem but I've read in other posts that my computer is attempting to call some 900 number so that I get stuck with a huge telco bill. Since the messages can't be sent to "[email protected]" Outlook is saving them as 'Drafts'. The messages are being generated automatically and if I leave Outlook open they start showing up.

    I've taken the advice I've read in other posts and I have downloaded and run Ad-aware, Spybot - Search and Destroy, CWShredder, HijackThis, and just for kicks, some fix for the Welchia worm. Just running Ad-aware, Spybot, and CWShredder didn't solve my problem. That's when I downloaded HijackThis. I've now run HijackThis and generated two logs. The first is the "HijackThisLog" and the second is the "StartupList" log.

    I'm posting them below. Can someone please tell me what I need to check to be deleted via HijackThis for both logs? Thank you.

    Here is the "HijackThisLog":

    Logfile of HijackThis v1.97.2
    Scan saved at 9:32:09 AM, on 9/24/2003
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\SYSTEM32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ePOAgent\naimas32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\Program Files\Network Associates\VirusScan\Webscanx.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\atiptaxx.exe
    C:\Program Files\Real\RealPlayer\realplay.exe
    C:\PROGRA~1\IOMEGA~1\directcd.exe
    C:\Program Files\Real\RealJukebox\tsystray.exe
    C:\Program Files\ePOAgent\naimag32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\IOMEGA~1\EASYCD~1\CreateCD\CreateCD.exe
    C:\WINNT\System32\ctfmon.exe
    C:\winnt\removed.exe
    C:\MSSQL7\Binn\sqlmangr.exe
    C:\Palm\hotsync.exe
    C:\WINNT\System32\ctfmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\chollandbeck\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://pornokopec.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://pornokopec.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://pornokopec.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://pornokopec.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SaveWealth
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://pornokopec.com/
    O1 - Hosts: 65.77.82.162 easypic.com
    O1 - Hosts: 65.77.82.162 pichunter.com
    O1 - Hosts: 65.77.82.162 *****slot.com
    O1 - Hosts: 65.77.82.162 sexocean.com
    O1 - Hosts: 65.77.82.162 thehun.net
    O1 - Hosts: 65.77.82.162 worldsex.com
    O1 - Hosts: 65.77.82.162 www.easypic.com
    O1 - Hosts: 65.77.82.162 www.pichunter.com
    O1 - Hosts: 65.77.82.162 www.*****slot.com
    O1 - Hosts: 65.77.82.162 www.sexocean.com
    O1 - Hosts: 65.77.82.162 www.thehun.net
    O1 - Hosts: 65.77.82.162 www.worldsex.com
    O1 - Hosts: 65.77.82.162 www.pinkworld.com
    O1 - Hosts: 65.77.82.162 pinkworld.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\IOMEGA~1\directcd.exe
    O4 - HKLM\..\Run: [SoDA Startup] C:\Program Files\Rational\SoDAWord\Wizards\SodaStartup.exe StartUp
    O4 - HKLM\..\Run: [RealJukeboxSystray] "C:\Program Files\Real\RealJukebox\tsystray.exe"
    O4 - HKLM\..\Run: [Ebonics Xmas Installer] C:\Documents and Settings\chollandbeck\Local Settings\Temporary Internet Files\Content.IE5\OPQROTUV\setupexm[1].exe
    O4 - HKLM\..\Run: [NaimAgent_UI] C:\Program Files\ePOAgent\naimag32.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\IOMEGA~1\EASYCD~1\CreateCD\CreateCD.exe -r
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [removed] C:\winnt\removed.exe
    O4 - Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
    O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\nutafun4.dll' missing
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0006F063-0000-0000-C000-000000000046} (Microsoft Outlook View Control) - file://C:\Program Files\Digital Dashboard\Samples\outlctlx.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
    O16 - DPF: {32634F75-03FF-11D4-B346-00C04FA06E32} - http://betamirror2.lifefx.com/FaceOfTheInternet/FacemailUpgrade.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1.1.48-deleon/GoogleNav.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37634.3238194444
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D3E12F51-0795-11D2-91CC-00C04FA31C90} (MS Investor Ticker) - file://C:\Program Files\Digital Dashboard\Samples\ticker.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F954DBB1-2BFF-440B-B9B7-8EC81EF2032A}: NameServer = 204.238.181.1,204.238.181.2


    Here is the "StartupList" Log:

    StartupList report, 9/24/2003, 9:33:06 AM
    StartupList version: 1.52
    Started from : C:\Documents and Settings\chollandbeck\Desktop\HijackThis.EXE
    Detected: Windows 2000 SP2 (WinNT 5.00.2195)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\SYSTEM32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ePOAgent\naimas32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\Program Files\Network Associates\VirusScan\Webscanx.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\atiptaxx.exe
    C:\Program Files\Real\RealPlayer\realplay.exe
    C:\PROGRA~1\IOMEGA~1\directcd.exe
    C:\Program Files\Real\RealJukebox\tsystray.exe
    C:\Program Files\ePOAgent\naimag32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\IOMEGA~1\EASYCD~1\CreateCD\CreateCD.exe
    C:\WINNT\System32\ctfmon.exe
    C:\winnt\removed.exe
    C:\MSSQL7\Binn\sqlmangr.exe
    C:\Palm\hotsync.exe
    C:\WINNT\System32\ctfmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\chollandbeck\Desktop\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\chollandbeck\Start Menu\Programs\Startup]
    HotSync Manager.lnk = C:\Palm\hotsync.exe

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Synchronization Manager = mobsync.exe /logon
    AtiPTA = atiptaxx.exe
    RealTray = C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
    Adaptec DirectCD = C:\PROGRA~1\IOMEGA~1\directcd.exe
    SoDA Startup = C:\Program Files\Rational\SoDAWord\Wizards\SodaStartup.exe StartUp
    RealJukeboxSystray = "C:\Program Files\Real\RealJukebox\tsystray.exe"
    Ebonics Xmas Installer = C:\Documents and Settings\chollandbeck\Local Settings\Temporary Internet Files\Content.IE5\OPQROTUV\setupexm[1].exe
    NaimAgent_UI = C:\Program Files\ePOAgent\naimag32.exe
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    CreateCD50 = "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    AdaptecDirectCD = "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    RFX_auto_upgrade =
    CreateCD = C:\PROGRA~1\IOMEGA~1\EASYCD~1\CreateCD\CreateCD.exe -r

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = ctfmon.exe
    removed = C:\winnt\removed.exe

    --------------------------------------------------

    Shell & screensaver key from C:\WINNT\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\Program Files\Network Associates\VirusScan\scrscan.exe
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
    (no name) - c:\winnt\downloaded program files\googletoolbar_en_2.0.95-deleon.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
    (no name) - C:\WINNT\System32\nzdd.dll - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C}

    --------------------------------------------------

    Enumerating Download Program Files:

    [Microsoft Outlook View Control]
    InProcServer32 = C:\WINNT\Downloaded Program Files\outlctlx.dll
    CODEBASE = file://C:\Program Files\Digital Dashboard\Samples\outlctlx.CAB

    [QuickTime Object]
    InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab

    [Cult3D ActiveX Player]
    InProcServer32 = C:\WINNT\System32\Cult3D\IECult.dll
    CODEBASE = http://i.a.cnn.net/cnn/resources/cult3d/cult.cab

    [{32634F75-03FF-11D4-B346-00C04FA06E32}]
    CODEBASE = http://betamirror2.lifefx.com/FaceOfTheInternet/FacemailUpgrade.cab

    [OPUCatalog Class]
    InProcServer32 = C:\WINNT\System32\opuc.dll
    CODEBASE = http://office.microsoft.com/productupdates/content/opuc.cab

    [{6CB5E471-C305-11D3-99A8-000086395495}]
    CODEBASE = http://toolbar.google.com/data/en/deleon/1.1.48-deleon/GoogleNav.cab

    [Update Class]
    InProcServer32 = C:\WINNT\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37634.3238194444

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [MS Investor Ticker]
    InProcServer32 = C:\WINNT\Downloaded Program Files\ticker6.ocx
    CODEBASE = file://C:\Program Files\Digital Dashboard\Samples\ticker.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    Protocol #12: C:\WINNT\system32\nutafun4.dll (file MISSING)
    Protocol #13: C:\WINNT\system32\nutafun4.dll (file MISSING)

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
    WebCheck: C:\WINNT\System32\webcheck.dll
    SysTray: stobject.dll

    --------------------------------------------------
    End of report, 7,289 bytes
    Report generated in 0.130 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  2. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Rescan with hjt and put a check next to these

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://pornokopec.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://pornokopec.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://pornokopec.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://pornokopec.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SaveWealth
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://pornokopec.com/
    O1 - Hosts: 65.77.82.162 easypic.com
    O1 - Hosts: 65.77.82.162 pichunter.com
    O1 - Hosts: 65.77.82.162 *****slot.com
    O1 - Hosts: 65.77.82.162 sexocean.com
    O1 - Hosts: 65.77.82.162 thehun.net
    O1 - Hosts: 65.77.82.162 worldsex.com
    O1 - Hosts: 65.77.82.162 www.easypic.com
    O1 - Hosts: 65.77.82.162 www.pichunter.com
    O1 - Hosts: 65.77.82.162 www.*****slot.com
    O1 - Hosts: 65.77.82.162 www.sexocean.com
    O1 - Hosts: 65.77.82.162 www.thehun.net
    O1 - Hosts: 65.77.82.162 www.worldsex.com
    O1 - Hosts: 65.77.82.162 www.pinkworld.com
    O1 - Hosts: 65.77.82.162 pinkworld.com
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
    O4 - HKCU\..\Run: [removed] C:\winnt\removed.exe

    O4 - HKLM\..\Run: [Ebonics Xmas Installer] C:\Documents and Settings\chollandbeck\Local Settings\Temporary Internet Files\Content.IE5\OPQROTUV\setupexm[1].exe
    O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\nutafun4.dll' missing
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F954DBB1-2BFF-440B-B9B7-8EC81EF2032A}: NameServer = 204.238.181.1,204.238.181.2
     
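    The entry types mobo checks off above (R1 search hijacks, O1 hosts-file redirects, an unnamed O2 BHO in System32, O4 Run entries launched from the browser cache or dropped bare into the Windows directory, the broken O10 LSP chain, and the O17 NameServer override) can be triaged mechanically. The script below is an added example written for this page; it is not part of the thread and is not HijackThis's own logic. The sample log is constructed from lines copied out of the first log above (plus a loopback hosts line added for contrast), and the "expected search hosts" set, the known-good executable list and the path heuristics are assumptions to adjust per machine. One caveat a practitioner would add: an O17 NameServer entry is only suspicious if the addresses are not your network's DNS servers, which on a work PC they may well be, so the script reports it for review rather than as malicious (the same O17 line still appears in the follow-up log later in this thread).

```python
"""Triage a HijackThis-style log for the hijack patterns seen in this thread.

Added example, not HijackThis code. Heuristics only: every hit is something
to look at, not proof of infection.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines copied from the log posted above, plus one
# loopback hosts line (not in the original log) to show it is NOT flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://pornokopec.com/
O1 - Hosts: 65.77.82.162 easypic.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINNT\System32\nzdd.dll
O4 - HKLM\..\Run: [Ebonics Xmas Installer] C:\Documents and Settings\chollandbeck\Local Settings\Temporary Internet Files\Content.IE5\OPQROTUV\setupexm[1].exe
O4 - HKCU\..\Run: [removed] C:\winnt\removed.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O10 - Broken Internet access because of LSP provider 'c:\winnt\system32\nutafun4.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{F954DBB1-2BFF-440B-B9B7-8EC81EF2032A}: NameServer = 204.238.181.1,204.238.181.2
"""

# Assumptions to tune per machine.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "www.msn.com"}   # assumed allowlist
KNOWN_WINDIR_EXES = {"explorer.exe"}                         # assumed allowlist
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}                   # blocklist-style hosts entries
CACHE_MARKERS = ("temporary internet files", "content.ie5", "\\temp\\")

_R_RE = re.compile(r"^R[01] - .*?= (https?://\S+)")
_HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
_BHO_RE = re.compile(r"^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.+)$")
_RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.*?)\] (.+)$")
_O17_RE = re.compile(r"^O17 - .*NameServer = (.+)$")
# First executable path in a Run command, with or without surrounding quotes.
_EXE_RE = re.compile(r'^"?(.+?\.(?:exe|com|bat|cmd|scr|pif))', re.IGNORECASE)
# A DLL/OCX sitting directly in System32 (legitimate BHOs normally live under Program Files).
_SYSDIR_DLL_RE = re.compile(r"^[a-z]:\\win(?:nt|dows)\\system32\\[^\\]+\.(?:dll|ocx)$", re.I)
# A bare .exe dropped straight into the Windows directory, like C:\winnt\removed.exe.
_BARE_WINDIR_EXE_RE = re.compile(r"^[a-z]:\\win(?:nt|dows)\\[^\\]+\.exe$", re.I)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _exe_path(cmd: str) -> str:
    m = _EXE_RE.match(cmd.strip())
    return m.group(1) if m else cmd.strip()


def triage(log_text: str) -> list[Finding]:
    """Return the log lines worth checking off, in log order, with a reason each."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := _R_RE.match(line):
            host = urlparse(m.group(1)).hostname or ""
            if host not in EXPECTED_SEARCH_HOSTS:
                findings.append(Finding("R1", f"IE search/start setting points at {host}", line))
        elif m := _HOSTS_RE.match(line):
            ip, name = m.groups()
            if ip not in LOOPBACK:  # loopback entries block; anything else redirects
                findings.append(Finding("O1", f"hosts file sends {name} to {ip} (non-loopback redirect)", line))
        elif m := _BHO_RE.match(line):
            name, path = m.groups()
            if name == "(no name)" and _SYSDIR_DLL_RE.match(path):
                findings.append(Finding("O2", f"unnamed BHO loading {path} straight from System32", line))
        elif m := _RUN_RE.match(line):
            hive, label, cmd = m.groups()
            path = _exe_path(cmd)
            low = path.lower()
            if any(marker in low for marker in CACHE_MARKERS):
                findings.append(Finding("O4", f"{hive} Run entry [{label}] executes from browser cache/temp: {path}", line))
            elif _BARE_WINDIR_EXE_RE.match(path) and low.rsplit("\\", 1)[-1] not in KNOWN_WINDIR_EXES:
                findings.append(Finding("O4", f"{hive} Run entry [{label}] is a bare executable in the Windows directory: {path}", line))
        elif line.startswith("O10 - ") and "missing" in line:
            findings.append(Finding("O10", "Winsock LSP chain references a missing DLL; the chain must be repaired, not just the entry deleted", line))
        elif m := _O17_RE.match(line):
            findings.append(Finding("O17", f"NameServer override {m.group(1)}; confirm these are your network's DNS servers before removing", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}")
```

    Run it against a saved HijackThis log by passing the file contents to `triage()`; untouched entries (the Acrobat BHO, the QuickTime Run entry, the loopback hosts line) produce no output, which is the point of the allowlists and the loopback check.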
  3. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
  4. IndyGuy

    IndyGuy Thread Starter

    Joined:
    Sep 24, 2003
    Messages:
    3
    Motherboard,

    I deleted the items you said to delete via HijackThis. I posted the new log below. How does it look?

    You had asked me to remove the "removed.exe". I checked for it to be removed and didn't see it in the new log but it does still live on my C drive under the WINNT folder. I tried to delete it from my C drive prior to deleting it via HijackThis and got a pop-up telling me I couldn't delete it. Something about a sharing violation or it being in use. I have no idea what "removed.exe" is but it showed up on my PC about the time all the crap hit the fan and not one other person around me has it on their PC so I'm thinking it's bad.

    I ran the Spybot program after deleting the items via HijackThis and it didn't find anything. I've yet to run the LSP fix but will.

    Here is the log after the items were deleted...do you see anything you'd question?

    ---------------------------------------------------------------------------------

    Logfile of HijackThis v1.97.2
    Scan saved at 11:18:12 AM, on 9/24/2003
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\SYSTEM32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ePOAgent\naimas32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\Webscanx.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\atiptaxx.exe
    C:\Program Files\Real\RealPlayer\realplay.exe
    C:\PROGRA~1\IOMEGA~1\directcd.exe
    C:\Program Files\Real\RealJukebox\tsystray.exe
    C:\Program Files\ePOAgent\naimag32.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINNT\System32\ctfmon.exe
    C:\MSSQL7\Binn\sqlmangr.exe
    C:\Palm\hotsync.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Documents and Settings\chollandbeck\Desktop\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\IOMEGA~1\directcd.exe
    O4 - HKLM\..\Run: [SoDA Startup] C:\Program Files\Rational\SoDAWord\Wizards\SodaStartup.exe StartUp
    O4 - HKLM\..\Run: [RealJukeboxSystray] "C:\Program Files\Real\RealJukebox\tsystray.exe"
    O4 - HKLM\..\Run: [NaimAgent_UI] C:\Program Files\ePOAgent\naimag32.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\IOMEGA~1\EASYCD~1\CreateCD\CreateCD.exe -r
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0006F063-0000-0000-C000-000000000046} (Microsoft Outlook View Control) - file://C:\Program Files\Digital Dashboard\Samples\outlctlx.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1.1.48-deleon/GoogleNav.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37634.3238194444
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D3E12F51-0795-11D2-91CC-00C04FA31C90} (MS Investor Ticker) - file://C:\Program Files\Digital Dashboard\Samples\ticker.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F954DBB1-2BFF-440B-B9B7-8EC81EF2032A}: NameServer = 204.238.181.1,204.238.181.2
     
  5. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Looks better, and as for removed.exe, try the same process in safe mode and you should be able to get rid of it.
     
  6. IndyGuy

    IndyGuy Thread Starter

    Joined:
    Sep 24, 2003
    Messages:
    3
    Motherboard,

    Thanks for the help. I was able to delete the "removed.exe" from my C drive now that I've deleted all the items you said to delete via HijackThis.


    My Outlook appears to have stopped trying to automatically send messages to "[email protected]" as well.

    My Cookies folder isn't automatically loading up with porn crap and neither is my Temporary Internet Files folder. Lastly, my Favorites drop-down isn't getting automatically loaded up with porn links.

    I just might be out of the woods. Thank you very much.

    -Chris
     
  7. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    You're welcome, and post back if anything else pops up.
     

Short URL to this thread: https://techguy.org/167074
