
Help with xrenoder please!!!

Discussion in 'Virus & Other Malware Removal' started by Heather Jack, Sep 11, 2003.

Thread Status:
Not open for further replies.
  1. Heather Jack

    Heather Jack Thread Starter

    Joined:
    Sep 11, 2003
    Messages:
    11
    Here's my log file. I would greatly appreciate it if someone could help me with this. I have been working on the problem all morning. Thanks so much =)

    Logfile of HijackThis v1.97.1
    Scan saved at 9:49:33 AM, on 9/11/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2614.3500)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ATI2PLXX.EXE
    C:\PROGRAM FILES\EASY INTERNET\ENCMONTR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
    C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
    C:\TOSHIBA\IVP\ISM\PINGER.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\2WIRE\HOMEPORTAL\2PORTALMON.EXE
    C:\PROGRAM FILES\DOWNLOADWARE\DW.EXE
    C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\LOGITECH\WINGMAN SOFTWARE\LWEMON.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
    C:\PROGRAM FILES\EARTHLINK TOTALACCESS\FASTLANE\IPCLIENT.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://sharempeg.com/find/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://193.125.201.50
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://193.125.201.50
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=129193
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.freehqmovies.com/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/toshiba/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = toshiba.my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/p/toshiba/?http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com/p/toshiba/?http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://193.125.201.50
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.espn.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.search-2003.com/
    O1 - Hosts: 193.125.201.50 msn.com
    O1 - Hosts: 193.125.201.50 search.msn.com
    O1 - Hosts: 193.125.201.50 auto.search.msn.com
    O1 - Hosts: 193.125.201.50 ie.search.msn.com
    O1 - Hosts: 193.125.201.46 thehun.net
    O1 - Hosts: 193.125.201.46 www.thehun.net
    O1 - Hosts: 193.125.201.46 thehun.com
    O1 - Hosts: 193.125.201.46 www.thehun.com
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
    O2 - BHO: (no name) - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\WINDOWS\SYSTEM\COMET\BIN\CSBHO.DLL (file missing)
    O2 - BHO: (no name) - {27A5FF76-9919-492C-98E3-EDA3502FC829} - C:\WINDOWS\SYSTEM\ML_32.DLL
    O2 - BHO: SmartPops - {D5C778F1-CF13-4E70-ADF0-45A953E7CB8B} - C:\PROGRAM FILES\NETWORK ESSENTIALS\V11\NE.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: Comet Cursor Companion - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\WINDOWS\SYSTEM\COMET\BIN\CSIETB.DLL (file missing)
    O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRAM FILES\ISTBAR\ISTBAR.DLL (file missing)
    O3 - Toolbar: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
    O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [CC2KUI] C:\WINDOWS\SYSTEM\Comet\Bin\comet.exe
    O4 - HKLM\..\Run: [2wSysTray] C:\PROGRAM FILES\2WIRE\HOMEPORTAL\2PORTALMON.EXE
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [SwimSuitNetwork] "C:\Program Files\SwimSuitNetwork\SwimSuitNetwork.exe" /H
    O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
    O4 - HKLM\..\Run: [rb32 lptt01] "c:\program files\rb32\rb32.exe"
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [winmain] winmain.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ATIPOLAB] ati2plxx.exe
    O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Easy Internet\ENCMONTR.EXE
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [Start WingMan Profiler] "c:\Program Files\Logitech\WingMan Software\Lwtest.exe" /detect /quiet /launch "c:\Program Files\Logitech\WingMan Software\LwEmon.exe /noui"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [5-1-25-538] c:\windows\5-1-25-538.exe -m
    O4 - HKCU\..\Run: [WeatherCast] C:\Program Files\WeatherCast\Weather.exe /q
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
    O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    O4 - Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
    O4 - Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O13 - DefaultPrefix: http://193.125.201.50/?trk=
    O14 - IERESET.INF: START_PAGE_URL=toshiba.my.yahoo.com
    O16 - DPF: {B3AA2F6B-6BAF-11D3-BA05-00C0F0322972} - http://209.132.192.13/pcpop2/download/Uncensored_Sex.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {11BF0E2B-4229-4ADC-9C11-1C6968731018} (Download Class) - http://www.0190-dialer.com/VLoading.cab
    O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://www.getweathercast.com/WeatherAutoCAST0014.cab
    O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://64.156.188.99/iwasher/pptproactauth/internetwasherpro.cab
    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37862.535462963
    O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ancestry.com/asfiles/files/install/MFImgVwr.cab
     
  2. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
  3. Heather Jack

    Heather Jack Thread Starter

    Joined:
    Sep 11, 2003
    Messages:
    11
    Thank you so much for your quick reply.

    I just tried to scan with rapidblaster killer and got the message "no rapid blaster processes detected". What should I do now?

    Here's an updated scan. Again, thank you so much for your help!!

    Logfile of HijackThis v1.97.1
    Scan saved at 10:43:39 AM, on 9/11/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2614.3500)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ATI2PLXX.EXE
    C:\PROGRAM FILES\EASY INTERNET\ENCMONTR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
    C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
    C:\TOSHIBA\IVP\ISM\PINGER.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\2WIRE\HOMEPORTAL\2PORTALMON.EXE
    C:\PROGRAM FILES\DOWNLOADWARE\DW.EXE
    C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\LOGITECH\WINGMAN SOFTWARE\LWEMON.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://sharempeg.com/find/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://193.125.201.50
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://193.125.201.50
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=129193
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.freehqmovies.com/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/toshiba/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = toshiba.my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/p/toshiba/?http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com/p/toshiba/?http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://193.125.201.50
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.espn.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.search-2003.com/
    O1 - Hosts: 193.125.201.50 msn.com
    O1 - Hosts: 193.125.201.50 search.msn.com
    O1 - Hosts: 193.125.201.50 auto.search.msn.com
    O1 - Hosts: 193.125.201.50 ie.search.msn.com
    O1 - Hosts: 193.125.201.46 thehun.net
    O1 - Hosts: 193.125.201.46 www.thehun.net
    O1 - Hosts: 193.125.201.46 thehun.com
    O1 - Hosts: 193.125.201.46 www.thehun.com
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
    O2 - BHO: (no name) - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\WINDOWS\SYSTEM\COMET\BIN\CSBHO.DLL (file missing)
    O2 - BHO: (no name) - {27A5FF76-9919-492C-98E3-EDA3502FC829} - C:\WINDOWS\SYSTEM\ML_32.DLL
    O2 - BHO: SmartPops - {D5C778F1-CF13-4E70-ADF0-45A953E7CB8B} - C:\PROGRAM FILES\NETWORK ESSENTIALS\V11\NE.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: Comet Cursor Companion - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\WINDOWS\SYSTEM\COMET\BIN\CSIETB.DLL (file missing)
    O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRAM FILES\ISTBAR\ISTBAR.DLL (file missing)
    O3 - Toolbar: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
    O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [CC2KUI] C:\WINDOWS\SYSTEM\Comet\Bin\comet.exe
    O4 - HKLM\..\Run: [2wSysTray] C:\PROGRAM FILES\2WIRE\HOMEPORTAL\2PORTALMON.EXE
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [SwimSuitNetwork] "C:\Program Files\SwimSuitNetwork\SwimSuitNetwork.exe" /H
    O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
    O4 - HKLM\..\Run: [rb32 lptt01] "c:\program files\rb32\rb32.exe"
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [winmain] winmain.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ATIPOLAB] ati2plxx.exe
    O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Easy Internet\ENCMONTR.EXE
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [Start WingMan Profiler] "c:\Program Files\Logitech\WingMan Software\Lwtest.exe" /detect /quiet /launch "c:\Program Files\Logitech\WingMan Software\LwEmon.exe /noui"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [5-1-25-538] c:\windows\5-1-25-538.exe -m
    O4 - HKCU\..\Run: [WeatherCast] C:\Program Files\WeatherCast\Weather.exe /q
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
    O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    O4 - Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
    O4 - Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O13 - DefaultPrefix: http://193.125.201.50/?trk=
    O14 - IERESET.INF: START_PAGE_URL=toshiba.my.yahoo.com
    O16 - DPF: {B3AA2F6B-6BAF-11D3-BA05-00C0F0322972} - http://209.132.192.13/pcpop2/download/Uncensored_Sex.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {11BF0E2B-4229-4ADC-9C11-1C6968731018} (Download Class) - http://www.0190-dialer.com/VLoading.cab
    O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://www.getweathercast.com/WeatherAutoCAST0014.cab
    O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://64.156.188.99/iwasher/pptproactauth/internetwasherpro.cab
    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37862.535462963
    O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ancestry.com/asfiles/files/install/MFImgVwr.cab
     
  4. Heather Jack

    Heather Jack Thread Starter

    Joined:
    Sep 11, 2003
    Messages:
    11
    I just removed rb32 from my add/remove file. Hopefully this got rid of that. It said the program had already been uninstalled.
     
  5. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    well, I see rapidblaster there, possibly a leftover.
    anyway... let's do the manual thing :)

    run hijackthis again and put a checkmark against these entries....
    .....then, close all browser and outlook windows and "fix checked"

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://193.125.201.50
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://193.125.201.50
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_...count_id=129193
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.freehqmovies.com/search/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://193.125.201.50
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.search-2003.com/
    O1 - Hosts: 193.125.201.50 msn.com
    O1 - Hosts: 193.125.201.50 search.msn.com
    O1 - Hosts: 193.125.201.50 auto.search.msn.com
    O1 - Hosts: 193.125.201.50 ie.search.msn.com
    O1 - Hosts: 193.125.201.46 thehun.net
    O1 - Hosts: 193.125.201.46 www.thehun.net
    O1 - Hosts: 193.125.201.46 thehun.com
    O1 - Hosts: 193.125.201.46 www.thehun.com
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
    O2 - BHO: (no name) - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\WINDOWS\SYSTEM\COMET\BIN\CSBHO.DLL (file missing)
    O2 - BHO: (no name) - {27A5FF76-9919-492C-98E3-EDA3502FC829} - C:\WINDOWS\SYSTEM\ML_32.DLL
    O3 - Toolbar: Comet Cursor Companion - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\WINDOWS\SYSTEM\COMET\BIN\CSIETB.DLL (file missing)
    O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRAM FILES\ISTBAR\ISTBAR.DLL (file missing)
    O3 - Toolbar: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - (no file)
    O4 - HKLM\..\Run: [CC2KUI] C:\WINDOWS\SYSTEM\Comet\Bin\comet.exe
    O4 - HKLM\..\Run: [SwimSuitNetwork] "C:\Program Files\SwimSuitNetwork\SwimSuitNetwork.exe" /H
    O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
    O4 - HKLM\..\Run: [rb32 lptt01] "c:\program files\rb32\rb32.exe"
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [winmain] winmain.exe
    O4 - HKCU\..\Run: [WeatherCast] C:\Program Files\WeatherCast\Weather.exe /q
    O13 - DefaultPrefix: http://193.125.201.50/?trk=
    O16 - DPF: {B3AA2F6B-6BAF-11D3-BA05-00C0F0322972} - http://209.132.192.13/pcpop2/downlo...ensored_Sex.exe
    O16 - DPF: {11BF0E2B-4229-4ADC-9C11-1C6968731018} (Download Class) - http://www.0190-dialer.com/VLoading.cab
    O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://www.getweathercast.com/WeatherAutoCAST0014.cab
    O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab

    reboot into safe mode (by tapping the F8 key as Windows boots up)
    and delete:
    C:\WINDOWS\SYSTEM\NZDD.DLL
    C:\WINDOWS\SYSTEM\COMET [FOLDER]
    C:\WINDOWS\SYSTEM\ML_32.DLL
    C:\PROGRAM FILES\ISTBAR [FOLDER]
    C:\PROGRAM FILES\ISTBAR [FOLDER]
    C:\Program Files\SwimSuitNetwork [FOLDER]
    C:\Program Files\DownloadWare [FOLDER]
    c:\program files\rb32 [FOLDER]
    C:\Program Files\ISTsvc [FOLDER]
    C:\WINDOWS\SYSTEM32\WINMAIN.EXE

    after that:
    Spybot Search & Destroy http://beam.to/spybotsd

    After installing, first press Online, and search for, put a check mark at, and install all updates.

    Next, close all Internet Explorer windows...... hit 'Check for Problems', and have SpyBot remove/fix all it finds.

    Reboot

    Last, run HJT again and post your log again to see if anything was missed.

    Thanx;)
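
The follow-up check requested in the post above (rescan and see whether anything was missed), as an added example that is not part of the original thread: a small parser for HijackThis item lines that flags entries of the kinds selected for fixing and compares two scans. The function names and the three heuristics are assumptions made for illustration, and both sample logs are constructed, using documentation-range addresses and placeholder CLSIDs.

```python
import re
from urllib.parse import urlparse

# A HijackThis item line is "<section> - <details>", e.g. "O1 - Hosts: <ip> <name>".
ITEM_RE = re.compile(r"^\s*([RO]\d{1,2})\s+-\s+(.*\S)\s*$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def parse_items(log_text):
    """Return [(section, details)] for R*/O* lines; header and process lines are skipped."""
    items = []
    for line in log_text.splitlines():
        m = ITEM_RE.match(line)
        if m:
            items.append((m.group(1), m.group(2)))
    return items


def triage(section, details):
    """Return a reason if the entry matches a review heuristic (assumed, not exhaustive)."""
    # Heuristic 1: hosts-file line that maps a name to a non-loopback address.
    if section == "O1" and details.startswith("Hosts:"):
        parts = details[len("Hosts:"):].split()
        if len(parts) >= 2 and parts[0] not in ("127.0.0.1", "0.0.0.0"):
            return "hosts file redirects %s to %s" % (parts[1], parts[0])
    # Heuristic 2: BHO/toolbar still registered although its file is gone.
    if section in ("O2", "O3") and details.endswith(("(file missing)", "(no file)")):
        return "browser add-on registered but its file is absent"
    # Heuristic 3: browser setting or ActiveX download URL with a bare IP as host.
    if section in ("R0", "R1", "O13", "O16"):
        for url in URL_RE.findall(details):
            host = urlparse(url).hostname or ""
            if IPV4_RE.match(host):
                return "URL uses a bare IP address (%s)" % host
    return None


def flagged(log_text):
    """Map each flagged (section, details) entry to the reason it was flagged."""
    out = {}
    for section, details in parse_items(log_text):
        reason = triage(section, details)
        if reason:
            out[(section, details)] = reason
    return out


def compare(before_text, after_text):
    """Classify flagged entries across two scans of the same machine."""
    before, after = flagged(before_text), flagged(after_text)
    return {
        "cleared": sorted(set(before) - set(after)),
        "remaining": sorted(set(before) & set(after)),
        "new": sorted(set(after) - set(before)),
    }


# Constructed sample scans (not taken from the thread's logs).
BEFORE = r"""Logfile of HijackThis v1.97.1
Running processes:
C:\WINDOWS\EXPLORER.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://192.0.2.50
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = search.example.com
O1 - Hosts: 192.0.2.50 search.example.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\SYSTEM\SAMPLE.DLL (file missing)
O3 - Toolbar: &Radio - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O13 - DefaultPrefix: http://192.0.2.50/?trk=
O16 - DPF: {00000000-0000-0000-0000-000000000003} - http://198.51.100.13/download/sample.exe
"""

AFTER = r"""Logfile of HijackThis v1.97.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.example.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = search.example.com
O1 - Hosts: 127.0.0.1 localhost
O3 - Toolbar: &Radio - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O13 - DefaultPrefix: http://192.0.2.50/?trk=
"""

if __name__ == "__main__":
    result = compare(BEFORE, AFTER)
    for state in ("cleared", "remaining", "new"):
        for section, details in result[state]:
            print(f"{state:9} {section:3} {details}")
```

An entry reported as `remaining` means the fix did not stick, which usually indicates that whatever wrote it is still running and rewrote it after the fix.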
     
  6. Heather Jack

    Heather Jack Thread Starter

    Joined:
    Sep 11, 2003
    Messages:
    11
    I cannot thank you enough for all your help!!! I have not encountered xrenoder so far...yea!!

    Here is my hijackthis log...hopefully we got it all.

    Again thank you so much. How can I prevent this from happening again?

    Sincerely,
    Heather

    Logfile of HijackThis v1.97.1
    Scan saved at 12:53:55 PM, on 9/11/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2614.3500)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ATI2PLXX.EXE
    C:\PROGRAM FILES\EASY INTERNET\ENCMONTR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
    C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
    C:\TOSHIBA\IVP\ISM\PINGER.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\2WIRE\HOMEPORTAL\2PORTALMON.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
    C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\LOGITECH\WINGMAN SOFTWARE\LWEMON.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\EARTHLINK TOTALACCESS\FASTLANE\IPCLIENT.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = htt://start.earthlink.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/toshiba/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = toshiba.my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/p/toshiba/?http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com/p/toshiba/?http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.espn.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
    O4 - HKLM\..\Run: [Pinger] C:\TOSHIBA\IVP\ISM\pinger.exe
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [2wSysTray] C:\PROGRAM FILES\2WIRE\HOMEPORTAL\2PORTALMON.EXE
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ATIPOLAB] ati2plxx.exe
    O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Easy Internet\ENCMONTR.EXE
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [Start WingMan Profiler] "c:\Program Files\Logitech\WingMan Software\Lwtest.exe" /detect /quiet /launch "c:\Program Files\Logitech\WingMan Software\LwEmon.exe /noui"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [5-1-25-538] c:\windows\5-1-25-538.exe -m
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
    O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    O4 - Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
    O4 - Startup: Billminder.lnk = C:\QUICKENW\billmind.exe
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=toshiba.my.yahoo.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37862.535462963
    O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ancestry.com/asfiles/files/install/MFImgVwr.cab
     
  7. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    two programs for you to download.
    from this site.
    http://www.javacoolsoftware.com/spywareblaster.html

    "spywareguard" and "spywareblaster"

    they will help enormously in keeping spy/adware off your computer.
    keep it updated [about every 2 or 3 weeks]

    also... I didn't notice a firewall running.

    www.zonelabs.com "zonealarm" is the best free firewall and an absolute must have program.

    take care.
    ;)
     
  8. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    and.......yes...........we got it all:D
     

Short URL to this thread: https://techguy.org/164009
