
hijackthis log; which to check?

Discussion in 'Virus & Other Malware Removal' started by guruji, Sep 12, 2003.

  1. guruji

    guruji Thread Starter

    Joined:
    Sep 12, 2003
    Messages:
    17
    I would appreciate help in what to check. Thanks

    Logfile of HijackThis v1.97.2
    Scan saved at 1:14:51 AM, on 9/12/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ACCESSORIES\POP-UP STOPPER\DPPS2.EXE
    C:\PROGRAM FILES\ONLINE SERVICES\APVXDWIN.EXE
    C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\WINDOWS\BQTRAY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\COMCTL_32.EXE
    C:\PROGRAM FILES\GLOBALDIALER\TONEX00052\981067.EXE
    C:\PROGRAM FILES\ACCESSORIES\ZONEALARM\ZONEALARM.EXE
    C:\PROGRAM FILES\ACCESSORIES\TWEAK OS\PCACCEL.EXE
    C:\PROGRAM FILES\ONLINE SERVICES\PAVPROXY.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\OPERA\OPERA.EXE
    C:\PROGRAM FILES\ACCESSORIES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.hotsearchbox.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.xxxtoolbar.com/ist/scripts/homepages_manager.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.coolwwwsearch.com/z/a/x1.cgi?656387 (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.coolwwwsearch.com/z/b/x1.cgi?656387 (obfuscated)
    R3 - URLSearchHook: MailTo Class - {01A9EB7D-69BC-11D2-AB2F-204C4F4F5020} - C:\WINDOWS\SYSTEM\ASTCTL32.OCX
    F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\msinfo.exe
    O1 - Hosts: 207.199.1.105 www.gamespy.com
    O1 - Hosts: 206.132.131.50 www.gamespot.com
    O1 - Hosts: 216.247.236.68 www.tweakfiles.com
    O1 - Hosts: 65.192.216.110 www.tweak3d.net
    O1 - Hosts: 205.252.89.157 www.deskmod.com
    O1 - Hosts: 64.28.67.150 www.slashdot.org
    O1 - Hosts: 207.199.1.103 www.planetquake.com
    O1 - Hosts: 216.247.236.67 www.3dfiles.com
    O1 - Hosts: 207.115.70.83 www.3dspotlight.net
    O1 - Hosts: 12.108.162.119 www.penny-arcade.com
    O1 - Hosts: 209.207.250.33 www.somethingawful.com
    O1 - Hosts: 207.0.114.195 www.tabworldonline.com
    O1 - Hosts: 63.214.181.69 www.tweaktown.com
    O1 - Hosts: 205.181.128.80 www.geek.com
    O1 - Hosts: 199.105.102.131 www.happypuppy.com
    O1 - Hosts: 205.229.72.80 www.hothardware.com
    O1 - Hosts: 61.8.3.18 www.insanehardware.com
    O1 - Hosts: 216.34.72.161 www.millisec.com
    O1 - Hosts: 209.249.33.4 www.msicomputer.com
    O1 - Hosts: 208.249.124.215 www.overclockers.com
    O1 - Hosts: 213.207.14.141 zoiah.m3dzone.com
    O1 - Hosts: 63.67.239.189 tdg.vintagegaming.com
    O1 - Hosts: 207.153.207.173 www.tech-junkie.com
    O1 - Hosts: 209.68.32.183 www.storagereview.com
    O1 - Hosts: 209.197.121.2 www.tomshardware.com
    O1 - Hosts: 209.247.194.100 babelfish.altavista.digital.com
    O1 - Hosts: 206.204.212.2 www.symantec.com
    O1 - Hosts: 209.68.58.104 motherboards.org
    O1 - Hosts: 192.18.97.241 www.sun.com
    O1 - Hosts: 216.62.153.3 www.pinkmonkey.com
    O1 - Hosts: 159.33.1.85 cbc.ca
    O1 - Hosts: 166.70.10.23 www.computerhope.com
    O1 - Hosts: 198.235.69.50 www.expressvu.com
    O1 - Hosts: 208.47.252.43 www.bootdisk.com
    O1 - Hosts: 137.82.195.9 careerowl.ca
    O1 - Hosts: 209.66.74.94 www.techbargains.com
    O1 - Hosts: 206.47.148.163 www.pccanada.com
    O1 - Hosts: 206.161.202.96 www.skinz.org
    O1 - Hosts: 208.228.126.53 www.express.com
    O1 - Hosts: 207.168.8.2 www.onsale.com
    O1 - Hosts: 207.168.8.2 www.egghead.com
    O1 - Hosts: 216.241.100.190 www.computersurplusoutlet.com
    O1 - Hosts: 209.67.181.21 www.buy.com
    O1 - Hosts: 206.253.222.67 www.2cooltek.com
    O1 - Hosts: 206.132.163.111 www.nbc.com
    O1 - Hosts: 209.116.0.210 www.litestep.net
    O1 - Hosts: 216.33.41.60 www.fox.com
    O1 - Hosts: 63.226.107.3 www.darkstep.com
    O1 - Hosts: 193.125.199.4 www.icqplus.org
    O1 - Hosts: 208.51.196.21 www.customize.org
    O1 - Hosts: 63.227.17.77 www.cognitivedistortion.com
    O1 - Hosts: 63.249.168.192 www.graphicsdesign.org
    O1 - Hosts: 64.225.121.225 www.designsbymark.com
    O1 - Hosts: 207.228.228.14 www.98lite.net
    O1 - Hosts: 195.97.246.136 www.1001icqskins.com
    O1 - Hosts: 209.10.46.171 www.diamondmm.com
    O1 - Hosts: 64.41.230.253 www.creative.com
    O1 - Hosts: 64.41.230.253 www.soundblaster.com
    O1 - Hosts: 209.249.164.210 gxs.n3.net
    O1 - Hosts: 209.137.157.25 www.canon.com
    O1 - Hosts: 192.151.52.13 www.hp.com
    O1 - Hosts: 216.18.6.150 www.chalk.com
    O1 - Hosts: 208.185.239.10 sdnews.net
    O1 - Hosts: 216.49.88.12 www.mcafee.com
    O1 - Hosts: 206.96.221.169 www.hardocp.com
    O1 - Hosts: 216.151.100.102 www.anandtech.com
    O1 - Hosts: 216.15.188.70 www.3dgpu.com
    O1 - Hosts: 204.180.41.10 www.reactorcritical.com
    O1 - Hosts: 207.153.102.7 www.3dchipset.com
    O1 - Hosts: 212.35.226.50 www.eurogamer.net
    O1 - Hosts: 128.11.45.131 www.hotfiles.com
    O1 - Hosts: 64.4.43.7 www.hotmail.com
    O1 - Hosts: 216.105.162.18 www.voodooextreme.com
    O1 - Hosts: 64.124.237.148 www.download.com
    O1 - Hosts: 216.200.247.132 www.cnet.com
    O1 - Hosts: 205.181.112.65 www.zdnet.com
    O1 - Hosts: 209.73.164.92 www.altavista.com
    O1 - Hosts: 216.239.33.100 www.google.com
    O1 - Hosts: 206.253.217.38 www.metacrawler.com
    O1 - Hosts: 216.35.123.102 www.ignpc.com
    O1 - Hosts: 143.166.82.178 www.dell.com
    O1 - Hosts: 216.247.236.67 www.3dfiles.com
    O1 - Hosts: 209.87.55.145 www.a-power.com
    O1 - Hosts: 64.23.13.53 www.reliz.ru
    O1 - Hosts: 216.165.161.17 www.theonion.com
    O1 - Hosts: 216.35.123.107 www.ign.com
    O1 - Hosts: 204.146.81.99 www.ibm.com
    O1 - Hosts: 205.214.169.2 www.acerlabs.com
    O1 - Hosts: 216.200.159.128 www.asus.com
    O1 - Hosts: 192.216.191.42 www.acer.com
    O1 - Hosts: 140.174.105.248 www.nvidia.com
    O1 - Hosts: 204.50.136.43 www.matrox.com
    O1 - Hosts: 166.90.143.6 www.3dfx.com
    O1 - Hosts: 207.167.207.71 www.ati.com
    O1 - Hosts: 63.170.89.212 www.abit.com
    O1 - Hosts: 216.200.57.12 www.firingsquad.com
    O1 - Hosts: 216.74.72.88 www.uniballcentral.com
    O1 - Hosts: 208.185.239.10 sdn.fgnetwork.com
    O1 - Hosts: 192.41.18.142 www.savagenews.com
    O1 - Hosts: 62.144.156.73 www.paraknowya.de
    O1 - Hosts: 63.170.89.212 www.motherboards.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ACCESSORIES\COMMON\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ONLINE~1\SPYBOT~1.1\SDHELPER.DLL
    O2 - BHO: clitor - {1E1B2879-88FF-11D2-8D96-123457123457} - C:\WINDOWS\EXPLORER.DLL
    O3 - Toolbar: (no name) - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - (no file)
    O3 - Toolbar: @msdxmLC.dll,-1@,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [KeyMaestro] C:\PROGRAM FILES\ACCESSORIES\KMaestro.exe
    O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\ACCESSORIES\POP-UP STOPPER\DPPS2.EXE"
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Online Services\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [BurnQuick Queue] C:\WINDOWS\BQTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [VB_run] C:\WINDOWS\comctl_32.exe
    O4 - HKLM\..\Run: [keymgrldr] rundll32 setupapi,InstallHinfSection Oemkeymgr9x 128 keymgr3.inf
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
    O4 - HKCU\..\Run: [sws.exe] c:\program files\GlobalDialer\tonex00052\981067.EXE -remove
    O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\PROGRAM FILES\ONLINE SERVICES\SPYBOT - SEARCH & DESTROY 1.1\SPYBOTSD.EXE" /autocheck
    O4 - Startup: pcaccel.lnk = C:\Program Files\Accessories\Tweak OS\pcaccel.exe
    O4 - User Startup: pcaccel.lnk = C:\Program Files\Accessories\Tweak OS\pcaccel.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Accessories\ZoneAlarm\zonealarm.exe
    O8 - Extra context menu item: Download using Download &Express - file://C:\WINDOWS\SYSTEM\MetaProducts\Add_Url.htm
    O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
    O9 - Extra button: Copernic Agent (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net
    O15 - Trusted Zone: *.msn.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.44/23858787283c18569b05/netzip/RdxIE.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} (GigexCtrl ActiveX) - http://www.gigex.com/tv/igor/gigexagent.dll
    O16 - DPF: {01112B00-3E00-11D2-8470-0060089874ED} (Support.com RemoteControl Class) - http://help-data.excite.com/help/images/ra/tgrc.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} (plug Class) - http://dist02.chargitdial.com/chargitplug.dll
    O16 - DPF: {946B0485-8F8C-4C35-A6E7-D2115E3B0B4F} (HTMLAccess Class) - http://usa-download.nocreditcard.com/download/Object/DialerHTML/DHTMLAccess1040.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37710.4176273148
    O16 - DPF: {26FD5192-A97C-4B48-A5D7-2420CFDCFDF2} (Loader Class) - http://new.tnc4u.com/MCInst.cab
    O16 - DPF: {B843DA96-2B2D-447E-90AB-B92929AA11AF} (HTMLDialer Class) - http://usa-download.nocreditcard.com/download/Object/DialerHTML/EGHTMLDialer.cab
    O16 - DPF: {38545C2A-03CD-42C3-BC62-C537A6D5A8F6} (38545C2A-03CD-42C3-BC62-C537A6D5A8F6) - http://download.globaldialer.net/GlobalDialer.cab
    O19 - User stylesheet: C:\WINDOWS\default.css
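    The thread's question is which lines of a log like this deserve a closer look. The script below is an added example, not code from the original post or from the HijackThis author: it parses a dozen lines copied from the log above (constructed sample) and flags the entry types a helper would normally check first, namely IE search/start settings redirected to an external URL, hosts-file pins on vendor or update sites, BHOs with a missing file or a mangled CLSID, and ActiveX downloads (O16) from a bare IP address or described as a dialer. The watch list of sensitive hosts and the heuristics themselves are my assumptions, not rules built into HijackThis.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log posted above,
# one or two from each section the triage looks at.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.hotsearchbox.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.coolwwwsearch.com/z/a/x1.cgi?656387 (obfuscated)
O1 - Hosts: 206.204.212.2 www.symantec.com
O1 - Hosts: 216.239.33.100 www.google.com
O1 - Hosts: 207.199.1.105 www.gamespy.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ACCESSORIES\COMMON\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E777 - (no file)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.44/23858787283c18569b05/netzip/RdxIE.cab
O16 - DPF: {B843DA96-2B2D-447E-90AB-B92929AA11AF} (HTMLDialer Class) - http://usa-download.nocreditcard.com/download/Object/DialerHTML/EGHTMLDialer.cab
""".strip().splitlines()

# Assumed watch list (my choice, not HijackThis's): vendor and update sites
# whose resolution should never be pinned by a hosts file on a home PC.
SENSITIVE_HOSTS = {
    "www.symantec.com", "www.mcafee.com", "www.google.com", "www.hotmail.com",
    "windowsupdate.microsoft.com", "v4.windowsupdate.microsoft.com",
}

LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
GUID_RE = re.compile(r"\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def triage(lines, sensitive_hosts=SENSITIVE_HOSTS):
    """Return (code, reason, line) tuples for log entries worth a closer look."""
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header lines, process list, blank lines
        code, body = m.group("code"), m.group("body")

        if code in ("R0", "R1") and "=" in body:
            # IE start/search settings: a value that is a URL (rather than
            # about:blank or a window title) is a redirect. HijackThis itself
            # appends "(obfuscated)" when the stored value was encoded.
            value = body.split("=", 1)[1].strip()
            if value.lower().startswith("http"):
                host = urlparse(value).hostname or value
                tag = " (flagged obfuscated)" if "(obfuscated)" in value else ""
                findings.append((code, "IE setting redirected to " + host + tag, raw))

        elif code == "O1" and body.startswith("Hosts:"):
            parts = body.split()  # ["Hosts:", ip, hostname]
            if len(parts) >= 3 and parts[2].lower() in sensitive_hosts:
                findings.append((code, f"hosts file pins {parts[2]} to {parts[1]}", raw))

        elif code == "O2":
            # A BHO whose CLSID is not a complete GUID, or whose DLL is gone,
            # is either a broken install or a deliberately mangled registry key.
            if "(no file)" in body or not GUID_RE.search(body):
                findings.append((code, "BHO with missing file or malformed CLSID", raw))

        elif code == "O16":
            url = body.rsplit(" - ", 1)[-1]
            host = urlparse(url).hostname or ""
            if IPV4_RE.fullmatch(host) or "dialer" in body.lower():
                findings.append((code, f"ActiveX control downloaded from {host}", raw))
    return findings


def summarize(findings):
    """Count findings per HijackThis section code, e.g. {'R1': 2, 'O1': 2, ...}."""
    counts = {}
    for code, _reason, _line in findings:
        counts[code] = counts.get(code, 0) + 1
    return counts


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
    print(summarize(triage(SAMPLE_LOG)))
```

    Run on the sample it reports seven entries: both redirected R1 values, the two hosts-file pins on the watch list, the BHO with the truncated CLSID, and the two O16 downloads. The Acrobat BHO, the Macromedia control and the gamespy hosts line pass untouched, which is the point of a triage pass: narrow a 200-line log down to the handful of entries a person then decides about by hand.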
     
  2. Topkat

    Topkat

    Joined:
    Aug 10, 2003
    Messages:
    401
    First download CoolWebShredder (CWS) from here:
    http://www.spywareinfo.com/~merijn/files/cwshredder.zip
    Please make certain that all browser and folder windows are closed before using CWShredder.

    Go here http://www.lavasoftusa.com/software/adaware/ and download Adaware 6

    Install the program and launch it.

    I strongly recommend that you read the help file to familiarize yourself with the program.

    Before running the scan look at the top of the main window and you will see a Gear Icon. This is where you configure the settings. Click on that and then in the next window that pops up click on the "Scanning" tab on the left side. Under "Drives and Folders" put a check by "Scan within archives" and below that under "Memory and Registry" put a check by all the options there.
    Then click on the "Tweak" tab and under "Scanning engine" put a check by "Unload recognized processes during scanning", then under "Cleaning engine" put a check by "Automatically try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot", then click "Proceed".

    Next, in the main window look in the bottom right corner and click on "Check for updates now" and get the latest reference files.
    After getting the latest reference files you are ready to scan.

    Click "Start" and in the next window make sure "Active in depth scanning" is checked then click "Next" and the scan will begin.

    When it is finished let it fix everything it finds.

    Restart your computer.

    Then go here http://spybot.eon.net.au/index.php?...p;page=download and download Spybot.

    Install the program and launch it.

    Before scanning press "Online" and "Search for Updates" .

    Put a check mark at and install all updates.

    Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds.

    Restart your computer.

    Be sure to take advantage of the "Immunize" feature in Spybot.

    Finally go here http://www.net-integration.net/cgi-...=ST;f=38;t=3051 for info on how this happens and how to prevent future attacks.
    On this page you will find a link to Javacool's SpywareBlaster. Get it and check for updates frequently.
    The Immunize feature in Spybot used in conjunction with SpywareBlaster and weekly scans with Spybot and Adaware will go a long way toward keeping you spyware free.

    IMPORTANT!: Always check for updated detections and reference files before scanning with Spybot and Adaware.

    If there's a problem after all this, post another log (in fact, post one just to be sure).
     
  3. guruji

    guruji Thread Starter

    Joined:
    Sep 12, 2003
    Messages:
    17
    Thank you. I did most of the steps you told me to do. I could not get the SpyWareBlaster at the site you gave me; the site would not open. Where can I get that program?
    guruji
     
  4. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    Try this link.
    Go to http://security.kolla.de/index.php?...n&page=download and download SpyBot. Once Spybot is installed click on 'Online' and download the latest updates.

    After you have run the programs that Topkat suggested, run HJT again and post a fresh log.

    Thanks
     
  5. qpqpzmzm

    qpqpzmzm

    Joined:
    Sep 18, 2003
    Messages:
    202
    I have tried everything suggested and yet the pop ups keep coming back. Here are my logs...hope someone can help!

    Logfile of HijackThis v1.97.2
    Scan saved at 12:54:19 PM, on 9/18/2003
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\hidserv.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINNT\SYSTEM32\THOTKEY.EXE
    C:\Program Files\TOSHIBA\TME2\Tmesrv2.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SymTray.exe
    C:\WINNT\System32\Promon.exe
    C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\WINNT\System32\TPWRTRAY.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\system32\AStart.exe
    C:\WINNT\system32\service.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\TOSHIBA\NetDevSW\NetDevSW.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\System32\wuauclt.exe
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    C:\unzipped\hijackthis[1]\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.icefloe.com/
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll
    O2 - BHO: (no name) - {490E1008-C4C9-4AC7-ADFE-B7C62796C157} - C:\WINNT\System32\lmoluse16.dll
    O2 - BHO: (no name) - {6 - (no file)
    O2 - BHO: (no name) - {65 - (no file)
    O2 - BHO: (no name) - {65C - (no file)
    O2 - BHO: (no name) - {65C8 - (no file)
    O2 - BHO: (no name) - {65C8C - (no file)
    O2 - BHO: (no name) - {65C8C1 - (no file)
    O2 - BHO: (no name) - {65C8C1F - (no file)
    O2 - BHO: (no name) - {65C8C1F5 - (no file)
    O2 - BHO: (no name) - {65C8C1F5- - (no file)
    O2 - BHO: (no name) - {65C8C1F5-2 - (no file)
    O2 - BHO: (no name) - {65C8C1F5-23 - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230 - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E- - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4 - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4D - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9 - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9- - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9 - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0 - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D- - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3 - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F31 - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F315 - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159 - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5 - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7 - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E77 - (no file)
    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E777 - (no file)
    O2 - BHO: (no name) - {A85C4A1B-BD36-44E5-A70F-8EC347D9B24F} - C:\WINNT\bs3.dll
    O2 - BHO: (no name) - {BD - (no file)
    O2 - BHO: (no name) - {BDF - (no file)
    O2 - BHO: (no name) - {BDF3 - (no file)
    O2 - BHO: (no name) - {BDF3E - (no file)
    O2 - BHO: (no name) - {BDF3E4 - (no file)
    O2 - BHO: (no name) - {BDF3E43 - (no file)
    O2 - BHO: (no name) - {BDF3E430 - (no file)
    O2 - BHO: (no name) - {BDF3E430- - (no file)
    O2 - BHO: (no name) - {BDF3E430-B - (no file)
    O2 - BHO: (no name) - {BDF3E430-B1 - (no file)
    O2 - BHO: (no name) - {BDF3E430-B10 - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101 - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101- - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-4 - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42 - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42A - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD- - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A5 - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A54 - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544 - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544- - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-F - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FA - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FAD - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6 - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B0 - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B08 - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084 - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B0848 - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872 - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDF01018-5054-4B3F-B6B7-C51DDCD06827} - C:\WINNT\System32\kqbdbe.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {80E81A0E-9741-4FBC-8EE3-3B78C04ADA1D} - (no file)
    O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-D3FA-F27BA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrswmda.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME2\TMESRV2.EXE /logon
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AStart] C:\WINNT\system32\AStart
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSW\NetDevSW.exe
    O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
    O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2954d3321677fc8a0820/netzip/RdxIE601.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37628.3970138889
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    ***********************************

    StartupList report, 9/18/2003, 12:58:12 PM
    StartupList version: 1.52
    Started from : C:\unzipped\hijackthis[1]\HijackThis.EXE
    Detected: Windows 2000 SP3 (WinNT 5.00.2195)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\hidserv.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINNT\SYSTEM32\THOTKEY.EXE
    C:\Program Files\TOSHIBA\TME2\Tmesrv2.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SymTray.exe
    C:\WINNT\System32\Promon.exe
    C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\WINNT\System32\TPWRTRAY.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINNT\system32\AStart.exe
    C:\WINNT\system32\service.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\TOSHIBA\NetDevSW\NetDevSW.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\System32\wuauclt.exe
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    C:\WINNT\system32\NOTEPAD.EXE
    C:\unzipped\hijackthis[1]\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSW\NetDevSW.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Promon.exe = Promon.exe
    Synchronization Manager = mobsync.exe /logon
    EM_EXEC = C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    Tpwrtray = TPWRTRAY.EXE
    TMESRV.EXE = C:\Program Files\TOSHIBA\TME2\TMESRV2.EXE /logon
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
    TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    AStart = C:\WINNT\system32\AStart

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    SymTray - Norton SystemWorks = C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    PopUpStopperFreeEdition = "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

    --------------------------------------------------

    Shell & screensaver key from C:\WINNT\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=(NONE)
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    NavErrRedir Class - C:\PROGRA~1\INCRED~1\BHO\BHO.dll - {269B6797-664E-48AA-B283-B012BDF6E525}
    (no name) - C:\WINNT\System32\lmoluse16.dll - {490E1008-C4C9-4AC7-ADFE-B7C62796C157}
    (no name) - (no file) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E777
    (no name) - C:\WINNT\bs3.dll - {A85C4A1B-BD36-44E5-A70F-8EC347D9B24F}
    (no name) - (no file) - {BDF3E430-B101-42AD-A544-FADC6B084872}
    NAV Helper - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
    (no name) - C:\WINNT\System32\kqbdbe.dll - {FDF01018-5054-4B3F-B6B7-C51DDCD06827}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Norton AntiVirus - Scan my computer.job
    Norton SystemWorks One Button Checkup.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://active.macromedia.com/director/cabs/sw.cab

    [Cult3D ActiveX Player]
    InProcServer32 = C:\WINNT\System32\Cult3D\IECult.dll
    CODEBASE = http://i.a.cnn.net/cnn/resources/cult3d/cult.cab

    [{41F17733-B041-4099-A042-B518BB6A408C}]
    CODEBASE = http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe

    [{556DDE35-E955-11D0-A707-000000521957}]
    CODEBASE = http://www.xblock.com/download/xclean_micro.exe

    [RdxIE Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\RdxIE.dll
    CODEBASE = http://207.188.7.150/2954d3321677fc8a0820/netzip/RdxIE601.cab

    [OPUCatalog Class]
    InProcServer32 = C:\WINNT\System32\opuc.dll
    CODEBASE = http://office.microsoft.com/productupdates/content/opuc.cab

    [CCMPGui Class]
    InProcServer32 = C:\WINNT\System32\ccmp392.dll
    CODEBASE = http://64.124.45.181/chaincast/proxy/CCMP.cab

    [Update Class]
    InProcServer32 = C:\WINNT\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37628.3970138889

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
    WebCheck: C:\WINNT\System32\webcheck.dll
    SysTray: stobject.dll

    --------------------------------------------------
    End of report, 10,361 bytes
    Report generated in 0.340 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    qpqpzmzm

    Welcome to TSG!

    Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

    O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.dll

    O2 - BHO: (no name) - {490E1008-C4C9-4AC7-ADFE-B7C62796C157} - C:\WINNT\System32\lmoluse16.dll

    O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E777 - (no file)

    O2 - BHO: (no name) - {A85C4A1B-BD36-44E5-A70F-8EC347D9B24F} - C:\WINNT\bs3.dll

    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)

    O3 - Toolbar: (no name) - {80E81A0E-9741-4FBC-8EE3-3B78C04ADA1D} - (no file)

    O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-D3FA-F27BA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrswmda.dll (file missing)

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2954d3321677fc...ip/RdxIE601.cab

    Restart your computer.

    Go here http://www.lavasoftusa.com/software/adaware/ and download Adaware 6

    Install the program and launch it.

    I strongly recommend that you read the help file to familiarize yourself with the program.

    Before running the scan look at the top of the main window and you will see a Gear Icon. This is where you configure the settings. Click on that and then in the next window that pops up click on the "Scanning" tab on the left side. Under "Drives and Folders" put a check by "Scan within archives" and below that under "Memory and Registry" put a check by all the options there.
    Then click on the "Tweak" tab and under "Scanning engine" put a check by "Unload recognized processes during scanning", then under "Cleaning engine" put a check by "Automatically try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot", then click "Proceed".

    Next, in the main window look in the bottom right corner and click on "Check for updates now" and get the latest reference files.
    After getting the latest reference files you are ready to scan.

    Click "Start" and in the next window make sure "Active in depth scanning" is checked then click "Next" and the scan will begin.

    When it is finished let it fix everything it finds.

    Restart your computer.

    Then go here http://spybot.eon.net.au/index.php?...p;page=download and download Spybot.

    Install the program and launch it.

    Before scanning press "Online" and "Search for Updates" .

    Put a check mark at and install all updates.

    Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds.

    Restart your computer.

    Be sure and take advantage of the "Immunize" feature in Spybot.

    Finally go here http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 for info on how this happens and how to prevent future attacks.
    On this page you will find a link to Javacool's SpywareBlaster. Get it and check for updates frequently.
    The Immunize feature in Spybot used in conjunction with SpywareBlaster and weekly scans with Spybot and Adaware will go a long way toward keeping you spyware free.

    Important!: ALWAYS check for updated detections and reference files before scanning with Spybot and Adaware. And be sure to check for updates to SpywareBlaster on a weekly basis.
     
  7. qpqpzmzm

    qpqpzmzm

    Joined:
    Sep 18, 2003
    Messages:
    202
    Thank you so much Flrman1. I have followed your instructions to the T and will hope now not to see the tell-tale signs that it is regenerating itself. If all goes well I will be making a donation, as I would have paid big bucks for a tech to come in and fix this.

    Regards.
     
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    You're Welcome! (y)

    If it does rear its ugly head again, which I doubt, just post another HJT log and we'll look at it again.
     
  9. guruji

    guruji Thread Starter

    Joined:
    Sep 12, 2003
    Messages:
    17
    Thank you for your help. I will affero for sure. I got the programs and ran them as you directed and have a much shorter hjt log to show you this time. Several items on the list I will select to ignore as I recognize the applications. Here is the new list. Is there anything to delete?

    Logfile of HijackThis v1.97.2
    Scan saved at 7:50:21 PM, on 9/22/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ACCESSORIES\POP-UP STOPPER\DPPS2.EXE
    C:\PROGRAM FILES\ONLINE SERVICES\APVXDWIN.EXE
    C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\WINDOWS\BQTRAY.EXE
    C:\PROGRAM FILES\ACCESSORIES\ZONEALARM\ZONEALARM.EXE
    C:\PROGRAM FILES\ACCESSORIES\TWEAK OS\PCACCEL.EXE
    C:\PROGRAM FILES\ONLINE SERVICES\PAVPROXY.EXE
    C:\WINDOWS\DESKTOP\UTILITIES\CWSHREDDER.EXE
    C:\WINDOWS\DESKTOP\UTILITIES\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://acc.count-all.com/--/?riqrq (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.elijahemanuel.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acc.count-all.com/-/?riqrq (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://acc.count-all.com/--/?riqrq (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.xxxtoolbar.com/ist/scripts/homepages_manager.php
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?riqrq (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?riqrq (obfuscated)
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ONLINE~1\SPYBOT~1.1\SDHELPER.DLL
    O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [KeyMaestro] C:\PROGRAM FILES\ACCESSORIES\KMaestro.exe
    O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\ACCESSORIES\POP-UP STOPPER\DPPS2.EXE"
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Online Services\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [BurnQuick Queue] C:\WINDOWS\BQTray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
    O4 - Startup: pcaccel.lnk = C:\Program Files\Accessories\Tweak OS\pcaccel.exe
    O4 - User Startup: pcaccel.lnk = C:\Program Files\Accessories\Tweak OS\pcaccel.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Accessories\ZoneAlarm\zonealarm.exe
    O8 - Extra context menu item: Download using Download &Express - file://C:\WINDOWS\SYSTEM\MetaProducts\Add_Url.htm
    O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
    O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
    O9 - Extra button: Copernic Agent (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37710.4176273148
     
  10. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    guruji

    Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://acc.count-all.com/--/?riqrq (obfuscated)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acc.count-all.com/-/?riqrq (obfuscated)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://acc.count-all.com/--/?riqrq (obfuscated)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.xxxtoolbar.com/ist/scrip...ges_manager.php

    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?riqrq (obfuscated)

    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?riqrq (obfuscated)

    R3 - Default URLSearchHook is missing

    Restart your computer.
     
  11. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
  12. qpqpzmzm

    qpqpzmzm

    Joined:
    Sep 18, 2003
    Messages:
    202
    Hi flrman1 I hope you are well.

    I had hoped by now that I would feel confident that my problem was 100% resolved, and I don't.

    Despite my computer being 90% better I feel that that last 10% eludes me.

    Prior to the infection pop-ups were bothersome, but mainly when you flipped from one web site to another or occasionally when you delayed on a site (like CNN) that auto-refreshed. But the pop-ups were hardly a nuisance.

    Now if I have my web browser activated at all I am still getting quite a few pop-ups, and it seems more than ever. Some even get through despite the Pop-Up Stopper program I downloaded, and it is often telling me it blocked others. When I turn it off just to see how the problem is I see some ominous-looking pop-ups that just too much remind me of the virus.

    Anyway, I guess we need to do another log check... right?

    Is there a site or thread that explains what exactly the program HijackThis is and whether my techie should be aware of its installation? Are there any concerns I should have over it being in my system? Sorry to be paranoid, but I like to have at least a basic understanding of anything I download.

    Also I received this message to my hotmail account which apparently came from this site (-http://forums.techguy.org/showthread.php?threadid=129074&perpage=15&pagenumber=14 ).

    I am not sure why it was emailed to me because it came almost a week after I had implemented your solution and our last contact and I also was not sure if I was to automatically just do what it said. I didn't follow it yet because I wanted confirmation that I should.

    Please let me know what you think I should try next.
     
  13. e-liam

    e-liam

    Joined:
    Jun 19, 2003
    Messages:
    1,241
    Hi qpqpzmzm,

    As far as the email you got, don't worry about it. Unless you unsubscribe from a thread, you will get an email each time someone posts to it. You'll get one letting you know about my post here, as an example.. :)

    It's always worth having a look when you get mail notification as someone may well have seen something that needs your attention when the thread seemed concluded.

    As far as the popups, correct.. :D another log please.. (y)

    Hijack This is a small utility that identifies running processes on your computer. It also identifies hijacks to the registry. It runs only on your computer and doesn't send any details about you or your computer to anyone.

    http://www.spywareinfo.com/~merijn/index.html lists HJT along with a few other security related programs and tools.

    If you want some more technical info for your techie, then you can contact Merijn, the writer of the program, by way of his email address at the bottom of the above page.
    Hope that helps,

    Cheers

    Liam
     
  14. qpqpzmzm

    qpqpzmzm

    Joined:
    Sep 18, 2003
    Messages:
    202
    Here is the new scan e-liam. thx in advance for your help!

    --------

    Logfile of HijackThis v1.97.2
    Scan saved at 2:52:16 PM, on 9/24/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\hidserv.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINNT\SYSTEM32\THOTKEY.EXE
    C:\Program Files\TOSHIBA\TME2\Tmesrv2.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SymTray.exe
    C:\WINNT\system32\Promon.exe
    C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\WINNT\system32\TPWRTRAY.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINNT\system32\AStart.exe
    C:\WINNT\system32\service.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\TOSHIBA\NetDevSW\NetDevSW.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\unzipped\hijackthis[1]\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.icefloe.com/
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDF01018-5054-4B3F-B6B7-C51DDCD06827} - C:\WINNT\System32\kqbdbe.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
    O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME2\TMESRV2.EXE /logon
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
    O4 - HKLM\..\Run: [AStart] C:\WINNT\system32\AStart
    O4 - HKLM\..\Run: [service.exe] C:\WINNT\system32\service.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSW\NetDevSW.exe
    O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
    O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37628.3970138889
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  15. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    In Hijack This, check ALL of the following items. Double check so as to be sure not to miss a single one.
    Next, close all browser Windows, and have HT fix all checked.

    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {FDF01018-5054-4B3F-B6B7-C51DDCD06827} - C:\WINNT\System32\kqbdbe.dll

    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [service.exe] C:\WINNT\system32\service.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSW\NetDevSW.exe

    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab


    NetDevSW.exe Toshiba laptops with built-in Wi-Fi. Allows switching between Wi-Fi and internal ethernet. Only necessary if you have regular need to switch back and forward between these network interfaces. Located in Startup folder so make own shortcut to it and disable if not really necessary


    Do you know what this is? I don't like the looks of it. It doesn't seem to have a .exe or .dll extension, so I don't know if it will start or not. It could be for ASUS based video cards. Right click on the file, click on Properties, then the Version Tab and see what the description and company name is.

    O4 - HKLM\..\Run: [AStart] C:\WINNT\system32\AStart


    IF you are running ME or XP Disable SYSTEM RESTORE : How to disable or enable System Restore in Windows ME

    How to disable or enable System Restore in Windows XP


    Next reboot into Safe Mode and remove the following files and folders that are bolded

    C:\WINNT\system32\service.exe (the valid Windows file is services.exe)

    See here http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 for how to start in safe mode if you don't know how.

    Reboot into normal mode

    RE-ENABLE SYSTEM RESTORE and create a new restore point


    Now download Spybot - Search & Destroy (if you haven't got the program installed already)

    After installing, first press Online, and search for, put a check mark at, and install all updates.

    Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds that are in RED

    Reboot

    Last, run HJT again and post your log again to see if anything was missed.

    Thanks
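    Added example, not part of this thread and not code from HijackThis or its author: a small Python triage script that applies, over sample log lines copied from the logs posted above, the same checks the helpers applied by eye. It covers Flrman1's items (R0/R1 search and start pages pointing at an "(obfuscated)" URL, the missing R3 URLSearchHook, orphaned O2/O3 entries with "(no file)", unnamed BHOs with an unknown CLSID) and NiteHawk's items (an O4 autorun named like a Windows system binary, here service.exe next to the genuine services.exe, and an O16 ActiveX download served from a bare IP address). The CLSID allow-list and the list of system binary names are assumptions made for the demo, not an authoritative reference; a real triage tool would carry curated lists.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines in HijackThis v1.97 format, copied from the logs
# posted in this thread so the rules can be exercised offline.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer,SearchURL = http://acc.count-all.com/--/?riqrq (obfuscated)
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: (no name) - {FDF01018-5054-4B3F-B6B7-C51DDCD06827} - C:\\WINNT\\System32\\kqbdbe.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\\Program Files\\Norton SystemWorks\\Norton AntiVirus\\NavShExt.dll
O3 - Toolbar: (no name) - {80E81A0E-9741-4FBC-8EE3-3B78C04ADA1D} - (no file)
O4 - HKLM\\..\\Run: [service.exe] C:\\WINNT\\system32\\service.exe
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Hypothetical allow-list: BHO CLSIDs the helpers in this thread treated as
# legitimate (Spybot's SDHelper and Adobe's AcroIEHelper). Demo only.
KNOWN_GOOD_CLSIDS = {
    "{53707962-6F74-2D53-2644-206D7942484F}",  # Spybot S&D SDHelper.dll
    "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}",  # Adobe AcroIEHelper.ocx
}

# Genuine Windows system process names that malware likes to imitate (assumed list).
SYSTEM_BINARIES = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                   "smss.exe", "spoolsv.exe", "explorer.exe", "csrss.exe"}

CLSID_RE = re.compile(r"\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}", re.I)
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)")
# O4 lines: "O4 - <hive>\..\Run: [<label>] <command>", command quoted or bare.
O4_RE = re.compile(r'^O4 - [^:]*: \[[^\]]*\] (?:"(?P<q>[^"]+)"|(?P<u>\S+))')


@dataclass
class Finding:
    line: str
    reason: str


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; inputs are file names, so the small DP table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(exe_name: str):
    """Return the system binary this name imitates (one edit away, not identical), else None."""
    name = exe_name.lower()
    for sysname in SYSTEM_BINARIES:
        if name != sysname and edit_distance(name, sysname) == 1:
            return sysname
    return None


def triage_line(line: str):
    """Apply the rules to one HijackThis line; return a reason string or None if it looks clean."""
    line = line.strip()
    if line.startswith(("R0 -", "R1 -")) and line.endswith("(obfuscated)"):
        return "browser search/start page points at an obfuscated URL"
    if line.startswith("R3 -") and "URLSearchHook is missing" in line:
        return "default URLSearchHook removed (typical of search hijackers)"
    if line.startswith(("O2 -", "O3 -")):
        if line.endswith("(no file)"):
            return "orphaned BHO/toolbar registration (file missing)"
        clsid = CLSID_RE.search(line)
        if "(no name)" in line and (clsid is None or clsid.group(0).upper() not in KNOWN_GOOD_CLSIDS):
            return "unnamed BHO/toolbar with unknown CLSID"
    if line.startswith("O4 -"):
        m = O4_RE.match(line)
        if m:
            path = m.group("q") or m.group("u")
            exe = path.replace("/", "\\").rsplit("\\", 1)[-1]
            sysname = lookalike_of(exe)
            if sysname:
                return f"autorun '{exe}' imitates system binary '{sysname}'"
    if line.startswith("O16 -") and IP_URL_RE.search(line):
        return "ActiveX download (DPF) served from a bare IP address"
    return None


def triage(log_text: str):
    """Run every rule over a whole log; returns the flagged lines in log order."""
    findings = []
    for raw in log_text.splitlines():
        reason = triage_line(raw)
        if reason:
            findings.append(Finding(raw.strip(), reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

    Run against the sample it flags six of the eleven lines and leaves the Spybot helper, the NAV Helper, ccApp and the Macromedia download alone. The look-alike rule deliberately requires exactly one edit from a known system binary name, which is how service.exe stands out from services.exe without flagging every unfamiliar executable; the CLSID allow-list is the part that needs real curation before the script is useful beyond this thread.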
     
Short URL to this thread: https://techguy.org/164196
