
IELoader is driving me crazy

Discussion in 'Virus & Other Malware Removal' started by bdsto, Feb 6, 2005.

Thread Status:
Not open for further replies.
  1. bdsto

    bdsto Thread Starter

    Joined:
    Feb 5, 2005
    Messages:
    3
    I have run many spyware and virus checkers on my system. Adaware, Spybot, TDS, Spyhunter, etc. I have WinPatrol on and it keeps telling me that IELoader is trying to install stuff like faortlht.exe (dll?) and aabqgsav.dll. When I click on Windows Internet Explorer I get multiple copies of iexplorer.exe and they take over the CPU. I kill them using Windows Task Manager, otherwise the system becomes unusable. I use Firefox most of the time, but some sites require IE. Then there is the problem of something trying to install DesktopSearch (c:\windows\isrvs\desktop.exe). I would like to get rid of that too. I have also downloaded all of the Microsoft Updates that the computer will allow. Five of them have been rejected, I think because I was using Firefox.

    I have created a HijackThis log and would appreciate any help anyone could offer. Thank you.

    ----------------------------------

    Logfile of HijackThis v1.99.0
    Scan saved at 12:45:54 PM, on 2/5/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\spoolsv.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Windows\System32\spool\drivers\w32x86\3\hpztsb06.exe
    C:\Program Files\PInfo\Dialers\Lori\Lori.exe
    C:\Windows\system32\axs.exe
    C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
    C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE
    C:\Windows\System32\ctfmon.exe
    C:\Windows\System32\wuaclt.exe
    C:\Windows\System32\PackethSvc.exe
    C:\Windows\System32\sysmonnt.exe
    C:\Documents and Settings\Administrator\Application Data\elat.exe
    C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
    C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
    C:\Compaq\EAKDRV\EAUSBKBD.EXE
    C:\Windows\System32\devldr32.exe
    C:\Windows\wanmpsvc.exe
    C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Windows\System32\taskmgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    D:\Security\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\about.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Realaudio Player] realaudioplay.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\Windows\System32\spool\drivers\w32x86\3\hpztsb06.exe
    O4 - HKLM\..\Run: [Lori] C:\Program Files\PInfo\Dialers\Lori\Lori.exe /dontdial
    O4 - HKLM\..\Run: [cd1] c:\windows\system32\cd1.exe /nocomm
    O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
    O4 - HKLM\..\Run: [gkfyqc] C:\Windows\System32\gkfyqc.exe
    O4 - HKLM\..\Run: [oqcjmc] C:\Windows\System32\oqcjmc.exe
    O4 - HKLM\..\Run: [WinTask driver] C:\Windows\System32\wintask.exe
    O4 - HKLM\..\Run: [secure] C:\Windows\System32\Dnegvm.exe
    O4 - HKLM\..\Run: [TinkoPal] C:\Program Files\TinkoPal\AppStart.exe
    O4 - HKLM\..\Run: [axs] C:\Windows\system32\axs.exe
    O4 - HKLM\..\Run: [r74R3sh] wshuth.exe
    O4 - HKLM\..\Run: [Desktop Search] C:\Windows\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\Windows\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [Dvx] C:\Windows\System32\wsxsvc\wsxsvc.exe
    O4 - HKLM\..\Run: [himkfjlf] C:\Windows\System32\himkfjlf.exe
    O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
    O4 - HKLM\..\RunServices: [Realaudio Player] realaudioplay.exe
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
    O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\System32\ctfmon.exe
    O4 - HKCU\..\Run: [awv5RiN5T] uxtcp32r.exe
    O4 - HKCU\..\Run: [Qtutnar] C:\Windows\System32\wuaclt.exe
    O4 - HKCU\..\Run: [sysmonnt] C:\Windows\System32\sysmonnt
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKCU\..\Run: [Lerm] C:\Documents and Settings\Administrator\Application Data\elat.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
    O15 - Trusted Zone: http://www.neededware.com
    O16 - DPF: NDWCab - http://www.neededware.com/NDWCab.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1107130436733
    O16 - DPF: {F0BC061F-DAF9-4533-8011-53BCB4C10307} (Installations Assistent) - http://install.service-url.de/InstallationsAssistent.ocx
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel(R) NMS - Intel Corporation - C:\Windows\System32\NMSSvc.exe
    O23 - Service: Virtual NIC Service - America Online, Inc. - C:\Windows\System32\PackethSvc.exe
    O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\Windows\wanmpsvc.exe
     
  2. crushbone

    crushbone

    Joined:
    Aug 5, 2004
    Messages:
    1,137
    Hello bdsto and Welcome to TSG! :D

    Open Task Manager (ctrl+alt+delete) and choose the "Processes" tab.
    Find and "End Process" the following processes:
    Lori.exe
    axs.exe
    sysmonnt.exe
    elat.exe


    Turn off System Restore by right-clicking on My Computer and choosing "Properties". Click on the "System Restore" tab and put a tick next to "Turn System Restore off". Click "OK".

    Go to My Computer and click on "Tools" then "Folder Options". Click on the "View" tab and make sure that "Show hidden files and folders" is enabled. Click "OK".

    Find and delete the following files and folders highlighted in RED:
    C:\Program Files\PInfo
    C:\Windows\system32\axs.exe
    C:\Windows\System32\sysmonnt.exe
    C:\Documents and Settings\Administrator\Application Data\elat.exe

    Open Internet Explorer and at the top click on "Tools" and choose "Internet Options". Click on the "Advanced" tab and untick "Enable third-party browser extensions". Click on "Apply" then "OK".

    Run HijackThis and fix the following entries:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\about.htm

    R3 - Default URLSearchHook is missing

    O1 - Hosts: 64.91.255.87 www.dcsresearch.com

    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)

    O4 - HKLM\..\Run: [Lori] C:\Program Files\PInfo\Dialers\Lori\Lori.exe /dontdial

    O4 - HKLM\..\Run: [cd1] c:\windows\system32\cd1.exe /nocomm

    O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe

    O4 - HKLM\..\Run: [gkfyqc] C:\Windows\System32\gkfyqc.exe

    O4 - HKLM\..\Run: [oqcjmc] C:\Windows\System32\oqcjmc.exe

    O4 - HKLM\..\Run: [WinTask driver] C:\Windows\System32\wintask.exe

    O4 - HKLM\..\Run: [secure] C:\Windows\System32\Dnegvm.exe

    O4 - HKLM\..\Run: [axs] C:\Windows\system32\axs.exe

    O4 - HKLM\..\Run: [r74R3sh] wshuth.exe

    O4 - HKLM\..\Run: [ffis] C:\Windows\isrvs\ffisearch.exe

    O4 - HKLM\..\Run: [Dvx] C:\Windows\System32\wsxsvc\wsxsvc.exe

    O4 - HKLM\..\Run: [himkfjlf] C:\Windows\System32\himkfjlf.exe

    O4 - HKCU\..\Run: [awv5RiN5T] uxtcp32r.exe

    O4 - HKCU\..\Run: [sysmonnt] C:\Windows\System32\sysmonnt

    O4 - HKCU\..\Run: [Lerm] C:\Documents and Settings\Administrator\Application Data\elat.exe

    O16 - DPF: {F0BC061F-DAF9-4533-8011-53BCB4C10307} (Installations Assistent) - http://install.service-url.de/Insta...nsAssistent.ocx

    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)


    Restart your computer and post a fresh HijackThis log back on this thread.
     
  3. bdsto

    bdsto Thread Starter

    Joined:
    Feb 5, 2005
    Messages:
    3
    Thank you for the help. I believe I did what you said where I could. IE crashed when I tried to open it. But I right-clicked on it and turned off the ... whatever it was... that way. Here is the new log.

    ----------------------
    Logfile of HijackThis v1.99.0
    Scan saved at 8:01:31 AM, on 2/7/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\spoolsv.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    C:\Windows\System32\PROMon.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Windows\System32\realaudioplay.exe
    C:\Windows\System32\spool\drivers\w32x86\3\hpztsb06.exe
    C:\Windows\isrvs\desktop.exe
    C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
    C:\Windows\System32\ctfmon.exe
    C:\Windows\System32\wuaclt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
    C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
    C:\Compaq\EAKDRV\EAUSBKBD.EXE
    C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
    C:\Windows\System32\PackethSvc.exe
    C:\Windows\System32\devldr32.exe
    C:\Windows\System32\msupd5.exe
    C:\Windows\System32\NMSSvc.exe
    C:\Windows\wanmpsvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    D:\Security\HijackThis.exe
    C:\Windows\System32\wuauclt.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {43044E3B-107A-01E1-DC60-4CEB4DF0BF2C} - C:\Windows\System32\faortlht.dll
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: (no name) - {BBB9C1B7-3B16-C6E8-D6FA-B21DE9DA5D8C} - C:\Windows\System32\aabqgsav.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Realaudio Player] realaudioplay.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\Windows\System32\spool\drivers\w32x86\3\hpztsb06.exe
    O4 - HKLM\..\Run: [Desktop Search] C:\Windows\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\Windows\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\RunServices: [Realaudio Player] realaudioplay.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Qtutnar] C:\Windows\System32\wuaclt.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
    O15 - Trusted Zone: http://www.neededware.com
    O16 - DPF: NDWCab - http://www.neededware.com/NDWCab.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1107130436733
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\Windows\System32\msupd5.exe
    O23 - Service: Intel(R) NMS - Intel Corporation - C:\Windows\System32\NMSSvc.exe
    O23 - Service: Virtual NIC Service - America Online, Inc. - C:\Windows\System32\PackethSvc.exe
    O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\Windows\wanmpsvc.exe
     
  4. crushbone

    crushbone

    Joined:
    Aug 5, 2004
    Messages:
    1,137
    Run HijackThis and fix the following entries:

    O2 - BHO: (no name) - {43044E3B-107A-01E1-DC60-4CEB4DF0BF2C} - C:\Windows\System32\faortlht.dll

    O2 - BHO: (no name) - {BBB9C1B7-3B16-C6E8-D6FA-B21DE9DA5D8C} - C:\Windows\System32\aabqgsav.dll

    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)


    Restart your computer and post a fresh HijackThis log back on this thread.
     
  5. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run HJT again and put a check in the following:

    O2 - BHO: (no name) - {43044E3B-107A-01E1-DC60-4CEB4DF0BF2C} - C:\Windows\System32\faortlht.dll
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
    O2 - BHO: (no name) - {BBB9C1B7-3B16-C6E8-D6FA-B21DE9DA5D8C} - C:\Windows\System32\aabqgsav.dll
    O4 - HKLM\..\Run: [Realaudio Player] realaudioplay.exe
    O4 - HKLM\..\Run: [Desktop Search] C:\Windows\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\Windows\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\RunServices: [Realaudio Player] realaudioplay.exe
    O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
    O15 - Trusted Zone: http://www.neededware.com
    O16 - DPF: NDWCab - http://www.neededware.com/NDWCab.CAB
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)

    Close all applications and browser windows before you click "fix checked".


    Restart in Safe Mode

    Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
    Make sure that "Show hidden files and folders" is checked.
    Also uncheck "Hide protected operating system files".
    Now click "Apply to all folders", click "Apply", then "OK".

    Go to Control Panel, Add/Remove Programs, and remove Viewpoint and also SpyHunter; as you can see, it is not doing you any good either.

    Delete these folders:
    C:\Windows\isrvs
    C:\Program Files\Enigma Software Group
    C:\Program Files\Viewpoint

    Reboot.

    Go here: http://www.kaspersky.com/remoteviruschk.html
    Copy this: C:\Windows\System32\realaudioplay.exe and paste it into the Submit box.

    Please report back the findings.
     
  6. bdsto

    bdsto Thread Starter

    Joined:
    Feb 5, 2005
    Messages:
    3
    I did what you said: closed the browser, safe mode, deleted the directories, etc. ffis and the no names will not go away. Here is my latest log. Thanks for the help.

    ----------------------
    Logfile of HijackThis v1.99.0
    Scan saved at 8:49:32 AM, on 2/11/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\spoolsv.exe
    C:\Windows\Explorer.EXE
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    C:\Windows\System32\PROMon.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Windows\System32\spool\drivers\w32x86\3\hpztsb06.exe
    C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Windows\System32\ctfmon.exe
    C:\Windows\System32\wuaclt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
    C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
    C:\Compaq\EAKDRV\EAUSBKBD.EXE
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
    C:\Windows\System32\devldr32.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Windows\System32\msupd5.exe
    C:\Windows\System32\NMSSvc.exe
    C:\Windows\wanmpsvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\COMMON~1\AOL\110807~1\EE\AOLHOS~1.EXE
    C:\PROGRA~1\COMMON~1\AOL\110807~1\EE\AOLServiceHost.exe
    C:\Windows\System32\wuauclt.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
    C:\Windows\System32\wuauclt.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.compaq.com/1Q00CDT/0409/bl7.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {43044E3B-107A-01E1-DC60-4CEB4DF0BF2C} - (no file)
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: (no name) - {BBB9C1B7-3B16-C6E8-D6FA-B21DE9DA5D8C} - (no file)
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\Windows\System32\spool\drivers\w32x86\3\hpztsb06.exe
    O4 - HKLM\..\Run: [Desktop Search] C:\Windows\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\Windows\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\Windows\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Qtutnar] C:\Windows\System32\wuaclt.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1107130436733
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
    O23 - Service: AOL Connectivity Service - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\Windows\System32\msupd5.exe
    O23 - Service: Intel(R) NMS - Intel Corporation - C:\Windows\System32\NMSSvc.exe
    O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\Windows\wanmpsvc.exe
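
The comparison the last post calls for, as an added example that is not part of the thread: it checks which entries from a "fix" list are still present in a later HijackThis log. Entries are matched by CLSID or by Run-key value name rather than by the full line, so a BHO whose target changed from a DLL path to `(no file)` is still reported; the function names and the matching rules are this example's own assumptions.

```python
import re

# Excerpts from the thread: part of cybertech's "put a check in" list and
# part of the log bdsto posted afterwards (2/11/2005).
FIX_LIST = r"""
O2 - BHO: (no name) - {43044E3B-107A-01E1-DC60-4CEB4DF0BF2C} - C:\Windows\System32\faortlht.dll
O2 - BHO: (no name) - {BBB9C1B7-3B16-C6E8-D6FA-B21DE9DA5D8C} - C:\Windows\System32\aabqgsav.dll
O4 - HKLM\..\Run: [Realaudio Player] realaudioplay.exe
O4 - HKLM\..\Run: [ffis] C:\Windows\isrvs\ffisearch.exe
O15 - Trusted Zone: http://www.neededware.com
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
"""
LATER_LOG = r"""
Running processes:
C:\Windows\System32\wuaclt.exe
O2 - BHO: (no name) - {43044E3B-107A-01E1-DC60-4CEB4DF0BF2C} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {BBB9C1B7-3B16-C6E8-D6FA-B21DE9DA5D8C} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [ffis] C:\Windows\isrvs\ffisearch.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
"""

# "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: [ffis] C:\...".
ENTRY_RE = re.compile(r"^\s*((?:R|O|F|N)\d+) - (.+?)\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(HK\w+\\\.\.\\\w+): \[([^\]]+)\]")


def entry_key(code, detail):
    """Identity of an entry that survives cosmetic changes to the line."""
    clsid = CLSID_RE.search(detail)
    if clsid:                      # BHOs, filters, DPF objects, buttons
        return (code, clsid.group(0).upper())
    run = RUN_RE.match(detail)
    if code == "O4" and run:       # autoruns: registry key + value name
        return (code, run.group(1).upper(), run.group(2).lower())
    return (code, detail.lower())  # everything else: the whole detail


def parse_log(text):
    """Map entry identity -> original line; non-entry lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[entry_key(*m.groups())] = line.strip()
    return entries


def still_present(fix_list, later_log):
    """Entries that were meant to be fixed but appear in the later log."""
    fixed, later = parse_log(fix_list), parse_log(later_log)
    return [
        {"code": key[0], "was": fixed[key], "now": later[key],
         "changed": fixed[key] != later[key]}
        for key in fixed if key in later
    ]


if __name__ == "__main__":
    for hit in still_present(FIX_LIST, LATER_LOG):
        note = "target changed" if hit["changed"] else "unchanged"
        print(f"{hit['code']:>3} still present ({note}): {hit['now']}")
```

A plain line-by-line comparison of the same two excerpts finds only the `ffis` and `O18` entries, because the two BHO lines no longer match once their file path has been replaced by `(no file)`.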
     
  7. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
Short URL to this thread: https://techguy.org/327495
