1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Please help - My computer is full of adware/malware and trojans. Hijackthis log.

Discussion in 'Virus & Other Malware Removal' started by Tifosi2003, Feb 13, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. Tifosi2003

    Tifosi2003 Thread Starter

    Joined:
    Feb 13, 2005
    Messages:
    9
    A few days ago I tried opening my IE and it came up with an error message along the lines of: "Virus Warning - access blocked" and then some links to spyware removal sites, which were dead links. In the url there was a part named sehlp.dll. I tried removing it manually but it said "cannot remove this file. Please make sure it is not in use....". I got rid of it with hijackthis, but it just comes back. Right now my browser is displaying a search engine which, when you click refresh, retains the same search lists but different layout/font/background.
    MSN messenger and all other programmes using internet all work, its just IE. Also, in about 10 minutes I received 5 trojans (TROJ_SMALL.FZ and TROJ_SPYBANK.A). I use TrendMicro Corporate edition and AdAware SE Personal. I removed everything Ad-aware found but the trojans found by Trend Micro cannot be cleaned. I also ran Spybot and got rid of what it found. It might also be useful to know that CWShredder found nothing.

    I use Windows XP Professional SP2. Its is run on an IBM Thinkpad T42p. I am at a loss as to what to do, can you please help me asap? This is severely affecting my work.

    Thank you,

    Frederick

    Logfile of HijackThis v1.99.0
    Scan saved at 15:27:26, on 13.02.2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\System32\Fast.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\System32\RegSrvc.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\System32\CCM\CcmExec.exe
    C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
    C:\IBMTOOLS\UTILS\ibmprc.exe
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\WINDOWS\system32\RunDll32.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
    C:\WINDOWS\system32\ICO.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\CyberLink\PowerVCRII\Agent.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\Program Files\Creative\ShareDLL\Mediadet.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Creative\NOMAD Jukebox Zen\PlayCenter2\CTNMRun.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\WINDOWS\system32\CSRSSU.EXE
    C:\WINDOWS\system32\CTFMON32.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
    C:\Program Files\IBM\Bluetooth Software\BTTray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Computer Alarm Clock\cac.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Documents and Settings\fwollaert\Desktop\Spyware-Hijack-Virus killers\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://sis
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=proxy.root.ehl.ch:8080;gopher=proxy.root.ehl.ch:8080;http=proxy.root.ehl.ch:8080;https=proxy.root.ehl.ch:8080;socks=proxy.root.ehl.ch:1080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = galopa;apps.sis;sis;arbok;*.aehl.ch;*.aehl.net;*.aehl.org;*.ehl.ch;*.ehl.edu;*.lhcconsulting.com;*.lhc-consulting.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SEDP Class - {3BA765C2-08DB-4fe2-9279-311CA10D582A} - C:\WINDOWS\sehlp.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O3 - Toolbar: SToolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\stlbd.dll
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
    O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [frymxins] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
    O4 - HKLM\..\Run: [UC_Start] C:\Program Files\IBM\Updater\\ucstartup.exe
    O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\\ibmmessages.exe
    O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
    O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [BackgroundSwitcher] C:\WINDOWS\System32\bgswitch.exe
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [Agent] "C:\Program Files\CyberLink\PowerVCRII\Agent.exe"
    O4 - HKLM\..\Run: [Remote_Agent] "C:\Program Files\CyberLink\PowerVCRII\RemoteAgent.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\NOMAD Jukebox Zen\PlayCenter2\CTNMRun.exe"
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [CSRSSU] C:\WINDOWS\system32\CSRSSU.EXE
    O4 - HKCU\..\Run: [msjava critical update] c:\windows\jjfixer.exe
    O4 - HKCU\..\Run: [CTFMON32] C:\WINDOWS\system32\CTFMON32.EXE
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Envoyer à &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O13 - DefaultPrefix:
    O13 - WWW Prefix:
    O14 - IERESET.INF: START_PAGE_URL=http://sis
    O15 - Trusted Zone: http://*.apps.sis
    O15 - Trusted Zone: http://apps.sis.root.ehl.ch
    O15 - Trusted Zone: http://sis.ehl.ch
    O15 - Trusted Zone: http://sis.root.ehl.ch
    O15 - Trusted Zone: http://*.sis
    O15 - Trusted Zone: http://*.apps.sis (HKLM)
    O15 - Trusted Zone: http://apps.sis.root.ehl.ch (HKLM)
    O15 - Trusted Zone: http://sis.ehl.ch (HKLM)
    O15 - Trusted Zone: http://sis.root.ehl.ch (HKLM)
    O15 - Trusted Zone: http://*.sis (HKLM)
    O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://sis.ehl.ch/dana-cached/setup/NeoterisSetup.cab
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/10.01.0004/OCI/setup.exe
    O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://sis/sis/Portal/resources/msddsc.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102445188836
    O16 - DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} (download_35mb_com.applet) - http://download.35mb.com/images/downloadapplet.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = student.root.ehl.ch
    O17 - HKLM\Software\..\Telephony: DomainName = student.root.ehl.ch
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = student.root.ehl.ch
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = student.root.ehl.ch
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
    O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Bluetooth Service - WIDCOMM, Inc. - C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: IBM Rapid Restore Ultra Service - Unknown - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    O23 - Service: IBM PM Service - Unknown - C:\WINDOWS\System32\ibmpmsvc.exe
    O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: OfficeScanNT RealTime Scan - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: IBM PSA Access Driver Control - Unknown - C:\WINDOWS\system32\PsaSrv.exe (file missing)
    O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: OfficeScanNT Listener - Unknown - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    O23 - Service: IBM KCU Service - Unknown - C:\WINDOWS\system32\TpKmpSVC.exe
     
  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Where in CH are you, I lived in Geneve for 3 years.

    You really need to look into shutting down some of your startup items, you have a TON! Especially all of the TP utilities, do you really need all of them?

    Print this and boot to safe mode
    Fix these with HJT

    O2 - BHO: SEDP Class - {3BA765C2-08DB-4fe2-9279-311CA10D582A} - C:\WINDOWS\sehlp.dll

    O3 - Toolbar: SToolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\stlbd.dll

    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    Removing this is up to you, but I would ad ware – also remove in add/remove

    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart

    O4 - HKCU\..\Run: [CSRSSU] C:\WINDOWS\system32\CSRSSU.EXE

    O4 - HKCU\..\Run: [msjava critical update] c:\windows\jjfixer.exe

    O4 - HKCU\..\Run: [CTFMON32] C:\WINDOWS\system32\CTFMON32.EXE

    O23 - Service: IBM PSA Access Driver Control - Unknown - C:\WINDOWS\system32\PsaSrv.exe (file missing)


    View Hidden Files
    Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
    Make sure that "Show hidden files and folders" is checked.
    Also uncheck "Hide protected operating system files".
    Now click "Apply to all folders", Click "Apply" then "OK"

    Delete these files
    C:\WINDOWS\sehlp.dll
    C:\WINDOWS\stlbd.dll
    C:\WINDOWS\system32\CSRSSU.EXE
    c:\windows\jjfixer.exe
    C:\WINDOWS\system32\CTFMON32.EXE

    START – RUN – key in %temp% OK - Edit – Select all – File – Delete
    Empty the recycle bin
    Boot and post a new log
     
  3. Tifosi2003

    Tifosi2003 Thread Starter

    Joined:
    Feb 13, 2005
    Messages:
    9
    Ok, thanks a lot for the help, at least I have my browser back (almost completely). In answer to your question MFDnSC, I study in Lausanne, at the Ecole Hoteliere de Lausanne.

    I have some new problems now, as I got a few more trojans in (despite not surfing the net whatsoever). I now get a a desktop background saying "you are in danger". The strange thing about it is that its an html file, and after deleting it my background flickers between grey and white. Also, I have the yellow triangle with an exclamation mark in my task tray, whcih every now and so often pops up to tell me my computer is at risk, spyware has been detected and I have no protection.

    Please help me with this anyone...

    Thank you

    Logfile of HijackThis v1.99.0
    Scan saved at 00:47:54, on 16.02.2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    C:\WINDOWS\System32\Fast.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\System32\RegSrvc.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\WINDOWS\system32\TpKmpSVC.exe
    C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINDOWS\System32\CCM\CcmExec.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\TpShocks.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\IBMTOOLS\UTILS\ibmprc.exe
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\WINDOWS\System32\taskswitch.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\WINDOWS\system32\ICO.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\CyberLink\PowerVCRII\Agent.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
    C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\IBM\Bluetooth Software\BTTray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\fwollaert\Desktop\Spyware-Hijack-Virus killers\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=proxy.root.ehl.ch:8080;gopher=proxy.root.ehl.ch:8080;http=proxy.root.ehl.ch:8080;https=proxy.root.ehl.ch:8080;socks=proxy.root.ehl.ch:1080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = galopa;apps.sis;sis;arbok;*.aehl.ch;*.aehl.net;*.aehl.org;*.ehl.ch;*.ehl.edu;*.lhcconsulting.com;*.lhc-consulting.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O4 - HKLM\..\Run: [S3TRAY2] "S3Tray2.exe"
    O4 - HKLM\..\Run: [ATIModeChange] "Ati2mdxx.exe"
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe " irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [TPKMAPHELPER] "C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe " -helper
    O4 - HKLM\..\Run: [TpShocks] "TpShocks.exe"
    O4 - HKLM\..\Run: [BMMLREF] "C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE"
    O4 - HKLM\..\Run: [BMMMONWND] "rundll32.exe " C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
    O4 - HKLM\..\Run: [TP4EX] "tp4ex.exe"
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [frymxins] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
    O4 - HKLM\..\Run: [UC_Start] "C:\Program Files\IBM\Updater\\ucstartup.exe"
    O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] "C:\WINDOWS\system32\dla\tfswctrl.exe"
    O4 - HKLM\..\Run: [IBMPRC] "C:\IBMTOOLS\UTILS\ibmprc.exe"
    O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKLM\..\Run: [BMMGAG] "RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor"
    O4 - HKLM\..\Run: [BackgroundSwitcher] "C:\WINDOWS\System32\bgswitch.exe"
    O4 - HKLM\..\Run: [CoolSwitch] "C:\WINDOWS\System32\taskswitch.exe"
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [HPHUPD05] "C:\Program Files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe"
    O4 - HKLM\..\Run: [HPHmon05] "C:\WINDOWS\System32\hphmon05.exe"
    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] "ICO.EXE"
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [PRONoMgrWired] "C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe"
    O4 - HKLM\..\Run: [Agent] "C:\Program Files\CyberLink\PowerVCRII\Agent.exe"
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
    O4 - HKLM\..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CAMTRAY.EXE"
    O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
    O4 - Global Startup: BTTray.lnk = C:\Program Files\IBM\Bluetooth Software\BTTray.exe
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Envoyer à &Bluetooth - C:\Program Files\IBM\Bluetooth Software\btsendto_ie_ctx.htm
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
    O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\IBM\Bluetooth Software\btsendto_ie.htm
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://sis
    O15 - Trusted Zone: http://*.apps.sis
    O15 - Trusted Zone: http://apps.sis.root.ehl.ch
    O15 - Trusted Zone: http://sis.ehl.ch
    O15 - Trusted Zone: http://sis.root.ehl.ch
    O15 - Trusted Zone: http://*.sis
    O15 - Trusted Zone: http://*.apps.sis (HKLM)
    O15 - Trusted Zone: http://apps.sis.root.ehl.ch (HKLM)
    O15 - Trusted Zone: http://sis.ehl.ch (HKLM)
    O15 - Trusted Zone: http://sis.root.ehl.ch (HKLM)
    O15 - Trusted Zone: http://*.sis (HKLM)
    O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://sis.ehl.ch/dana-cached/setup/NeoterisSetup.cab
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientInstall/10.01.0004/OCI/setup.exe
    O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://sis/sis/Portal/resources/msddsc.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102445188836
    O16 - DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} (download_35mb_com.applet) - http://download.35mb.com/images/downloadapplet.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = student.root.ehl.ch
    O17 - HKLM\Software\..\Telephony: DomainName = student.root.ehl.ch
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = student.root.ehl.ch
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = student.root.ehl.ch
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
    O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Bluetooth Service - WIDCOMM, Inc. - C:\Program Files\IBM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: IBM Rapid Restore Ultra Service - Unknown - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
    O23 - Service: IBM PM Service - Unknown - C:\WINDOWS\System32\ibmpmsvc.exe
    O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: OfficeScanNT RealTime Scan - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: OfficeScanNT Listener - Unknown - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    O23 - Service: IBM KCU Service - Unknown - C:\WINDOWS\system32\TpKmpSVC.exe

    P.S. Adaware, Spybot and TrendMicro came up with nothing
     
  4. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Your log is clean

    Give this a look

    Go to Control Panel > Display.
    Click on the "Desktop" tab then click the "Customize Desktop" button.
    Click on the "Web" tab.
    Under "Web Pages" you should see an entry checked called something like "Security" or similar.
    Select that entry and click the "Delete" button. Click OK then Apply and OK.

    That yellow triangle I think is Sp2 security center, go to control panel and security system, do you have auto updates turned off?
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/329927

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice