• We’re currently investigating an issue related to the forum theme and styling that is impacting page layout and visual formatting. The problem has been identified, and we are actively working on a resolution. There is no impact to user data or functionality, this is strictly a front-end display issue. We’ll post an update once the fix has been deployed. Thanks for your patience while we get this sorted.

Guide to Removing and Preventing Spyware/Adware/Hijacking/Viruses

Page 11 - Seeking answers? Join the AnandTech community: where nearly half-a-million members share solutions and discuss the latest tech.
Schadenfroh....

I'm copying my post from the other thread, just to save some time, and then I will cut-n-past the HijackThis log here as wel.....per your request. I hope you can find something. I've been loking thru the log, but can't really tell what might be safe to delete and what not to. Oh well....here goes and thanks again!!
------------------------------------------------------------------------------------------------------------------------Original Post From Other Thread:

Hi all....

Somehow I managed to get some kind of scumware loaded onto my system.

I have a fairly clean, XP Home box with IE 6.0, with Spybot, Ad-Aware, and ZoneAlarm loaded on it. I also am using the Grisoft AVG Antivirus software. I update each of these about once per 2 week intervals. I have run them all, at least twice......

......but.....

.....somehow my home page is being redirected to here: http://a-search.biz/?wmid=1010

Be careful with that....I don't know how poisonous it is!

Anyway....I have checked my home page in tools/options/advanced it is as I have set it....my home page. What hapens is, when I launch a new page from say, the start menu the page opens and quickly gives an "Action Canceled" notice, and then launches to the link I gave above. The it displays a dialog about my 'current settings prohibit ActiveX from running'.

I am unable to re-install the Google toolbar. I ahve tried to re-install it 2-3 times now and it will not take. The folder for it is still alive, but something is catching it and preventing it from being active.

I've looked thru the Registry & the Windows folder.......couldn't find anything obvious....looked thru the Programs folder.....there is a mysterious file called "pl.exe" that I have not seen before. I have deleted it 2-3 times, but it keeps coming back. So that is a clue. Ad-Aware found, and removed a registry entry. I thought that would do it, but apparently it has not.

On the Taskbar is an entry, like what a minimized program would look like when it's sitting there, but it will not open or maximize. Its title is just "about:blank Trusted Start Page".

I have looked in "msconfig" for entries listed there, but there is nothing. This is a tuffie! I can't figure this one out, and I do not (apparently) have te tools to tackle this one!

I have also tried a couple online scanners...with ZA turned off.....and nothing.

Anyone know how I can get rid of this demon from hell!?

Thanks
-------------------------------------------------------------------------------------------------------------------------
LOG File From HijackThis

Logfile of HijackThis v1.98.2
Scan saved at 11:25:27 PM, on 9/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\ClocX\ClocX.exe
C:\Program Files\Iconoid\iconoid.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Misc\Applications\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.answerway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.icon.rite2u.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.icon.rite2u.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yi...t/applet/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yi...applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840.../housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/downloa...uite/yautocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1739A3F2-60BE-4B16-AD0A-91D176FC4C0D}: NameServer = 207.69.188.187 207.69.188.186

--------------------------------------------------------------------------------------------------------------------------
<end>



Thanks again......!!!!


bluto
 
I think I goofed when I sent this, so here it is again. Sorry all if this shows up twice! arrrgh!


Schadenfroh....

I'm copying my post from the other thread, just to save some time, and then I will cut-n-past the HijackThis log here as wel.....per your request. I hope you can find something. I've been loking thru the log, but can't really tell what might be safe to delete and what not to. Oh well....here goes and thanks again!!
------------------------------------------------------------------------------------------------------------------------Original Post From Other Thread:

Hi all....

Somehow I managed to get some kind of scumware loaded onto my system.

I have a fairly clean, XP Home box with IE 6.0, with Spybot, Ad-Aware, and ZoneAlarm loaded on it. I also am using the Grisoft AVG Antivirus software. I update each of these about once per 2 week intervals. I have run them all, at least twice......

......but.....

.....somehow my home page is being redirected to here: http://a-search.biz/?wmid=1010

Be careful with that....I don't know how poisonous it is!

Anyway....I have checked my home page in tools/options/advanced it is as I have set it....my home page. What hapens is, when I launch a new page from say, the start menu the page opens and quickly gives an "Action Canceled" notice, and then launches to the link I gave above. The it displays a dialog about my 'current settings prohibit ActiveX from running'.

I am unable to re-install the Google toolbar. I ahve tried to re-install it 2-3 times now and it will not take. The folder for it is still alive, but something is catching it and preventing it from being active.

I've looked thru the Registry &amp; the Windows folder.......couldn't find anything obvious....looked thru the Programs folder.....there is a mysterious file called "pl.exe" that I have not seen before. I have deleted it 2-3 times, but it keeps coming back. So that is a clue. Ad-Aware found, and removed a registry entry. I thought that would do it, but apparently it has not.

On the Taskbar is an entry, like what a minimized program would look like when it's sitting there, but it will not open or maximize. Its title is just "about:blank Trusted Start Page".

I have looked in "msconfig" for entries listed there, but there is nothing. This is a tuffie! I can't figure this one out, and I do not (apparently) have te tools to tackle this one!

I have also tried a couple online scanners...with ZA turned off.....and nothing.

Anyone know how I can get rid of this demon from hell!?

Thanks
-------------------------------------------------------------------------------------------------------------------------
LOG File From HijackThis

Logfile of HijackThis v1.98.2
Scan saved at 11:25:27 PM, on 9/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\ClocX\ClocX.exe
C:\Program Files\Iconoid\iconoid.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Misc\Applications\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.answerway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.icon.rite2u.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &amp;Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &amp;Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &amp;Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &amp;WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&amp;xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.icon.rite2u.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yi...t/applet/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yi...applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840.../housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/downloa...uite/yautocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1739A3F2-60BE-4B16-AD0A-91D176FC4C0D}: NameServer = 207.69.188.187 207.69.188.186

--------------------------------------------------------------------------------------------------------------------------
<end>



Thanks again......!!!!


bluto
 
Hello Bluto,

Before you do anything
1. Make sure that you have extracted HiJackthis to a folder that is isolated before removing anything, for hijackthis makes backups within the folder it is in.
2. Disable system restore, malware can come back through it.
3. Reboot into safe mode.
4. Close all browsers/windows explorer.

fix the following in hijackthis(kill the process in process viewer, if its there)
  • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.answerway.com/
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.icon.rite2u.com
  • O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
  • O8 - Extra context menu item: &amp;WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
  • O14 - IERESET.INF: START_PAGE_URL=http://www.icon.rite2u.com
  • O17 - HKLM\System\CCS\Services\Tcpip\..\{1739A3F2-60BE-4B16-AD0A-91D176FC4C0D}: NameServer = 207.69.188.187 207.69.188.186

Additional Steps

1. Clear your Temporary Files
2. Restart into normal windows

 
schadenfroh,

THANK YOU SO MUCH! you like saved my life! i'm using my bf's computer and when this problem came on i freaked out and have spent the whole day trying to figure out what to do but youc ame to the rescue 🙂. thanks so much. i am posting the new hijack after the extensive clean up. please let me know if i missed something. the only new item i found, which might needs to be removed, is

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

please let me know if there's anything else. also, can i turn system restore back on again? again, THANK YOU so much!!!!

-julez000



Logfile of HijackThis v1.98.2
Scan saved at 11:10:00 PM, on 9/21/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system32\qttask.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\iPod\bin\iPodManager.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\David Jacobsohn\Desktop\New Folder\hijack\HijackThis.exe
C:\Program Files\Common Files\Real\Update_OB\rndal.exe
C:\Program Files\Common Files\Real\Update_OB\rndal.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &amp;Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\windows\system32\qttask.exe
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O8 - Extra context menu item: E&amp;xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes12031.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes12031.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople

 
🙁

Good try Schadenfroh, but this did not help my situation. I still have te asme problem. I followed your recommendations to the letter, unfortnuately I still have no googla bar, and my web pages are still redirected to the same place in the same way.

Do you have any other suggestions that might help?

Thanks!

bluto
 
Originally posted by: Schadenfroh
Hello johnjohn320, Next time that search page rears its ugly head, please post your hijackthis log, so i can identify what infection you have and how to kill it for good.
Click to expand...

Logfile of HijackThis v1.98.2
Scan saved at 11:23:24 PM, on 9/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\SLIHDKOS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Scott\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F4B248BC-A456-4148-A98A-A70B14261A46} - C:\WINDOWS\System32\ogmb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: &amp;Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &amp;Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AOL Instent Messenger] SLIHDKOS.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ITNow] C:\Program Files\Indiana University\ITnow Client\ITNow.exe /nosplash /min
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\RunOnce: [GrpConv] grpconv.exe -o
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [AOL Instent Messenger] SLIHDKOS.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &amp;Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &amp;Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdl...cabs/FPDC_1_0_0_44.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O18 - Filter: text/html - {71B52D07-8E9F-4D79-ABD5-768B426A7B10} - C:\WINDOWS\System32\ogmb.dll
O18 - Filter: text/plain - {71B52D07-8E9F-4D79-ABD5-768B426A7B10} - C:\WINDOWS\System32\ogmb.dll

Thanks for all you do, Schadenfroh 🙂
 
Originally posted by: Bluto
🙁

Good try Schadenfroh, but this did not help my situation. I still have te asme problem. I followed your recommendations to the letter, unfortnuately I still have no googla bar, and my web pages are still redirected to the same place in the same way.

Do you have any other suggestions that might help?

Thanks!

bluto
Click to expand...

uninstall the googlebar from control panel, run kill2me and vx2 cleaner. If those fail, use winsockfix to reset your host files. Then post your hijackthis log. after i have a look at it, reinstall the google toolbar.
 
Hello johnjohn320,

Before you do anything
1. Disable system restore, malware can come back through it.
2. Reboot into safe mode.
3. Close all browsers/windows explorer.

fix the following in hijackthis(kill the process in process viewer, if its there)
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
  • R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
  • R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
  • O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
  • O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
  • O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
  • O2 - BHO: (no name) - {F4B248BC-A456-4148-A98A-A70B14261A46} - C:\WINDOWS\System32\ogmb.dll
  • O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
  • O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
  • O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
  • O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
  • O8 - Extra context menu item: &amp;Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
  • O18 - Filter: text/html - {71B52D07-8E9F-4D79-ABD5-768B426A7B10} - C:\WINDOWS\System32\ogmb.dll
  • O18 - Filter: text/plain - {71B52D07-8E9F-4D79-ABD5-768B426A7B10} - C:\WINDOWS\System32\ogmb.dll
Additional Steps

1. Run about:buster.
2. Clear your Temporary Files
3. Remove the following VIA instructions provided:
4. Delete the following files:
  • C:\WINDOWS\System32\ogmb.dll
5. Delete the following folders:
  • C:\Program Files\Viewpoint
  • C:\WINDOWS\system32\dla
  • C:\Program Files\WildTangent\
6 .Restart into normal windows

Notes

  • 1. You are/were infected with the dreaded about:blank hijack, use about:buster to fix it.
 
julez000

Your log is looking much cleaner, remove the following and it should finish it up🙂:

[*]O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
[*]O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
 
KavinCross

Welcome to the forums, dont think i have forgot about you🙂, i have run out of time for hijackthislogging as of now, i will be off from work/school in about 12 hours and i will have you a solution by then.
 
Hi Shoenfroh....


uninstall the googlebar from control panel, run kill2me and vx2 cleaner. If those fail, use winsockfix to reset your host files. Then post your hijackthis log. after i have a look at it, reinstall the google toolbar.
Click to expand...

Thanks for the suggestion. I downloaded the proggys and sent them to myself as a zip. I'll open them and try them tonight after I get home. I didn't think of uninstalling the google toolbar. What I did to tho is re-download it and install it, but that didn't help either.

bluto
 
Originally posted by: Schadenfroh
KavinCross

Welcome to the forums, dont think i have forgot about you🙂, i have run out of time for hijackthislogging as of now, i will be off from work/school in about 12 hours and i will have you a solution by then.
Click to expand...

Not a problem, my man. Your help is mega appreciated.
 
Logfile of HijackThis v1.98.2
Scan saved at 12:54:30 PM, on 9/22/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Aodhan\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.technet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [NvMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O8 - Extra context menu item: E&amp;xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.accountonline.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - <a target=_blank class=ftalternatingbarlinklarge href="https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab">https://webresponse.one.mic......ActiveX/winrep.cab</a>
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.micros...site.cab?1092918260694
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - <a target=_blank class=ftalternatingbarlinklarge href="https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab">https://webresponse.one.mic......tiveX/FileXfer.cab</a>
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/downl...gerSetupDownloader.cab

-------------------------------------------------------------------------------------------------------------------------

I never knew you were doing all this stuff and I'm impressed!
 
Here is a copy of the HJT log . I have run spybot, the ccleaner, and hjt. I removed many things, but upon restart, still found it like so:

Logfile of HijackThis v1.97.7
Scan saved at 11:23:05 AM, on 9/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\netia32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
C:\PROGRA~1\COMMON~1\RESEAR~1\RIMDEV~1\RIMDEV~1.EXE
C:\PROGRA~1\COMMON~1\RESEAR~1\USBDRI~1\BbDevMgr.exe
C:\WINDOWS\winzm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gtldu.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gtldu.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\gtldu.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gtldu.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gtldu.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\gtldu.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\gtldu.dll/sp.html#29126
O2 - BHO: (no name) - {33AC10E4-94BE-C3D0-855D-41F27DCEDD3D} - C:\WINDOWS\system32\msny.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [MSI_UDAgent] "C:\WINDOWS\System32\udagent.exe" -c
O4 - HKLM\..\Run: [EchoPrg] "C:\Program Files\iManage\portbl32.exe" -DS20
O4 - HKLM\..\Run: [CheckMarimba] C:\windows\drivers\scripts\CheckMarimba.exe
O4 - HKLM\..\Run: [winzm.exe] C:\WINDOWS\winzm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &amp;Related Links (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...7888.5855208333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/ge...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwe.webex.com/client/v_mywe...bex/ieatgpc.cab

 
I posted this earlier today in Networking and was told I ought to try it here. I don't have an HJT log and won't have access to the system until after this weekend (at which point I can get one), but I haven't been able to really find ANY information on this problem...

------------------------------------------------------------------------------------------------------------------------

I got a request from a friend of mine the other day to see if I could give his mom a hand with her computer; she was having all sorts of problems with it, and her email access (through Outlook Express) had broken.

So I went over yesterday to take a look, and she had (of course) a ton of spyware on there. She said it had gotten worse after one of her friends' kids had used the system a week or two ago (again, unsurprising). She had an older version of Ad-Aware (which I had put on there a while back), so I updated it, put Spybot on there as well, and ran it through Trend Micro Housecall. I also fixed her OE settings (which had somehow been overwritten by something else; her POP3 server was just set to the wrong thing), and then that was working.

The problem is that there still seems to be a browser hijack of some sort on there. Every 5 minutes or so, an IE window pops up (just out of the blue, even if you aren't doing *anything*) pointing to 69.20.56.3/yyy.10 or www.ad-w-a-r-e.com, which then redirects to various other places. Spybot's 'bad website blocking' stops it from loading the site (and the redirect), but the IE windows still show up! When I scan, Ad-Aware comes up clean. Spybot finds a few items, and says it's removing them, but they come back after you reboot, and the problem never goes away. Edit: I guess the "DSO Exploit" items Spybot is finding are a bug and not really the source of my problem.

I googled trying to find more information on this, and I found a few threads like this on different forums, but nobody has a way to get rid of it! Seems like this may be a new bug...

Anyway, I'm wondering if anybody has any better information on this issue, or a way to get rid of it... I'd really like to get her system cleaned up. Thanks...
 
Hello KavinCross,

Before you do anything
1. Disable system restore, malware can come back through it.
2. Reboot into safe mode.
3. Close all browsers/windows explorer.

fix the following in hijackthis(kill the process in process viewer, if its there)
  • R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/googlesidesearch.html
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.begin2search.com/googlesidesearch.html
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.begin2search.com/googlesidesearch.html
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
  • R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
  • R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
  • O2 - BHO: (no name) - SOFTWARE - (no file)
  • O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
  • O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\SYSTEM32\winb2s32.dll
  • O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
  • O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
  • O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
  • O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\SYSTEM32\winb2s32.dll
  • O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
  • O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
  • O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
  • O4 - HKLM\..\Run: [jcckajmmguz] C:\WINDOWS\System32\zkgueb.exe
  • O4 - HKLM\..\Run: [] C:\WINDOWS\System32\
  • O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\ezstub.exe
  • O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.grif.tv/nsvplayx_vp3_mp3.cab
  • O16 - DPF: {E123BED4-B8C7-42BB-958F-F13CA77EF95D} (Anark Client ActiveX Control) - http://install.anark.com/clien...ows-ie/en/AMClient.cab
  • O17 - HKLM\System\CCS\Services\Tcpip\..\{25D7BC4D-FF6A-4A17-B319-6AB3CA29BF1A}: NameServer = 66.80.130.23,66.80.131.5
  • O17 - HKLM\System\CS1\Services\Tcpip\..\{25D7BC4D-FF6A-4A17-B319-6AB3CA29BF1A}: NameServer = 66.80.130.23,66.80.131.5
  • O17 - HKLM\System\CS2\Services\Tcpip\..\{25D7BC4D-FF6A-4A17-B319-6AB3CA29BF1A}: NameServer = 66.80.130.23,66.80.131.5

Additional Steps

1. Clear your Temporary Files
2. Remove the following VIA instructions provided:
3. Delete the following files:
  • C:\WINDOWS\localNRD.dll
  • C:\WINDOWS\SYSTEM32\winb2s32.dll
  • C:\WINDOWS\System32\nvms.dll
  • C:\WINDOWS\System32\mscb.dll
  • C:\WINDOWS\System32\msbe.dll
  • C:\WINDOWS\System32\idctup20.exe
  • C:\WINDOWS\System32\zkgueb.exe
  • C:\WINDOWS\ezstub.exe
4. Delete the following folder:
  • C:\Program Files\TV Media\
5.Restart into normal windows
 
Hello Y2J,

Before you do anything
1. Upgrade to the lastest version of hijackthis.
2. Make sure that you have extracted HiJackthis to a folder that is isolated before removing anything, for hijackthis makes backups within the folder it is in.
3. Disable system restore, malware can come back through it.
4. Reboot into safe mode.
5. Close all browsers/windows explorer.

fix the following in hijackthis(kill the process in process viewer, if its there)
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gtldu.dll/sp.html#29126
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gtldu.dll/sp.html#29126
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\gtldu.dll/sp.html#29126
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gtldu.dll/sp.html#29126
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gtldu.dll/sp.html#29126
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\gtldu.dll/sp.html#29126
  • R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\gtldu.dll/sp.html#29126
  • O2 - BHO: (no name) - {33AC10E4-94BE-C3D0-855D-41F27DCEDD3D} - C:\WINDOWS\system32\msny.dll
  • O4 - HKLM\..\Run: [MSI_UDAgent] "C:\WINDOWS\System32\udagent.exe" -c
  • O4 - HKLM\..\Run: [CheckMarimba] C:\windows\drivers\scripts\CheckMarimba.exe THIS MIGHT BE SOMETHING YOU BUT IN THERE, IF A DEVICE STOPS WORKING, RESTORE IT FROM A BACKUP)
  • O4 - HKLM\..\Run: [winzm.exe] C:\WINDOWS\winzm.exe
  • O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - <a target=_blank class=ftalternatingbarlinklarge href="https://mwe.webex.com/client/v_mywe...bex/ieatgpc.cab"><a target=_blank class=ftalternatingbarlinklarge href="https://mwe.webex.com/client/v_mywe...bex/ieatgpc.cab">https://mwe.webex.com/cl.........ex/ieatgpc.cab</a></a>
Additional Steps
1. Run about:buster.
2. Clear your Temporary Files.
3. Delete the following files:
  • C:\WINDOWS\winzm.exe
  • C:\WINDOWS\system32\msny.dll
4.Restart into normal windows
Notes

  • 1. You have been owned by the dreaded about:blank hijack, use about:buster to correct.
 
uninstall the googlebar from control panel, run kill2me and vx2 cleaner. If those fail, use winsockfix to reset your host files. Then post your hijackthis log. after i have a look at it, reinstall the google toolbar.
Click to expand...


I followed these instructions......below is the HijackThis log file. I'm sorry to report, that my browser is *still* being hijacked.......the same stuff is going on.

Ideas pleeeeease?

Thank you for your help!

🙂



Logfile of HijackThis v1.98.2
Scan saved at 8:41:58 PM, on 9/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Misc\Applications\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.answerway.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &amp;Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&amp;xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yi...t/applet/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yi...applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840.../housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/downloa...uite/yautocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1739A3F2-60BE-4B16-AD0A-91D176FC4C0D}: NameServer = 207.69.188.187 207.69.188.186

 
Bluto, if the following does not fix it, report it to spywareinfo with your hijackthis log, and ask them for a solution, link to it if provided for future reference.

[*]R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.answerway.com/
[*]O17 - HKLM\System\CCS\Services\Tcpip\..\{1739A3F2-60BE-4B16-AD0A-91D176FC4C0D}: NameServer = 207.69.188.187 207.69.188.186
 
I think I posted in the wrong area - I am new....... sorry. Also - anyone know anything about Phantom gaming?
----
my log:
Logfile of HijackThis v1.97.7
Scan saved at 7:02:20 PM, on 9/22/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\S3apphk.exe
C:\Program Files\Verizon Online\VisualIPInsight\IPClient.exe
C:\Program Files\Verizon Online\VisualIPInsight\IPMon32.exe
C:\WINDOWS\System32\shpc32.exe
C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\Owner\Application Data\eber.exe
C:\WINDOWS\System32\m?iexec.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\ipv6mon.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.net/bookmar...d=5.0&amp;bm=ho_search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us5.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.projo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us5.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us5.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us5.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.projo.com/
O1 - Hosts: 65.120.116.172 mini.aimster.com
O1 - Hosts: 65.120.116.173 lite.aimster.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {68D9352B-9367-3AC6-D253-10550B832043} - C:\WINDOWS\System32\kccqk.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &amp;hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &amp;Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Verizon Online\VisualIPInsight\IPMon32.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [xkstartup] RunDll32 insxk50c.dll,SetUsbPrinterPort
O4 - HKLM\..\Run: [SHPC32] shpc32.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\ScanSoft\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\eber.exe
O4 - HKCU\..\Run: [d3dim700] C:\WINDOWS\System32\d3dim700.exe
O4 - HKCU\..\Run: [ipv6mon] C:\WINDOWS\System32\ipv6mon.exe
O4 - HKCU\..\Run: [Uobvovjh] C:\WINDOWS\System32\m?iexec.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O8 - Extra context menu item: &amp;AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&amp;xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: MktBrowser (HKLM)
O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/app...perbingo-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/appl...reenback-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://mahjong2.pogo.com/apple.../mahjong-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.pogo.com/app...terwheel-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://flinger.pogo.com/applet.../flinger-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet-5...fu/popfu-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/app...uelchies-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game5.pogo.com/applet-5...ks/peaks-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown2.pogo.com/app...hackdown-ob-assets.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.co...es/clients/y/tt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.co...s/clients/y/potc_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com...e/cabs/director/sw.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/...901338C922/wmv9VCM.CAB
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - file://c:\x.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aol125.pogo.com/game/de...ma/popcaploader_v5.cab

 
Hello suzee401,

Before you do anything
1. Make sure that you have extracted HiJackthis to a folder that is isolated before removing anything, for hijackthis makes backups within the folder it is in.
2. Disable system restore, malware can come back through it.
3. Reboot into safe mode.
4. Close all browsers/windows explorer.

fix the following in hijackthis(kill the process in process viewer, if its there)
  • O1 - Hosts: 65.120.116.172 mini.aimster.com
    O1 - Hosts: 65.120.116.173 lite.aimster.com
    O2 - BHO: (no name) - {68D9352B-9367-3AC6-D253-10550B832043} - C:\WINDOWS\System32\kccqk.dll
    O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\eber.exe
    O4 - HKCU\..\Run: [d3dim700] C:\WINDOWS\System32\d3dim700.exe
    O4 - HKCU\..\Run: [ipv6mon] C:\WINDOWS\System32\ipv6mon.exe
    O4 - HKCU\..\Run: [Uobvovjh] C:\WINDOWS\System32\m?iexec.exe
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

Additional Steps
1. Clear your Temporary Files
2. Delete the following files:
  • C:\Documents and Settings\Owner\Application Data\eber.exe
    • C:\WINDOWS\System32\d3dim700.exe
    • C:\WINDOWS\System32\ipv6mon.exe
    • C:\WINDOWS\System32\m?iexec.exe
    • C:\WINDOWS\System32\kccqk.dll
    3.Restart into normal windows

    Notes

    • 1. Lots of junk in there, let me know if you want me to tell you what to "fix" in hijackthis to speed things up a lil. that is just the stuff that looked malaicious that i told you to remove.
 
Would you mind taking at look at my log?

I ran Adaware, spybot, and Norton before making the log. The only item I see that I'm unsure of is:

O3 - Toolbar: &amp;Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

Thanks in advance.

Logfile of HijackThis v1.98.2
Scan saved at 5:17:22 PM, on 9/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
E:\Download\Programs\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\Adobe\Acrobat Reader 5\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &amp;Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yi...applet/v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/15...QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.micros...site.cab?1093815266812
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/S...t/common/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com/component...opricer/autopricer.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

 
heres my log file

Logfile of HijackThis v1.98.2
Scan saved at 5:04:23 PM, on 9/23/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Brian\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.co.../ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.co.../ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.co.../ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.co.../ie/defaults/su/ymsgr/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: &amp;Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O8 - Extra context menu item: &amp;Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.co...ucts/housecall_pre.php (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {5DA9A42E-10AB-435D-94B0-97F828C71E51} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {6AB6EA39-BE0C-4F4A-A19C-A282C807D13A} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {75F4968C-4605-407D-8DC3-30F3C1DA52A6} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840.../housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

 
i just made a thread wondering about what processes i can kill or what most of them do, is there a program that will give me that info other than highjack this?
 
You must log in or register to reply here.

TRENDING THREADS

Back
Top