CHIPPER: SPYWARE problem & HijackThis Logs

Discussion in 'adware, spyware & hijack cleaning' started by CHIPPER, Jan 4, 2004.

Thread Status:
Not open for further replies.
  1. CHIPPER

    CHIPPER Registered Member

    Joined:
    Jan 4, 2004
    Posts:
    8
    ON A FORUM I FREQUENT MY COMPUTER KEEPS ADDING ALL KINDS OF LINKS. EVERYTIME THE WORD SPYWARE IS USED, IT IS AUTOMATICALLY HILIGHTED AND UNDERLINED. I HAVE TRIED ADAWARE AND SPYBOT SEARCH AND DESTROY BUT IT SEEMS THE SPYWARE IS STILL IN MY COMPUTER. CAN ANYONE HELP? THANKS.



    - Merged 4 separate threads which were all on the same spyware event together into a single thread so the full picture can be seen - LWM
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Re:SPYWARE

    Hi CHIPPER :)

    Welcome to wilders.

    Could u please follow the instructions at this link

    http://www.wilderssecurity.com/showthread.php?t=15913

    Then post a HighjackThis log.




    snowbound
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Re:SPYWARE

    Hi Chipper,

    Is that forum computing.net? There may be others using that too.
    If so, find a file called func.js and delete it. Then put the forum in your Restricted zone and add this line to your hosts file:
    127.0.0.1 itxt.vibrantmedia.com

    Regards,

    Pieter
     
  4. CHIPPER

    CHIPPER Registered Member

    Joined:
    Jan 4, 2004
    Posts:
    8
    Re:SPYWARE

    THE FORUM IS A CLASSIC MUSTANG SITE. IT IS CALLED MUSTANG STEVE. WE MUSTANG LOVERS ASK AND ANSWER ALL KINDS OF MUSTANG RELATED QUESTIONS. IT IS A VERY GOOD FORUM. MY COMPUTER IS ADDING LINKS TO MY POSTS EVERYTIME I HIT THE "POST" KEY. I WILL FOLLOW THE INSTRUCTIONS FROM MY OTHER REPLY.
    THANKS.
     
  5. CHIPPER

    CHIPPER Registered Member

    Joined:
    Jan 4, 2004
    Posts:
    8
    CHIPPER: MY HIJACK THIS LOG

    THIS IS MY HIJACK LOG. I USED THE ADAWARE SOFTWARE.
    WHEN I POST ON MY FAVORITE FORUM AN UNKNOWN LINK IS ALWAYS
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\cisvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\svchost.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\mwsvm.exe
    C:\WINDOWS\emsw.exe
    C:\WINDOWS\System32\wjview.exe
    C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\CallWave\IAM.exe
    C:\Program Files\couponsandoffers\couponsandoffers.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\DAD'S\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
    C:\Documents and Settings\DAD'S\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50038
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.lookfor.cc/sp.php?p=22776
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.netscape.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lookfor.cc/index.php?p=37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.lookfor.cc/sp.php?p=37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lookfor.cc/index.php?p=37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.lookfor.cc/sp.php?p=37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll
    O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\Documents and Settings\DAD'S\Application Data\iefeatsl\iefeatsl.dll
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O2 - BHO: (no name) - {C3E7D9D1-A28A-49DB-B96C-3EEE1CAE3170} - C:\WINDOWS\System32\inetpjp.dll
    O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\DOCUME~1\DAD'S\APPLIC~1\iefeatsl\msiesh.dll
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [SBHC] C:\Program Files\SuperBar\sbhc.exe
    O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
    O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe
    O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IEDriver.exe
    O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
    O4 - HKLM\..\Run: [couponsandoffers] wjview /cp:p "C:\Program Files\couponsandoffers\System\Code" Main lp: "C:\Program Files\couponsandoffers"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\DAD'S\HXIUL.EXE
    O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\DAD'S\Client\HelpExp.exe
    O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
    O4 - HKCU\..\Run: [ezmmod] C:\PROGRA~1\ezula\mmod.exe
    O4 - Startup: DESKTOP.lnk = ?
    O4 - Global Startup: DESKTOP.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
    O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50038/QDow.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
    O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} (SBFullS Control) - http://www.spyblast.com/download/SBFS.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B2940B9B-C5CE-442B-BA93-7227A41BB639}: NameServer = 209.124.193.250 209.124.203.12

    ADDED.


    - Noticed each no log was in a new thread, merged them together - LWM
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Re:MY HIJACK THIS LOG

    Hi Chipper,

    Before you start please unzip HiojackThis to a folder of it's own. It will not be able to make backups if you run it directly from the zipfolder.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50038
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.lookfor.cc/sp.php?p=22776

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lookfor.cc/index.php?p=37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.lookfor.cc/sp.php?p=37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lookfor.cc/index.php?p=37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.lookfor.cc/sp.php?p=37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

    O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll
    O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll

    O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\Documents and Settings\DAD'S\Application Data\iefeatsl\iefeatsl.dll
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
    O2 - BHO: (no name) - {C3E7D9D1-A28A-49DB-B96C-3EEE1CAE3170} - C:\WINDOWS\System32\inetpjp.dll
    O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\DOCUME~1\DAD'S\APPLIC~1\iefeatsl\msiesh.dll
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

    O4 - HKLM\..\Run: [SBHC] C:\Program Files\SuperBar\sbhc.exe
    O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe

    O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
    O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe
    O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IEDriver.exe
    O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
    O4 - HKLM\..\Run: [couponsandoffers] wjview /cp:p "C:\Program Files\couponsandoffers\System\Code" Main lp: "C:\Program Files\couponsandoffers"

    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\DAD'S\HXIUL.EXE
    O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\DAD'S\Client\HelpExp.exe
    O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
    O4 - HKCU\..\Run: [ezmmod] C:\PROGRA~1\ezula\mmod.exe

    O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50038/QDow.cab

    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB

    O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} (SBFullS Control) - http://www.spyblast.com/download/SBFS.cab

    Then reboot and delete:
    C:\Program Files\Toolbar <= entire folder
    C:\DOCUMENTS AND SETTINGS\DAD'S\APPLICATION DATA\iefeatsl <= entire folder
    C:\Program Files\SuperBar <= entire folder
    C:\Program Files\AUTOUP~1 <= entire folder
    C:\WINDOWS\mwsvm.exe
    C:\WINDOWS\System32\IEDriver <= entire folder
    C:\WINDOWS\emsw.exe
    C:\Program Files\couponsandoffers <= entire folder
    C:\Program Files\Alset\HelpExpress <= entire folder
    C:\Program Files\ClockSync <= entire folder

    Regards,

    Pieter
     
  7. CHIPPER

    CHIPPER Registered Member

    Joined:
    Jan 4, 2004
    Posts:
    8
    SPYWARE PROBLEMS

    THIS IS THE ogfile of HijackThis v1.97.7
    Scan saved at 9:35:30 PM, on 1/6/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\cisvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\svchost.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\mwsvm.exe
    C:\WINDOWS\System32\wjview.exe
    C:\Program Files\Alset\HelpExpress\DAD'S\HXIUL.EXE
    C:\Program Files\Alset\HelpExpress\DAD'S\Client\HelpExp.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\CallWave\IAM.exe
    C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
    C:\Program Files\Alset\HelpExpress\DAD'S\Client\PrintMonitor.exe
    C:\Program Files\couponsandoffers\couponsandoffers.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Documents and Settings\DAD'S\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
    C:\Documents and Settings\DAD'S\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50038
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.lookfor.cc/sp.php?p=22776
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.netscape.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lookfor.cc/index.php?p=37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.lookfor.cc/sp.php?p=37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lookfor.cc/index.php?p=37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.lookfor.cc/sp.php?p=37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?session=501CF574-E8CC-47D9-874F-D3D080928A25&version_id=18
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [SBHC] C:\Program Files\SuperBar\sbhc.exe
    O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
    O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\DAD'S\HXIUL.EXE
    O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\DAD'S\Client\HelpExp.exe
    O4 - Startup: DESKTOP.lnk = ?
    O4 - Global Startup: DESKTOP.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
    O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50038/QDow.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
    O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} (SBFullS Control) - http://www.spyblast.com/download/SBFS.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B2940B9B-C5CE-442B-BA93-7227A41BB639}: NameServer = 209.124.193.250 209.124.203.12

    LOG THAT HIJACK THIS CAME UP WITH.
     
  8. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Re:SPYWARE PROBLEMS

    Hi CHIPPER :)

    Please download and run CWshredder at this link,

    http://www.spywareinfoforum.com/~merijn/files/CWShredder.exe

    Then post a fresh HighjackThis log.





    snowbound
     
  9. CHIPPER

    CHIPPER Registered Member

    Joined:
    Jan 4, 2004
    Posts:
    8
    REPLY TO SPYWARE PROBLEM

    THISof HijackThis v1.97.7
    Scan saved at 9:37:42 AM, on 1/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\cisvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\svchost.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\mwsvm.exe
    C:\WINDOWS\System32\wjview.exe
    C:\Program Files\Alset\HelpExpress\DAD'S\HXIUL.EXE
    C:\Program Files\Alset\HelpExpress\DAD'S\Client\HelpExp.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\CallWave\IAM.exe
    C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
    C:\Program Files\Alset\HelpExpress\DAD'S\Client\PrintMonitor.exe
    C:\Program Files\couponsandoffers\couponsandoffers.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\DAD'S\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50038
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.lookfor.cc/sp.php?p=22776
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.netscape.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lookfor.cc/index.php?p=37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.lookfor.cc/sp.php?p=37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lookfor.cc/index.php?p=37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.lookfor.cc/sp.php?p=37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?session=501CF574-E8CC-47D9-874F-D3D080928A25&version_id=18
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [SBHC] C:\Program Files\SuperBar\sbhc.exe
    O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
    O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\DAD'S\HXIUL.EXE
    O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\DAD'S\Client\HelpExp.exe
    O4 - Startup: DESKTOP.lnk = ?
    O4 - Global Startup: DESKTOP.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
    O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50038/QDow.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
    O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} (SBFullS Control) - http://www.spyblast.com/download/SBFS.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B2940B9B-C5CE-442B-BA93-7227A41BB639}: NameServer = 209.124.193.250 209.124.203.12

    IS MY FRESH HIJACK THIS LOG
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Chipper,

    Please follow these instructions to the letter.
    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50038
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.lookfor.cc/sp.php?p=22776

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lookfor.cc/index.php?p=37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.lookfor.cc/sp.php?p=37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lookfor.cc/index.php?p=37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.lookfor.cc/sp.php?p=37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?session=501CF574-E8CC-47D9-874F-D3D080928A25&version_id=18

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

    O4 - HKLM\..\Run: [SBHC] C:\Program Files\SuperBar\sbhc.exe
    O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe

    O4 - HKLM\..\Run: [AutoUpdater] C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
    O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe

    O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
    O4 - HKCU\..\Run: [HXIUL.EXE] \DAD'S\HXIUL.EXE
    O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\DAD'S\Client\HelpExp.exe

    O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm

    O16 - DPF: {26E8361F-BCE7-4F75-A347-C:\Program Files\Alset\HelpExpress98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50038/QDow.cab

    O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} (SBFullS Control) - http://www.spyblast.com/download/SBFS.cab

    Then reboot and delete:
    C:\Program Files\Toolbar <= entire folder
    C:\Program Files\SuperBar <= entire folder
    C:\WINDOWS\mwsvm.exe
    C:\Program Files\AUTOUPDATER <= entire folder
    C:\Program Files\ClockSync <= entire folder
    C:\Program Files\Alset\HelpExpress <= entire folder
    C:\Program Files\couponsandoffers <= entire folder

    Then download a fresh copy of CWShredder run it and use the Fix button.

    Then reboot once more, run HijackThis and post the new log.

    Regards,

    Pieter
     
  11. CHIPPER

    CHIPPER Registered Member

    Joined:
    Jan 4, 2004
    Posts:
    8
    ogfile of HijackThis v1.97.7
    Scan saved at 2:26:37 PM, on 1/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\cisvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\svchost.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
    C:\Program Files\CallWave\IAM.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Alset\HelpExpress\DAD'S\HXIUL.EXE
    C:\Program Files\Alset\HelpExpress\DAD'S\Client\HELPEXP.EXE
    C:\Program Files\Alset\HelpExpress\DAD'S\Client\PrintMonitor.exe
    C:\WINDOWS\emsw.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Documents and Settings\DAD'S\Local Settings\Temp\Temporary Directory 8 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.netscape.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lookfor.cc/index.php?p=37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\DAD'S\HXIUL.EXE
    O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\DAD'S\Client\HelpExp.exe
    O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
    O4 - Startup: DESKTOP.lnk = ?
    O4 - Global Startup: DESKTOP.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B2940B9B-C5CE-442B-BA93-7227A41BB639}: NameServer = 209.124.193.250 209.124.203.12
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi CHIPPER,

    You seem to have found something new and kept something old everytime you come back. But it looks better then last time.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.lookfor.cc/index.php?p=37049

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50038

    O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe

    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\DAD'S\HXIUL.EXE
    O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\DAD'S\Client\HelpExp.exe
    O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe

    Then reboot and delete:
    C:\WINDOWS\emsw.exe
    C:\Program Files\Alset\HelpExpress <= entire folder

    And read this on how to prevent future infections: http://boards.cexx.org/viewtopic.php?t=957

    Regards,

    Pieter
     
  13. CHIPPER

    CHIPPER Registered Member

    Joined:
    Jan 4, 2004
    Posts:
    8
    Logfile of HijackThis v1.97.7
    Scan saved at 6:24:14 PM, on 1/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\cisvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\svchost.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
    C:\Program Files\CallWave\IAM.exe
    C:\Program Files\Alset\HelpExpress\DAD'S\HXIUL.EXE
    C:\Program Files\Alset\HelpExpress\DAD'S\Client\HELPEXP.EXE
    C:\Program Files\Alset\HelpExpress\DAD'S\Client\PrintMonitor.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\DAD'S\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe
    C:\WINDOWS\system32\cidaemon.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.netscape.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [sr1exe] "C:\Documents and Settings\All Users\Application Data\Dell\Alert\252\updtSup3.exe"
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\DAD'S\Client\HelpExp.exe
    O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Alset\HelpExpress\DAD'S\HXDL.EXE -silent
    O4 - Startup: DESKTOP.lnk = ?
    O4 - Global Startup: DESKTOP.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B2940B9B-C5CE-442B-BA93-7227A41BB639}: NameServer = 209.124.193.250 209.124.203.12

    MY ORIGINAL PROBLEM IS GONE BUT MAYBE I MISSED SOME FILES. THIS IS MY LATEST. THANKS A BUNCH.
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi CHIPPER,

    I am glad your problem is solved.:)

    Do you leave HelpExpress in there on purpose or does it return? It's your computer, so it's your choice. Just wondering.

    Regards,

    Pieter
     
  15. CHIPPER

    CHIPPER Registered Member

    Joined:
    Jan 4, 2004
    Posts:
    8
    I DON'T RECALL IF I TOOK OUT THE HELP EXPRESS OR NOT. I'LL MAKE A POINT TO TAKE IT OUT AGAIN AND SEE WHAT HAPPENS. AGAIN, THANK YOU VERY MUCH FOR THE HELP.
    CHIPPER
     
Thread Status:
Not open for further replies.