Hello Doc! could you give my log the once over

Discussion in 'adware, spyware & hijack cleaning' started by Moschops, May 2, 2004.

Thread Status:
Not open for further replies.
  1. Moschops

    Moschops Registered Member

    Joined:
    May 2, 2004
    Posts:
    6
    I'm pretty sure I've got some lurkers here, but I'm sure you'll know whats really up.

    first off, i used Ad Aware, found and removed some Trojans ( then i used the Hijack this tool -
    here's the results...





    Logfile of HijackThis v1.97.7
    Scan saved at 11:20:07 PM, on 2/05/2004
    Platform: Windows 2000 SP1 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\Tablet.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\System32\devldr32.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
    C:\WINNT\MXOaldr.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\winnt\temp\VEyuBi.exe
    C:\WINNT\System32\RunDLL32.exe
    C:\WINNT\system32\WTablet\TabUserW.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\3_Software\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe /waitservice
    O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
    O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINNT\MXOaldr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
    O4 - HKLM\..\Run: [VEyuBi] C:\winnt\temp\VEyuBi.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\WTablet\TabUserW.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash3/cabs/swflash.cab


    any "brad pitts" hiding here?

    Thanks for the help everyone
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi Moschops,

    Welcome to Wilders.

    Before you start, please unzip or move HijackThis to a separate folder of its own. The program will make backups in the folder it's in. These easily get lost in a temporary folder or a folder with other programs.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R3 - Default URLSearchHook is missing

    O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
    O4 - HKLM\..\Run: [VEyuBi] C:\winnt\temp\VEyuBi.exe

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

    Download CWShredder and run. Be sure ALL other windows are closed and use the Fix button and follow the instructions you will receive.

    There also may be hidden files. See HERE for how to show hidden files.

    Then reboot into safe mode and delete:

    C:\winnt\temp\ <-- Delete EVERYTHING inside of this folder.

    Reboot and then post a fresh HijackThis log.

    Regards,
    Kent
     
  3. Moschops

    Moschops Registered Member

    Joined:
    May 2, 2004
    Posts:
    6
    thanks Puff
    heres the latest

    Logfile of HijackThis v1.97.7
    Scan saved at 11:21:44 AM, on 3/05/2004
    Platform: Windows 2000 SP1 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\Tablet.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\System32\devldr32.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
    C:\WINNT\MXOaldr.exe
    C:\WINNT\System32\RunDLL32.exe
    C:\WINNT\system32\WTablet\TabUserW.exe
    C:\3_Software\Hijack this\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
     
  4. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi Moschops,

    Please post your entire HJT log ;) .

    Regards,
    Kent
     
  5. Moschops

    Moschops Registered Member

    Joined:
    May 2, 2004
    Posts:
    6
    sorry

    Logfile of HijackThis v1.97.7
    Scan saved at 11:50:44 AM, on 3/05/2004
    Platform: Windows 2000 SP1 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\Tablet.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\System32\devldr32.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
    C:\WINNT\MXOaldr.exe
    C:\WINNT\System32\RunDLL32.exe
    C:\WINNT\system32\WTablet\TabUserW.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\3_Software\Hijack this\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe /waitservice
    O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
    O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINNT\MXOaldr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\WTablet\TabUserW.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash3/cabs/swflash.cab
     
  6. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi Moschops,

    Your log looks clean now so hopefully your problems are fixed.

    Regards,
    Kent
     
  7. Moschops

    Moschops Registered Member

    Joined:
    May 2, 2004
    Posts:
    6
    Thanks very much Puff,

    before this log, I also discovered and removed four files in my system32 folder two of which were just called "o" and "o.bat", and two exe files which looked suspicious (sorry, i forgot to write them down :p ) but I'd recommend to anyone reading this to also go into your system32 folder (with caution of course) - note down any suspicious exe files then do a websearch for them, chances are they've cropped up in other forums. Then post your findings here,
    (i did search here first but found nuttin')

    anyway, thanks guys, i hope I won't have to pop by again for a while, but you're definitely bus-stop number one for my friends,
    respect
     
  8. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi Moschops,

    I am just glad to be of help ;) .

    Regards,
    Kent
     
  9. Moschops

    Moschops Registered Member

    Joined:
    May 2, 2004
    Posts:
    6
    attacked again

    here's the latest log, er... what are my chances doc?

    Logfile of HijackThis v1.97.7
    Scan saved at 11:04:55 AM, on 4/05/2004
    Platform: Windows 2000 SP1 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\Tablet.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\System32\devldr32.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
    C:\WINNT\MXOaldr.exe
    C:\WINNT\System32\RunDLL32.exe
    C:\WINNT\system32\WTablet\TabUserW.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\3_Software\Hijack this\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe /waitservice
    O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
    O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINNT\MXOaldr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\WTablet\TabUserW.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash3/cabs/swflash.cab

    :(
     
  10. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Moschops,

    I have merged your most recent log with this thread so it will be easier for the those helping you to see what has already been done.

    Please keep all replies in this current thread until your computer is clean. Thank you.

    Regards,

    snap
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Re: attacked again

    Hi Moschops,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:


    O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe

    O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe

    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab

    Then reboot and follow instructions here:
    https://www.wilderssecurity.com/showthread.php?t=28027

    Regards,

    Pieter
     
  12. Moschops

    Moschops Registered Member

    Joined:
    May 2, 2004
    Posts:
    6
    Thank you Pieter,
    i didn't bother reinstalling media player, - barely use it
    Here's my latest log file,

    Logfile of HijackThis v1.97.7
    Scan saved at 11:37:05 PM, on 4/05/2004
    Platform: Windows 2000 SP1 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\Tablet.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\System32\devldr32.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
    C:\WINNT\MXOaldr.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\WINNT\System32\RunDLL32.exe
    C:\WINNT\system32\WTablet\TabUserW.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\3_Software\Hijack this\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe /waitservice
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
    O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINNT\MXOaldr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINNT\system32\WTablet\TabUserW.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash3/cabs/swflash.cab


    the plan is.....will be moving soon, will build a new machine dedicated to web surfing, e-mailing, playing music etc etc....and reinstall windows on this machine, without any connection to the web whatsoever, then I may feel that my "great werks" will be free free free
    - just for my sanity of course *puppy*

    thanks guys, you're angels of mercy
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    It looks like this one survived or came back:
    O4 - HKLM\..\Run: [mswspl] C:\Program Files\Windows Media Player\wmplayer.exe

    Try fixing it again and check if it stays away.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.