Help-get rid of 69.20.62.53/yyy3.html and hijackthis file

Discussion in 'adware, spyware & hijack cleaning' started by Prov31, May 28, 2004.

  1. Prov31

    Prov31 Registered Member

    Joined:
    May 28, 2004
    Posts:
    9
    I have spent two days cleaning up lots of spyware/adware, etc. I have run Ad-aware 6.0 and Spybot S&D, and Spy Sweeper. Most of the problems are gone. However, the IE browser window keeps trying to open the site: 69.20.62.53/yyy3.html and it pops up every few minutes. Also, when I restart the computer, it keeps trying to install something unknown. Thanks for your assistance! The HijackThis file is below:

    Logfile of HijackThis v1.97.7
    Scan saved at 9:16:16 PM, on 5/28/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\CTsvcCDA.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Pwrchute\ups.exe
    C:\Program Files\Common files\WinTools\WToolsS.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\System32\devldr32.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\WINNT\System32\qttask.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\CoffeeCup Software\Spam Blocker\SpamBlocker.exe
    C:\WINNT\GWMDMMSG.exe
    C:\Program Files\Common files\WinTools\WToolsA.exe
    C:\WINNT\System32\ffahfw.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\WINNT\System32\mscmgr.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINNT\System32\ctfmon.exe
    C:\Program Files\Common files\WinTools\WSup.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\QUICKENW\QWDLLS.EXE
    C:\Program Files\ScreenArt\WillowRd.exe
    C:\Program Files\Microsoft Office\Office10\msoffice.exe
    C:\Program Files\desktop weather\desktopweather_6444.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Kathie Diskin\Local Settings\Temp\Temporary Directory 1 for hijackthis1977[1].zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.gateway.net/
    O1 - Hosts: 207.36.196.189 auto.search.msn.com
    O1 - Hosts: 207.36.196.189 search.netscape.com
    O1 - Hosts: 207.36.196.189 ieautosearch
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CoffeeCup Spam Blocker] "C:\Program Files\CoffeeCup Software\Spam Blocker\SpamBlocker.exe" -min
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [fash] C:\WINNT\fash.exe
    O4 - HKLM\..\Run: [xtxltjzte] C:\WINNT\System32\ffahfw.exe
    O4 - HKCU\..\Run: [CoffeeCup Spam Blocker] "C:\Program Files\CoffeeCup Software\Spam Blocker\SpamBlocker.exe" -min
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
    O4 - Startup: desktop weather.lnk = C:\Program Files\desktop weather\desktopweather_6444.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: Exif Launcher.lnk = ?
    O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: MySoftware NewsFlash.lnk = C:\Program Files\Common Files\MySoftware\NewsFlsh.exe
    O4 - Global Startup: officejet 6100.lnk = ?
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: ScreenArt.lnk = C:\Program Files\ScreenArt\WillowRd.exe
    O4 - Global Startup: UPS Online PLD Reminder Utility.lnk = C:\UPS\UOWS\PldReminder.exe
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Hi Prov31,

    Have only HijackThis running and fix:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

    O1 - Hosts: 207.36.196.189 auto.search.msn.com
    O1 - Hosts: 207.36.196.189 search.netscape.com
    O1 - Hosts: 207.36.196.189 ieautosearch

    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [fash] C:\WINNT\fash.exe
    O4 - HKLM\..\Run: [xtxltjzte] C:\WINNT\System32\ffahfw.exe

    Restart PC after doing so in Safe Mode: Here's How and remove:

    C:\Program Files\Common files\WinTools\ <- this folder
    C:\WINNT\fash.exe <- this file
    C:\WINNT\System32\ffahfw.exe <- this file

    Clean temp internet files

    Restart again in normal mode

    Update XP and IE at windowsupdate.Com

    Hope this helps

    Cheers,
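Unzy's fix list above is an analyst's judgement; the rules behind it can be written down and run over a log before a human looks at it. The script below is an added example, not HijackThis code and not from this thread, that scores HijackThis v1.97 log lines with labelled heuristics reconstructed from the entries fixed here: hosts-file entries that send a hostname to a remote IP, toolbars with no file, Search Bar/Search Page overrides, and Run entries whose value name and file name are both random-looking or whose executable sits loose in the Windows root. The embedded sample log is a constructed subset of the first log; recognising known adware by name (WinTools) still needs a signature or a person.

```python
"""Triage heuristics for HijackThis v1.97-style log lines.

Added example for this thread, not part of HijackThis. Every rule is a
labelled heuristic reconstructed from the entries the helpers told the
poster to fix; it ranks lines for review rather than deciding for you.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    rule: str   # short rule name
    line: str   # the log line that triggered it


O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)$")
O3_RE = re.compile(r"^O3 - Toolbar: .+ - \{[0-9A-Fa-f-]{36}\} - (?P<file>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
R1_RE = re.compile(r"^R1 - HK(?:LM|CU)\\Software\\Microsoft\\Internet Explorer\\Main,"
                   r"(?P<key>Search Bar|Search Page) = (?P<url>.+)$")
# An executable sitting directly in the Windows root rather than in a subfolder.
WINROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\(?:WINNT|WINDOWS)\\[^\\]+\.exe$", re.IGNORECASE)
# First .exe in an O4 command, whether quoted, bare, or followed by switches.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)', re.IGNORECASE)

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
VOWELS = set("aeiouy")


def looks_random(text: str) -> bool:
    """Vowel-ratio heuristic: five or more letters with at most one vowel in five."""
    letters = [c for c in text.lower() if c.isalpha()]
    if len(letters) < 5:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) <= 0.2


def exe_from_command(cmd: str) -> str:
    """Pull the executable path out of an O4 command string."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def triage_line(line: str) -> List[Finding]:
    line = line.strip()
    out: List[Finding] = []
    if m := O1_RE.match(line):
        # A hosts entry pointing a hostname at a remote IP silently redirects it;
        # loopback entries are the ad-blocking kind and are left alone.
        if m.group("ip") not in LOOPBACK:
            out.append(Finding("hosts-redirect", line))
    elif m := O3_RE.match(line):
        if m.group("file") == "(no file)":
            out.append(Finding("orphan-toolbar", line))
    elif R1_RE.match(line):
        # Search Bar / Search Page overrides are how hijackers capture searches.
        out.append(Finding("search-override", line))
    elif m := O4_RE.match(line):
        path = exe_from_command(m.group("cmd"))
        stem = ntpath.basename(path).rsplit(".", 1)[0]
        name = m.group("name")
        # Random value name launching a random file name that does not match it.
        if looks_random(name) and looks_random(stem) and name.lower() != stem.lower():
            out.append(Finding("random-run-name", line))
        if WINROOT_EXE_RE.match(path):
            out.append(Finding("winroot-exe", line))
    return out


def triage_log(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in text.splitlines():
        findings.extend(triage_line(raw))
    return findings


# Constructed sample: a subset of the first log in the thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [fash] C:\WINNT\fash.exe
O4 - HKLM\..\Run: [xtxltjzte] C:\WINNT\System32\ffahfw.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.rule:16} {f.line}")
```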
     
  3. Prov31

    Prov31 Registered Member

    Joined:
    May 28, 2004
    Posts:
    9
    Dear Unzy--Thank You! I have been at this again for several hours. I followed your instructions and below is the newest HijackThis log. While I am typing this message to you, however, the same old 69.20.62.53/yyy3.html browser page pops up. Do you have any additional suggestions for me?

    The other problem (can it be related?) is that when I restart the computer and items are loading, I get a message box that says "Windows Installer" and it is working hard. This happens right after the Coffee Cup Spam Blocker loads and then the "Preparing Desktop Toolbar" box also appears. A message box then appears and says "Please wait while Windows configures Microsoft Office XP Pro". This installer appears each time I restart.

    Now I've been redirected to other sites 3 times just while typing this message. :'(

    I so appreciate your help and advice!

    Logfile of HijackThis v1.97.7
    Scan saved at 1:26:02 PM, on 5/29/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\System32\devldr32.exe
    C:\WINNT\System32\CTsvcCDA.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Pwrchute\ups.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\WINNT\System32\qttask.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\System32\mscmgr.exe
    C:\Program Files\CoffeeCup Software\Spam Blocker\SpamBlocker.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINNT\System32\ctfmon.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\QUICKENW\QWDLLS.EXE
    C:\Program Files\ScreenArt\WillowRd.exe
    C:\Program Files\desktop weather\desktopweather_6444.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Microsoft Office\Office10\msoffice.exe
    C:\WINNT\System32\msiexec.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Documents and Settings\Kathie Diskin\Desktop\hijackthis1977\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.gateway.net/
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CoffeeCup Spam Blocker] "C:\Program Files\CoffeeCup Software\Spam Blocker\SpamBlocker.exe" -min
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKCU\..\Run: [CoffeeCup Spam Blocker] "C:\Program Files\CoffeeCup Software\Spam Blocker\SpamBlocker.exe" -min
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
    O4 - Startup: desktop weather.lnk = C:\Program Files\desktop weather\desktopweather_6444.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: Exif Launcher.lnk = ?
    O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: officejet 6100.lnk = ?
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: ScreenArt.lnk = C:\Program Files\ScreenArt\WillowRd.exe
    O4 - Global Startup: UPS Online PLD Reminder Utility.lnk = C:\UPS\UOWS\PldReminder.exe
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Prov31,

    Do you have a program that guards your Startpage/internet settings?
    Yes you do: SpywareGuard. Did you allow the changes that Unzy advised you to make?

    Can you please update Windows and IE?


    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

    O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe

    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

    Then reboot and let us know how that goes?

    Regards,

    Pieter
     
  5. Prov31

    Prov31 Registered Member

    Joined:
    May 28, 2004
    Posts:
    9
    Hi Pieter (and Unzy), thank you for your response. I have spent HOURS trying to fix the problems (and not with much success). I am asking your assistance again. I downloaded the updates for Windows and IE. Ran Ad-aware and Spybot S&D again (they aren't finding anything at this point).

    I am still getting the browser problems: it gets redirected to 69.20.62.53/yyy3.html; zestyfind.com; and twain-tech items. Also, when I restart, it is still trying to install the item I described in the earlier post. Thank you very much for your efforts and assistance!

    Here is the latest hijackthis log:
    Logfile of HijackThis v1.97.7
    Scan saved at 11:17:34 PM, on 5/31/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\CTsvcCDA.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Pwrchute\ups.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\System32\devldr32.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\Program Files\CoffeeCup Software\Spam Blocker\SpamBlocker.exe
    C:\WINNT\System32\ctfmon.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\QUICKENW\QWDLLS.EXE
    C:\Program Files\ScreenArt\WillowRd.exe
    C:\Program Files\desktop weather\desktopweather_6444.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Kathie Diskin\Desktop\hijackthis1977\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.gateway.net/
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [CoffeeCup Spam Blocker] "C:\Program Files\CoffeeCup Software\Spam Blocker\SpamBlocker.exe" -min
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [MSN Manager] C:\WINNT\System32\mscmgr.exe
    O4 - HKCU\..\Run: [CoffeeCup Spam Blocker] "C:\Program Files\CoffeeCup Software\Spam Blocker\SpamBlocker.exe" -min
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
    O4 - Startup: desktop weather.lnk = C:\Program Files\desktop weather\desktopweather_6444.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: Exif Launcher.lnk = ?
    O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: officejet 6100.lnk = ?
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: ScreenArt.lnk = C:\Program Files\ScreenArt\WillowRd.exe
    O4 - Global Startup: UPS Online PLD Reminder Utility.lnk = C:\UPS\UOWS\PldReminder.exe
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38138.3708564815
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  6. Prov31

    Prov31 Registered Member

    Joined:
    May 28, 2004
    Posts:
    9
    Another quick thought: I just read an article about another problem that is happening: Spyware Guard keeps getting disabled on reboot. It suggested that the VX2 program be run. Below is the log for that. The HijackThis log was also just posted in my previous post. Thank you!

    log for VX2.BetterInternet File Finder

    Files Found---
    C:\WINNT\System32\3arargb.dll
    C:\WINNT\System32\3crsys.dll
    C:\WINNT\System32\3er.dll
    C:\WINNT\System32\3ersys.dll
    C:\WINNT\System32\3fr32.dll
    C:\WINNT\System32\3fr332.dll
    C:\WINNT\System32\3gr332.dll
    C:\WINNT\System32\3krargb.dll
    C:\WINNT\System32\3krrgb.dll
    C:\WINNT\System32\3mrargb.dll
    C:\WINNT\System32\3nr.dll
    C:\WINNT\System32\3orabgr.dll
    C:\WINNT\System32\3pr555.dll
    C:\WINNT\System32\3rr32.dll
    C:\WINNT\System32\3rr332.dll
    C:\WINNT\System32\3ur555.dll
    C:\WINNT\System32\3vr565.dll
    C:\WINNT\System32\3wr555.dll
    C:\WINNT\System32\3zr332.dll
    C:\WINNT\System32\3zrargb.dll


    Guardian Key--- is called: GuardianWMPXN
    Asynchronous 000
    DllName C:\WINNT\system32\3rr332.dll
    Impersonate 000
    Logon WinLogon
    Logoff WinLogoff
    Version 124
    ID {87BBFD65-59FA-4F1A-B67F-E3DBBAB100BD}
    IDex AX

    User Agent String---
    {87BBFD65-59FA-4F1A-B67F-E3DBBAB100BD}



     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Good thinking, Prov31. Now, stay off the net until all files are deleted (second reboot).

    Open VX2Finder again and click on the *click to find VX2.BetterInternet* button.

    Then select the *Delete these files* button.
    You will be left with a notice about one to be deleted on reboot.
    It will ask to reboot on deletion of the last file (do that).

    After that last file is gone go to
    Start > Run > type regedit > OK and navigate to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GuardianWMPXN

    (Note : the five letters in caps at the end may have changed [WMPXN] but it will still start with Guardian)

    Right click on the Guardiano_O?? key and select delete.
    Close Regedit.
    Reboot.

    Open VX2Finder again and select:
    User Agent$ > yes to confirm delete.
    and then
    Restore Policy

    Exit and reboot.

    Run Vx2Finder once more and click on the *click to find VX2.BetterInternet* button. Then click *make log*.
    Post it here with a fresh HijackThis log please.

    Regards,

    Pieter
     
  8. Prov31

    Prov31 Registered Member

    Joined:
    May 28, 2004
    Posts:
    9
    Thank you Pieter! I have followed your instructions and the logs are below. The program that was trying to install on reboot is gone. When I opened the IE browser, a message appeared that said "mscmgr.exe has experienced a problem and has to close"... and also the browser was trying to be redirected to burstnet.com. You are so kind to help me.

    Log for VX2.BetterInternet File Finder

    Files Found---


    Guardian Key--- is called:

    User Agent String---


    Logfile of HijackThis v1.97.7
    Scan saved at 8:51:34 AM, on 6/1/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\CTsvcCDA.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Pwrchute\ups.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\System32\mscmgr.exe
    C:\WINNT\System32\devldr32.exe
    C:\Program Files\CoffeeCup Software\Spam Blocker\SpamBlocker.exe
    C:\WINNT\System32\ctfmon.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\QUICKENW\QWDLLS.EXE
    C:\Program Files\ScreenArt\WillowRd.exe
    C:\Program Files\desktop weather\desktopweather_6444.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Documents and Settings\Kathie Diskin\Desktop\hijackthis1977\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.gateway.net/
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [CoffeeCup Spam Blocker] "C:\Program Files\CoffeeCup Software\Spam Blocker\SpamBlocker.exe" -min
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKCU\..\Run: [CoffeeCup Spam Blocker] "C:\Program Files\CoffeeCup Software\Spam Blocker\SpamBlocker.exe" -min
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
    O4 - Startup: desktop weather.lnk = C:\Program Files\desktop weather\desktopweather_6444.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: Exif Launcher.lnk = ?
    O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: officejet 6100.lnk = ?
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: ScreenArt.lnk = C:\Program Files\ScreenArt\WillowRd.exe
    O4 - Global Startup: UPS Online PLD Reminder Utility.lnk = C:\UPS\UOWS\PldReminder.exe
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38138.3708564815
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Prov31,

    Your logs are clean now. Great job. :cool:

    The error looks to be related to this entry you had at first.
    I am not sure what it was supposed to do and why it is no longer in your last log.
    O4 - HKLM\..\Run: [MSN Manager] C:\WINNT\System32\mscmgr.exe

    Can you see if mscmgr.exe is still present and check under Properties > version tab what it has to say about itself?

    Regards,

    Pieter
     
  10. Prov31

    Prov31 Registered Member

    Joined:
    May 28, 2004
    Posts:
    9
    Hi Pieter, thank you for your quick response! The mscmgr.exe properties just say that it is an application and that it was installed on Friday, May 28... it is nothing that I intentionally installed. I have posted a new log below and it does appear on that. Many thanks again.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:46:51 AM, on 6/1/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\CTsvcCDA.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Pwrchute\ups.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\System32\devldr32.exe
    C:\Program Files\CoffeeCup Software\Spam Blocker\SpamBlocker.exe
    C:\WINNT\System32\ctfmon.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\QUICKENW\QWDLLS.EXE
    C:\Program Files\ScreenArt\WillowRd.exe
    C:\Program Files\desktop weather\desktopweather_6444.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Kathie Diskin\Desktop\hijackthis1977\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.gateway.net/
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [CoffeeCup Spam Blocker] "C:\Program Files\CoffeeCup Software\Spam Blocker\SpamBlocker.exe" -min
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [MSN Manager] C:\WINNT\System32\mscmgr.exe
    O4 - HKCU\..\Run: [CoffeeCup Spam Blocker] "C:\Program Files\CoffeeCup Software\Spam Blocker\SpamBlocker.exe" -min
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
    O4 - Startup: desktop weather.lnk = C:\Program Files\desktop weather\desktopweather_6444.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: Exif Launcher.lnk = ?
    O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: officejet 6100.lnk = ?
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: ScreenArt.lnk = C:\Program Files\ScreenArt\WillowRd.exe
    O4 - Global Startup: UPS Online PLD Reminder Utility.lnk = C:\UPS\UOWS\PldReminder.exe
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38138.3708564815
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    If you did not invite it, fix this line:
    O4 - HKLM\..\Run: [MSN Manager] C:\WINNT\System32\mscmgr.exe

    Zip up the file and mail it to the address in my profile please.

    Regards,

    Pieter
     
  12. Prov31

    Prov31 Registered Member

    Joined:
    May 28, 2004
    Posts:
    9
    Hi Pieter, I would be happy to send this to you--I'm not as savvy as you are. What is the best way to find this file and save it to send to you? I have learned a lot in the last week about adware and spyware (unfortunately).

    I am assuming that I should remove the line after opening up hijackthis--but do I do this after or before I save it for you? Sorry for the questions, I don't want to make a mistake at this point.

    Again, I cannot thank you enough for all of your help. Is this something that you do for fun--or is this your job? There are thousands of us out here that are benefiting from your knowledge. Thanks for sharing.
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Prov31,

    My job is much more boring I'm afraid. ;)

    It doesn't matter if you Fix the line first. HijackThis does not remove those files.

    To make a zip file is easy for XP: right-click an empty space in an Explorer window, choose New and choose Compressed file.
    Name it whatever.zip (as long as the name ends with .zip it's OK)
    Then you can copy and paste the file I requested into that zip file.
    How to mail attachments

    Regards,

    Pieter
     
  14. Prov31

    Prov31 Registered Member

    Joined:
    May 28, 2004
    Posts:
    9
    Hello Pieter,

    Well, the mscmgr.exe seems to be a mystery. Now it doesn't show up in the HijackThis log, or in the winnt/sys32 file. I haven't removed it manually yet, but it did disappear and reappear in the logs before. I'm not sure exactly what to do at this point about that issue.

    As I ran another HijackThis log, I noticed some new entries at the bottom. Would you mind looking at the last O16 lines and tell me if they are OK?

    Thank you very much (again).

    Logfile of HijackThis v1.97.7
    Scan saved at 8:00:39 AM, on 6/2/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\CTsvcCDA.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Pwrchute\ups.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\WINNT\System32\devldr32.exe
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\System32\mscmgr.exe
    C:\Program Files\CoffeeCup Software\Spam Blocker\SpamBlocker.exe
    C:\WINNT\System32\ctfmon.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\QUICKENW\QWDLLS.EXE
    C:\Program Files\ScreenArt\WillowRd.exe
    C:\Program Files\desktop weather\desktopweather_6444.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Microsoft Office\Office10\msoffice.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Documents and Settings\Kathie Diskin\Desktop\hijackthis1977\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.gateway.net/
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [CoffeeCup Spam Blocker] "C:\Program Files\CoffeeCup Software\Spam Blocker\SpamBlocker.exe" -min
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKCU\..\Run: [CoffeeCup Spam Blocker] "C:\Program Files\CoffeeCup Software\Spam Blocker\SpamBlocker.exe" -min
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
    O4 - Startup: desktop weather.lnk = C:\Program Files\desktop weather\desktopweather_6444.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
    O4 - Global Startup: Exif Launcher.lnk = ?
    O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: officejet 6100.lnk = ?
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
    O4 - Global Startup: ScreenArt.lnk = C:\Program Files\ScreenArt\WillowRd.exe
    O4 - Global Startup: UPS Online PLD Reminder Utility.lnk = C:\UPS\UOWS\PldReminder.exe
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {3CC943C7-3C99-11D4-8135-0050041A5144} (RunExeActiveX.UserControl1) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38138.3708564815
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
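    Both open questions in this thread, why the [MSN Manager] Run entry is absent from one log and present in the next (post 9) and whether the O16 lines that appeared at the bottom of the 6/2 log are new (post 14), come down to comparing successive HijackThis logs. The script below is an added example, not part of HijackThis or of any post here: its log excerpts are constructed from the logs Prov31 posted, trimmed to the relevant lines, and the `unanchored_processes` helper is my own heuristic, not a HijackThis feature.

```python
"""Diff HijackThis logs from successive scans and flag running processes
that have no O4 autostart entry (the mscmgr.exe pattern in this thread).

Added example for this thread, not part of HijackThis or of the posts above.
The log excerpts are constructed from the 6/1 and 6/2 logs Prov31 posted,
trimmed to the lines that matter for the comparison.
"""
import ntpath
import re

# HijackThis item lines begin with a section code such as R0, O2, O4 or O16.
ITEM_RE = re.compile(r"^(?:R\d|O\d{1,2}) - ")

# Constructed excerpt shared by all three scans (process list plus O4 lines).
BASE = r"""Running processes:
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\mscmgr.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
"""
BHO = "O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\\Program Files\\SpywareGuard\\dlprotect.dll\n"
MSN = "O4 - HKLM\\..\\Run: [MSN Manager] C:\\WINNT\\System32\\mscmgr.exe\n"
HCP = ("O16 - DPF: {3CC943C7-3C99-11D4-8135-0050041A5144} (RunExeActiveX.UserControl1) - hcp://system/RunExeActiveX.CAB\n"
       "O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB\n")

LOG_0601_0851 = BASE                  # mscmgr.exe running, no Run entry
LOG_0601_0946 = BASE + BHO + MSN      # [MSN Manager] Run entry present
LOG_0602_0800 = BASE + BHO + HCP      # Run entry gone again, two new O16 lines


def parse_log(text):
    """Split a HijackThis log into its running-process list and its item lines."""
    processes, items, in_procs = [], set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Running processes:"):
            in_procs = True
        elif not line:
            in_procs = False          # a blank line closes the process block
        elif in_procs:
            processes.append(line)
        elif ITEM_RE.match(line):
            items.add(line)
    return {"processes": processes, "items": items}


def diff_logs(old_text, new_text):
    """Item lines that appeared in, or vanished from, the newer scan."""
    old, new = parse_log(old_text)["items"], parse_log(new_text)["items"]
    return {"added": sorted(new - old), "removed": sorted(old - new)}


def unanchored_processes(text):
    """Running executables whose file name is not named in any O4 entry.

    Services and shell components normally have no O4 line either, so treat
    this as a list of processes worth a closer look, not as a verdict.
    """
    log = parse_log(text)
    o4 = " ".join(i.lower() for i in log["items"] if i.startswith("O4 - "))
    return [p for p in log["processes"] if ntpath.basename(p).lower() not in o4]


if __name__ == "__main__":
    for name, (a, b) in {"8:51 -> 9:46": (LOG_0601_0851, LOG_0601_0946),
                         "9:46 -> 6/2": (LOG_0601_0946, LOG_0602_0800)}.items():
        print(name, diff_logs(a, b))
    print("running without an O4 entry on 6/2:", unanchored_processes(LOG_0602_0800))
```

    Run against the full logs, the first diff reports the [MSN Manager] line and the SpywareGuard BHO as new, the second reports the [MSN Manager] line as removed and the two hcp:// O16 lines as added, while mscmgr.exe stays in the process list without any autostart entry.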
     
  15. Prov31

    Prov31 Registered Member

    Joined:
    May 28, 2004
    Posts:
    9
    Pieter, now I'm feeling silly--as soon as I posted I saw the mscmgr line in the log...I looked several times. But I still can't find it in the computer anywhere.
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Let's take more drastic measures.

    Surf to http://download.broadbandmedic.com/ and download the Killbox.
    Run the program and copy & paste this in the dialog Window:
    C:\WINNT\System32\mscmgr.exe
    Then click the Kill file button. Confirm and Exit.
    Then check in C:\!Submit\[Dated today] if you find a copy of our mysterious friend.

    Regards,

    Pieter
     