Help please, IE hijacked.

Discussion in 'adware, spyware & hijack cleaning' started by P-51, Jan 29, 2004.

Thread Status:
Not open for further replies.
  1. P-51

    P-51 Guest

    Ok guys, hope you can help because I've been fighting this for almost a month. Something invaded my computer, and the usual anti-virus programs haven't been able to fix it. I bought and ran Norton anti-virus, and it found:

    Trojan.Digits
    Adware.Istbar
    Adware.Binet
    Dialer.Crosskirk

    That fixed a lot of the problems, I also had to manually delete a couple other programs that got installed...

    But I'm still left with a hijacke browser. My homepage keeps changing, I can't stop it. Also, I get a bunch of favorites I don't want and can't get rid of.

    I'm running Windows XP, and whenever I try to log off, I get a window pops up saying the software "WinMin" is running, and do I want to shut it down. I don't know if that's related, but it only started happening when I was attacked.

    I've also run AdAware and Spybot, which cleaned up some more junk but still didn't fix the problem.

    Here's my log. I already know which lines are bad... cause teenhqpics.com is the website that my homepage keeps setting to.

    Logfile of HijackThis v1.97.7
    Scan saved at 8:44:45 PM, on 29/01/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\palm\HOTSYNC.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Robert\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://omega-search.com/panel_search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://teenhqpics.com/?homepage.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://teenhqpics.com/?homepage.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://omega-search.com/panel_search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Sympatico
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://teenhqpics.com/?homepage.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.trytechnical.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.trytechnical.com/
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Robert\Application Data\Mozilla\Profiles\default\9zaopmix.slt\prefs.js)
    O1 - Hosts: 69.56.223.196 t.rack.cc
    O1 - Hosts: 69.56.223.196 www.alfa-search.com
    O1 - Hosts: 69.56.223.196 webcoolsearch.com
    O1 - Hosts: 69.56.223.196 in.webcounter.cc
    O1 - Hosts: 69.56.223.196 i-lookup.com
    O1 - Hosts: 69.56.223.196 www.hand-book.com
    O1 - Hosts: 69.56.223.196 www.maxxxhosters.com
    O1 - Hosts: 69.56.223.196 allneedsearch.com
    O1 - Hosts: 69.56.223.196 nativehardcore.com
    O1 - Hosts: 69.56.223.196 teen-biz.com
    O1 - Hosts: 69.56.223.196 tits.hardcore4ever.net
    O1 - Hosts: 69.56.223.196 best.royalsearch.net
    O1 - Hosts: 69.56.223.196 default-homepage-network.com
    O1 - Hosts: 69.56.223.196 xwebsearch.biz
    O1 - Hosts: 69.56.223.196 www.rightfinder.net
    O1 - Hosts: 69.56.223.196 www.search-1.net
    O1 - Hosts: 69.56.223.196 www.searchv.com
    O1 - Hosts: 69.56.223.196 www.websearch.com
    O1 - Hosts: 69.56.223.196 mysearchnow.com
    O1 - Hosts: 69.56.223.196 www.therealsearch.com
    O1 - Hosts: 69.56.223.196 www.find-itnow.com
    O1 - Hosts: 69.56.223.196 find.microgirls.com
    O1 - Hosts: 69.56.223.196 super-spider.com
    O1 - Hosts: 69.56.223.196 www.searching-the-net.com
    O1 - Hosts: 69.56.223.196 www.firstbookmark.com
    O1 - Hosts: 69.56.223.196 just.find-itnow.com
    O1 - Hosts: 69.56.223.196 www.find-itnow.com
    O1 - Hosts: 69.56.223.196 qwertysearch123.biz
    O1 - Hosts: 69.56.223.196 www.search-space.com
    O1 - Hosts: 69.56.223.196 www.windowws.cc
    O1 - Hosts: 69.56.223.196 aifind.info
    O1 - Hosts: 69.56.223.196 www.find4u.net
    O1 - Hosts: 69.56.223.196 www.lookfor.cc
    O1 - Hosts: 69.56.223.196 www.008i.com
    O1 - Hosts: 69.56.223.196 www.viewpornkey.com
    O1 - Hosts: 69.56.223.196 www.hugesearch.net
    O1 - Hosts: 69.56.223.196 www.novafuck.com
    O1 - Hosts: 69.56.223.196 www.seznam.cz
    O1 - Hosts: 69.56.223.196 aifind.cc
    O1 - Hosts: 69.56.223.196 www.onet.pl
    O1 - Hosts: 69.56.223.196 teenhqpics.com
    O1 - Hosts: 69.56.223.196 www.ttjj.com
    O1 - Hosts: 69.56.223.196 www.search-dot.com
    O1 - Hosts: 69.56.223.196 www.search-and-go.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palm\HOTSYNC.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: winlogon.exe
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O15 - Trusted Zone: *.teensguru.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{37DFF07C-3947-4E2B-A7B8-7ABA54FBF513}: NameServer = 207.236.176.13 206.47.244.12
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi P-51 :)

    Welcome to Wilders.

    Could u please download and run CWShredder at this link,

    http://www.merijn.org/files/CWShredder.exe


    then post a fresh HJT log.




    snowbound
     
  3. P-51

    P-51 Guest

    What is that program?
     
  4. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    U have several variants of CoolWebSearch hijacker in your log.

    When u install CWShredder and run it, it will remove anything associated with CoolWebSearch.





    snowbound
     
  5. P-51

    P-51 Guest

    Yay! I think that did it! 1 billion thanks! :D

    Logfile of HijackThis v1.97.7
    Scan saved at 10:07:18 PM, on 29/01/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\palm\HOTSYNC.EXE
    C:\Documents and Settings\Robert\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Sympatico
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Robert\Application Data\Mozilla\Profiles\default\9zaopmix.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palm\HOTSYNC.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{37DFF07C-3947-4E2B-A7B8-7ABA54FBF513}: NameServer = 207.236.176.13 206.47.244.12
     
  6. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Your log looks much better. :)

    I still see some suspicious entries in your log but i do not have enough experience with HJT to advise u any further.

    Just be patient and one of the experts will be along to give u further recommendations.





    snowbound
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi P-51,

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    O4 - Startup: PowerReg Scheduler V3.exe

    Then reboot.

    Regards,

    Pieter
     
  8. P-51

    P-51 Guest

    OK, I did those other two lines, is there anything else?

    I noticed my wife's account (Win XP) still has a ton of bookmarks that shouldn't be there. I'm gonna go ahead and run CWSShredder out of her account. Any other ideas than deleting them manually? I was expecting they would disappear like they did in my account after running CWSShredder.

    Logfile of HijackThis v1.97.7
    Scan saved at 8:27:17 AM, on 31/01/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\palm\HOTSYNC.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Robert\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.focaljet.com/ubbthreads/ubbthreads.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Sympatico
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Robert\Application Data\Mozilla\Profiles\default\9zaopmix.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palm\HOTSYNC.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi P-51,

    The log looks good now.
    You can try if AdAware removes the offending bookmarks.
    Under Settings (Gearbox icon) > Scanning set the option in the screenshot.

    Regards,

    Pieter
     

    Attached Files:

  10. P-51

    P-51 Guest

    No, I already tried Adaware, and it didn't.

    I just ran CWSShredder in under my wife's account, and the guest account, and in both cases if found some infected IE files and cleaned them. That got rid of all but two bookmarks, which I then deleted manually. It appears that there are some seperate files or something setup for different accounts in WinXP, and you have to got through them from each account. Maybe CWSShredder wasn't programmed with WinXP in mind.

    In any case, it's all good now. Thanks again for the help. This place is awesome. I'm so glad that there are some "hackers" on the good side!

    I'm shocked that I payed a lot of money for Norton Antivirus, and it couldn't fix all this yet all these sharewares work well. For all the money they make, Symantec should pay the programmers of these sharewares and include them as modules in their system.
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi P-51,

    You struck the exact reason why we preach "layered defense."

    Please read this on how to prevent future infections:
    http://www.computercops.biz/postt7736.html

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.