Help with log Please

Discussion in 'adware, spyware & hijack cleaning' started by Bojo, Mar 16, 2004.

Thread Status:
Not open for further replies.
  1. Bojo

    Bojo Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    7
    Here is my log what do i nessd to remove?

    Logfile of HijackThis v1.97.7
    Scan saved at 10:11:25 PM, on 3/16/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\RIPPopUps\RIPPopUps.exe
    C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE
    C:\Program Files\Creative\ShareDLL\Mediadet.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Kazaa Lite\kazaalite.kpp
    C:\WINDOWS\r4E0cE53Y.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\Program Files\Media\Media\updatestats.exe
    C:\Program Files\Common files\updater\wupdater.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
    C:\Documents and Settings\Bojo\Desktop\HijackThis.exe
    C:\Sierra\Hoyle Casino 2001\Hoyle Casino.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
    O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\edhHjU2.dll
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {78F20000-5AC9-4758-9804-E6AE3968FFBF} - C:\WINDOWS\atK2ZRH.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: RIP Pop-Ups - {c1d05a96-fea8-4d7c-927c-1b1dc57b5ab6} - C:\WINDOWS\System32\mscoree.dll
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\Epson\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [NewsUpd] C:\Program Files\Creative\News\NewsUpd.EXE /q
    O4 - HKLM\..\Run: [RIPPopUps] C:\Program Files\RIPPopUps\RIPPopUps.exe
    O4 - HKLM\..\Run: [fK6SY] C:\WINDOWS\r4E0cE53Y.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE"
    O4 - HKCU\..\Run: [Communicator] C:\Program Files\Lilo & Stitch Fun Pak\Communicator.exe
    O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Bojo\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Central"
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {65B818E1-F4D8-4F96-A1DF-35F3D1C86194} (limmyloding.limmyform) - http://bins.roings.com/mp3.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37782.6548148148
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    thank you
     
    Bojo, Mar 16, 2004
    #1
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Bojo,

    Before you start, please unzip hijackthis to a separate folder. The program will make backups in the folder in the folder it's in.
    That will mess up your desktop.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
    O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\edhHjU2.dll
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {78F20000-5AC9-4758-9804-E6AE3968FFBF} - C:\WINDOWS\atK2ZRH.dll

    O4 - HKLM\..\Run: [fK6SY] C:\WINDOWS\r4E0cE53Y.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

    O16 - DPF: {65B818E1-F4D8-4F96-A1DF-35F3D1C86194} (limmyloding.limmyform) - http://bins.roings.com/mp3.cab

    Then reboot and delete:
    C:\Program Files\Common files\updater <= entire folder
    C:\Program Files\Media\Media <= entire folder
    C:\Program Files\Power Scan <= entire folder
    C:\Program Files\Internet Optimizer <= entire folder
    C:\WINDOWS\r4E0cE53Y.exe
    C:\Program Files\INCREDIFIND <= entire folder

    Regards,

    Pieter
     
    Pieter_Arntz, Mar 17, 2004
    #2
  3. Bojo

    Bojo Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    7
    Here is my log now is there any thing I've missed?

    Logfile of HijackThis v1.97.7
    Scan saved at 4:03:38 PM, on 3/17/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\RIPPopUps\RIPPopUps.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\ClearSearch\Loader.exe
    C:\WINDOWS\System32\dp-k13w13.exe
    C:\WINDOWS\uptodate.exe
    C:\Program Files\Creative\ShareDLL\Mediadet.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Save\Save.exe
    C:\Program Files\AutoUpdate\AutoUpdate.exe
    C:\WINDOWS\system32\pcs\pcsvc.exe
    C:\Program Files\Common Files\Dpi\dpi.exe
    C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE
    C:\PROGRA~1\ezula\mmod.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\WINDOWS\System32\ZtjNI3.exe
    C:\WINDOWS\System32\ZtjNI3.exe
    C:\Program Files\SysAI\SysAI.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\mobsync.exe
    C:\Documents and Settings\Bojo\Desktop\Hi-Jack\HijackThis\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startium.com/metasearch.php?dst=DIST1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: RIP Pop-Ups - {c1d05a96-fea8-4d7c-927c-1b1dc57b5ab6} - C:\WINDOWS\System32\mscoree.dll
    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\Epson\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [NewsUpd] C:\Program Files\Creative\News\NewsUpd.EXE /q
    O4 - HKLM\..\Run: [RIPPopUps] C:\Program Files\RIPPopUps\RIPPopUps.exe
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-k13w13.exe
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
    O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
    O4 - HKLM\..\Run: [4S4EA@Z52969KX] C:\WINDOWS\System32\VxeUwT.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE"
    O4 - HKCU\..\Run: [Communicator] C:\Program Files\Lilo & Stitch Fun Pak\Communicator.exe
    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
    O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Bojo\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Central"
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37782.6548148148
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9D5807FF-6A6F-4C60-9D0F-AC9B007C5729}: NameServer = 209.226.175.223 198.235.216.111

    Thanks Bojo
     
    Bojo, Mar 17, 2004
    #3
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Bojo,

    Did you install some new ones? o_O

    First try to remove SaveNow aka WhenUSave aka Save! in Add/Remove software. Either way continue with what's below.

    Download and run: http://www.memorywatcher.com/uninst.exe
    The program needs internet access to finish.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startium.com/metasearch.php?dst=DIST1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll

    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINDOWS\System32\stlbdist.DLL

    O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\System32\stlbdist.DLL

    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
    O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-k13w13.exe
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
    O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
    O4 - HKLM\..\Run: [4S4EA@Z52969KX] C:\WINDOWS\System32\VxeUwT.exe
    O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe

    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe

    Then reboot and delete:
    C:\WINDOWS\System32\stlbdist.DLL
    C:\Program Files\ClearSearch <= entire folder
    C:\WINDOWS\System32\dp-k13w13.exe
    C:\WINDOWS\uptodate.exe
    C:\Program Files\AutoUpdate <= entire folder
    C:\WINDOWS\system32\pcs <= entire folder
    C:\Program Files\Common Files\Dpi <= entire folder

    Read this on how to minimize the risk of infection: http://boards.cexx.org/viewtopic.php?t=957.

    Regards,

    Pieter
     
    Pieter_Arntz, Mar 18, 2004
    #4
  5. Bojo

    Bojo Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    7
    here is my log now. I hope everything 's good .
    I read the info from the link on your last post and did as it said .

    thanks for all the help Pieter

    Logfile of HijackThis v1.97.7
    Scan saved at 5:54:45 PM, on 3/18/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\RIPPopUps\RIPPopUps.exe
    C:\Program Files\Creative\ShareDLL\Mediadet.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\KecHdTWf.exe
    C:\WINDOWS\System32\DkjuDHq.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Bojo\Desktop\Hi-Jack\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca.yahoo.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: RIP Pop-Ups - {c1d05a96-fea8-4d7c-927c-1b1dc57b5ab6} - C:\WINDOWS\System32\mscoree.dll
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\Epson\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [NewsUpd] C:\Program Files\Creative\News\NewsUpd.EXE /q
    O4 - HKLM\..\Run: [RIPPopUps] C:\Program Files\RIPPopUps\RIPPopUps.exe
    O4 - HKLM\..\Run: [4S4EA@Z52969KX] C:\WINDOWS\System32\VxeUwT.exe
    O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE"
    O4 - HKCU\..\Run: [Communicator] C:\Program Files\Lilo & Stitch Fun Pak\Communicator.exe
    O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\Bojo\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Central"
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37782.6548148148
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9D5807FF-6A6F-4C60-9D0F-AC9B007C5729}: NameServer = 209.226.175.223 198.235.216.111

    thanks again Bojo
     
    Bojo, Mar 18, 2004
    #5
  6. Shadowwar

    Shadowwar Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    305
    You need to re run this uninstall. MAke sure to let it have internet access to work.

    Download and run: http://www.memorywatcher.com/uninst.exe
    The program needs internet access to finish.
     
    Shadowwar, Mar 18, 2004
    #6
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...