Help with resistant spyware, follow-up (merged)

Discussion in 'adware, spyware & hijack cleaning' started by mbramble, May 28, 2004.

Thread Status:
Not open for further replies.
  1. mbramble

    mbramble Registered Member

    Joined:
    May 28, 2004
    Posts:
    5
    Help with resistant spyware

I've been trying for about 3 weeks now to get rid of spyware that my daughter brought into my clean system. I was not keeping up with security updates, because I was very careful about file sharing, etc.
    Anyhow,
    I've been repeatedly running adaware, spybotSD and CW shredder, but with no good results.
I also cannot download the MS service pack. Although no other programs are running, as far as I can tell, the download wizard tells me that the following file is in use by another program:
    c:\program files\common files\ole dp\msdasql.dll

    I've run HijackThis, and I hope that someone can help me with deleting unwanted files.
    I've pasted the log file below.
    Thanks very much in advance for any help.

    Matt Bramble.

    Logfile of HijackThis v1.97.7
    Scan saved at 10:05:50 AM, on 5/28/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Winamp3\winampa.exe
    C:\WINDOWS\System32\SVCHST.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    C:\windows\temp\U.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\wcpsvit.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Matt\Desktop\HijackThis.exe

    R3 - Default URLSearchHook is missing
    F0 - syst>m.ini: Shell=
    F0 - R >ystem.ini: Shel>=
    F0 - R >ystem.ini: UserInit=
    N2 - Netscape 6: user_pref("browser.startup.homepage", "google.com"); (C:\Documents and Settings\Matt\Application Data\Mozilla\Profiles\default\fvc3jabk.slt\prefs.js)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Matt\Application Data\Mozilla\Profiles\default\fvc3jabk.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53A1E0E4-DCD1-4E1A-869D-EE6E81C3BBC3} - C:\WINDOWS\System32\hnpamja.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [LimeShop] javaw -cp "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"
    O4 - HKLM\..\Run: [Winsock2 drivers] SVCHST.EXE
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: C:\windows\temp\U.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpsvit.exe
    O4 - HKCU\..\RunOnce: [Winsock2 drivers] SVCHST.EXE
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O12 - Plugin for .mol: C:\Program Files\Internet Explorer\PLUGINS\npchime.dll
    O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\PLUGINS\npchime.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\PLUGINS\npchime.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11ead797c43a7e900206/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38028.2835069444
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A8597D2B-975E-4FA1-B2D2-E5B4BC6DDC68}: NameServer = 151.164.20.201 151.164.11.201
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Re: Help with resistant spyware

    Hi mbramble,

    All it takes nowadays is to be online without a firewall and current updates.

Before you start, please move hijackthis.exe to a separate folder. The program will make backups in the folder it's in.
    These would now end up on your desktop.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R3 - Default URLSearchHook is missing
    F0 - syst>m.ini: Shell=
    F0 - R >ystem.ini: Shel>=
    F0 - R >ystem.ini: UserInit=

    O2 - BHO: (no name) - {53A1E0E4-DCD1-4E1A-869D-EE6E81C3BBC3} - C:\WINDOWS\System32\hnpamja.dll

    O4 - HKLM\..\Run: [LimeShop] javaw -cp "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"
    O4 - HKLM\..\Run: [Winsock2 drivers] SVCHST.EXE

    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: C:\windows\temp\U.exe

    O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpsvit.exe
    O4 - HKCU\..\RunOnce: [Winsock2 drivers] SVCHST.EXE

    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11ead797c43a7e900206/netzip/RdxIE601.cab

    Then reboot into safe mode and delete:
    C:\WINDOWS\System32\wcpsvit.exe
    C:\WINDOWS\System32\bridge.dll
    C:\WINDOWS\System32\SVCHST.EXE

Then (still in safe mode) use the Disk Cleanup tool to empty all your Temp folders.

    Regards,

    Pieter
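Pieter picked those entries out by eye. An added example, not code from the thread or from HijackThis, of the checks that make the same lines stand out mechanically: a Run command with no directory (resolved by search-path lookup at logon), a target under a temp directory, a value with no name, a file name that imitates a system binary (SVCHST.EXE vs. svchost.exe), the same value name under both Run and RunOnce (the RunOnce copy is consumed at each boot and re-written by the running process, which is why it "comes back"), and an unnamed BHO loaded straight out of System32. The heuristics and the SYSTEM_NAMES list are the editor's own assumptions and produce triage flags, not verdicts: SoundMan trips the bare-filename check but is a normal audio tray program, while wcpsvit.exe and bridge.dll trip nothing, which is why a human reading the log still matters. SAMPLE is excerpted from the first log above.

```python
"""Triage HijackThis O2/O4 lines for persistence red flags.

Added example for this thread; not HijackThis code and not the helpers'
procedure. Heuristics and SYSTEM_NAMES are the editor's own assumptions;
SAMPLE is excerpted from the log posted above.
"""
import re
from difflib import SequenceMatcher

# Windows binaries whose names malware likes to imitate (assumed list).
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "smss.exe", "spoolsv.exe", "explorer.exe",
                "rundll32.exe", "ctfmon.exe", "wuauclt.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): "
                   r"(?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")

# Excerpted from the log above (raw string: backslashes are literal).
SAMPLE = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53A1E0E4-DCD1-4E1A-869D-EE6E81C3BBC3} - C:\WINDOWS\System32\hnpamja.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Winsock2 drivers] SVCHST.EXE
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: C:\windows\temp\U.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpsvit.exe
O4 - HKCU\..\RunOnce: [Winsock2 drivers] SVCHST.EXE
""".strip().splitlines()


def target_of(cmd):
    """Executable a Run command loads; for rundll32, the DLL it is told to load."""
    toks = [q or bare for q, bare in re.findall(r'"([^"]+)"|(\S+)', cmd)]
    if toks and toks[0].lower().endswith("rundll32.exe") and len(toks) > 1:
        return toks[1].split(",")[0]        # rundll32.exe "x.dll",EntryPoint
    return toks[0] if toks else ""


def lookalike(basename):
    """Known system binary the name nearly, but not exactly, matches."""
    n = basename.lower()
    if n in SYSTEM_NAMES:
        return None
    for real in sorted(SYSTEM_NAMES):
        if SequenceMatcher(None, n, real).ratio() >= 0.85:
            return real
    return None


def triage(lines):
    """Map each suspicious O2/O4 line to the list of reasons it was flagged."""
    lines = [line.strip() for line in lines if line.strip()]
    # Pass 1: value names that appear under both a Run and a RunOnce key.
    keys_by_name = {}
    for line in lines:
        m = O4_RE.match(line)
        if m and m["name"]:
            keys_by_name.setdefault(m["name"].lower(), set()).add(m["key"])
    rearming = {n for n, ks in keys_by_name.items() if {"Run", "RunOnce"} <= ks}

    findings = {}
    for line in lines:
        reasons = []
        m = O4_RE.match(line)
        if m:
            tgt = target_of(m["cmd"])
            if "\\" not in tgt:
                reasons.append("no directory: resolved by search path at logon")
            if "\\temp\\" in tgt.lower():
                reasons.append("runs from a temp directory")
            if m["name"] is None:
                reasons.append("unnamed (default) Run value")
            real = lookalike(tgt.rsplit("\\", 1)[-1])
            if real:
                reasons.append("name imitates " + real)
            if m["name"] and m["name"].lower() in rearming:
                reasons.append("same value name in Run and RunOnce: re-arms each boot")
        m = O2_RE.match(line)
        if m and m["name"] == "(no name)" and "\\system32\\" in m["path"].lower():
            reasons.append("unnamed BHO loaded straight from System32")
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, why in triage(SAMPLE).items():
        print(line)
        for r in why:
            print("    -", r)
```

Run it as-is to see the flags for the excerpt, or feed it a whole log with `triage(open("hijackthis.log").read().splitlines())`; lines other than O2/O4 are ignored.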
     
  3. mbramble

    mbramble Registered Member

    Joined:
    May 28, 2004
    Posts:
    5
    Re: Help with resistant spyware

    Hello Pieter,
    Thanks much for the help.
    I've done all you described, except that I could not find

    C:\WINDOWS\System32\wcpsvit.exe
    C:\WINDOWS\System32\bridge.dll
    C:\WINDOWS\System32\SVCHST.EXE

    in safe mode when I ran a search for files with "system32" in their names. Is that a problem?
    Also, my diskcleanup program has not been functioning for a while, so I searched for and deleted all files (including hidden folders) with the suffix ".tmp". Does that do the job?

I am still unable to install the Microsoft service pack, although I installed all of the other updates. The download wizard still tells me that the following file is in use by another program:
    c:\program files\common files\system\ole dp\msdasql.dll

    Is it possible that spyware is preventing me from installing this update pack?

    Thanks again.
    Matt.
     
  4. mbramble

    mbramble Registered Member

    Joined:
    May 28, 2004
    Posts:
    5
    Help with resistant spyware, follow-up

    Hello Pieter,
    Thanks much for the help.
    I've done all you described, except that I could not find

    C:\WINDOWS\System32\wcpsvit.exe
    C:\WINDOWS\System32\bridge.dll
    C:\WINDOWS\System32\SVCHST.EXE

    in safe mode when I ran a search for files with "system32" in their names. Is that a problem?
    Also, my diskcleanup program has not been functioning for a while, so I searched for and deleted all files (including hidden folders) with the suffix ".tmp". Does that do the job?

I am still unable to install the Microsoft service pack, although I installed all of the other updates. The download wizard still tells me that the following file is in use by another program:
    c:\program files\common files\system\ole dp\msdasql.dll

    Is it possible that spyware is preventing me from installing this update pack?

    Thanks again.
    Matt.


    -------------

    Hi mbramble,

    All it takes nowadays is to be online without a firewall and current updates.

Before you start, please move hijackthis.exe to a separate folder. The program will make backups in the folder it's in.
    These would now end up on your desktop.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R3 - Default URLSearchHook is missing
    F0 - syst>m.ini: Shell=
    F0 - R >ystem.ini: Shel>=
    F0 - R >ystem.ini: UserInit=

    O2 - BHO: (no name) - {53A1E0E4-DCD1-4E1A-869D-EE6E81C3BBC3} - C:\WINDOWS\System32\hnpamja.dll

    O4 - HKLM\..\Run: [LimeShop] javaw -cp "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"
    O4 - HKLM\..\Run: [Winsock2 drivers] SVCHST.EXE

    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
    O4 - HKLM\..\Run: C:\windows\temp\U.exe

    O4 - HKCU\..\Run: [WINT] C:\WINDOWS\System32\wcpsvit.exe
    O4 - HKCU\..\RunOnce: [Winsock2 drivers] SVCHST.EXE

    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/11ead79...ip/RdxIE601.cab

    Then reboot into safe mode and delete:
    C:\WINDOWS\System32\wcpsvit.exe
    C:\WINDOWS\System32\bridge.dll
    C:\WINDOWS\System32\SVCHST.EXE

Then (still in safe mode) use the Disk Cleanup tool to empty all your Temp folders.

    Regards,

    Pieter
    __________________
    It´s nice to be important, but it´s more important to be nice.
     
  5. dave38

    dave38 Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    377
    Re: Help with resistant spyware, follow-up

mbramble, I have merged your post to here.

Please rescan with HijackThis, and post a fresh log.
     
  6. mbramble

    mbramble Registered Member

    Joined:
    May 28, 2004
    Posts:
    5
    Re: Help with resistant spyware, follow-up

    Hi Dave, here's the new scan log.
I ran Adaware and also deleted a couple of the same deleterious files that came back after the last attempt at purging them. Something is still creating these files!

Thanks for the help.
    MATT.

    Logfile of HijackThis v1.97.7
    Scan saved at 2:16:41 PM, on 5/28/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Winamp3\winampa.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINDOWS\System32\SVCHST.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Matt\Desktop\hijack\HijackThis.exe

    F0 - syst>m.ini: Shell=
    F0 - R >ystem.ini: Shel>=
    F0 - R >ystem.ini: UserInit=
    N2 - Netscape 6: user_pref("browser.startup.homepage", "google.com"); (C:\Documents and Settings\Matt\Application Data\Mozilla\Profiles\default\fvc3jabk.slt\prefs.js)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Matt\Application Data\Mozilla\Profiles\default\fvc3jabk.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [Winsock2 drivers] SVCHST.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\RunOnce: [Winsock2 drivers] SVCHST.EXE
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O12 - Plugin for .mol: C:\Program Files\Internet Explorer\PLUGINS\npchime.dll
    O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\PLUGINS\npchime.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\PLUGINS\npchime.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38028.2835069444
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A8597D2B-975E-4FA1-B2D2-E5B4BC6DDC68}: NameServer = 151.164.20.201 151.164.11.201
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Re: Help with resistant spyware, follow-up

    Hi mbramble,

    Please surf to http://download.broadbandmedic.com and download The Killbox.

    Double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:
    C:\WINDOWS\System32\SVCHST.EXE

    Then click on the Action menu and choose "Delete on Reboot". On the next screen, click on the File menu and choose "Add File". The filename and path should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". You'll be prompted to reboot, so make sure you close as much as you can beforehand.

    After the reboot have HijackThis Fix:

    O4 - HKLM\..\Run: [Winsock2 drivers] SVCHST.EXE

    O4 - HKCU\..\RunOnce: [Winsock2 drivers] SVCHST.EXE

    Regards,

    Pieter
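The "Delete on Reboot" step works because the delete happens during boot, before the Run and RunOnce entries that keep restarting SVCHST.EXE get a chance to run, so the file cannot be re-created or held open while it is removed. An added example, not code from the thread and not Killbox's source: the mechanism Windows itself provides for this, MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which records the request in the REG_MULTI_SZ value PendingFileRenameOperations under the Session Manager key; smss.exe processes that list at the next boot. Entries are (source, destination) pairs in NT path form, and an empty destination means delete. Whether Killbox uses exactly this API the page does not say. The registry write itself only runs on Windows with administrator rights; the list handling runs anywhere, and pending_deletes is also handy when looking at a machine, since malware can queue renames and deletes in the same value.

```python
"""Queue a locked file for deletion at the next boot.

Added example for this thread; not Killbox's code and not the helpers'
procedure. It uses the Windows mechanism behind
MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT): the REG_MULTI_SZ value
PendingFileRenameOperations under Session Manager, which smss.exe
processes at boot before anything under Run/RunOnce starts. Entries are
(source, destination) pairs; an empty destination means delete.
"""
import sys

PFRO_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PFRO_VALUE = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"          # Session Manager wants NT object paths


def nt_path(win_path):
    """C:\\dir\\file -> \\??\\C:\\dir\\file (unchanged if already NT form)."""
    return win_path if win_path.startswith(NT_PREFIX) else NT_PREFIX + win_path


def add_delete(entries, win_path):
    """Return `entries` with a delete request for `win_path` appended (once)."""
    src = nt_path(win_path)
    pairs = zip(entries[0::2], entries[1::2])
    if any(s.lower() == src.lower() and d == "" for s, d in pairs):
        return list(entries)              # already queued, do not duplicate
    return list(entries) + [src, ""]


def pending_deletes(entries):
    """Files already queued for deletion (renames have a non-empty dest)."""
    pairs = zip(entries[0::2], entries[1::2])
    return [s[len(NT_PREFIX):] if s.startswith(NT_PREFIX) else s
            for s, d in pairs if d == ""]


def queue_delete_on_reboot(win_path):
    """Write the request into the registry. Windows only; needs admin rights."""
    if sys.platform != "win32":
        raise OSError("PendingFileRenameOperations exists only on Windows")
    import winreg  # stdlib on Windows builds of Python
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PFRO_KEY, 0,
                        winreg.KEY_READ | winreg.KEY_SET_VALUE) as key:
        try:
            current, _ = winreg.QueryValueEx(key, PFRO_VALUE)
        except FileNotFoundError:
            current = []                  # value absent: nothing pending yet
        winreg.SetValueEx(key, PFRO_VALUE, 0, winreg.REG_MULTI_SZ,
                          add_delete(current, win_path))


if __name__ == "__main__":
    # Same file Pieter has Killbox remove; takes effect at the next reboot.
    queue_delete_on_reboot(r"C:\WINDOWS\System32\SVCHST.EXE")
```

After the reboot the value is gone again (smss.exe clears it once processed), so an entry that is still there, or a request pointing at something you did not queue, is worth a second look.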
     
  8. mbramble

    mbramble Registered Member

    Joined:
    May 28, 2004
    Posts:
    5
    Hijackthis log file for analysis

    Greetings,
    Adaware continually detects coolweb something during scans.
Can't get rid of this stuff. I've installed McAfee programs now, but I still can't install the MS service pack 1a, because it tells me that the C:\program files\common files\system\ole db\msdasql.dll file is in use by another program, even when I attempt it from a restart.
    Are there any clues in the following hijack log?

Thanks very much.

    Matt

    Logfile of HijackThis v1.97.7
    Scan saved at 3:07:49 PM, on 5/29/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
    C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Winamp3\winampa.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
    C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Qualcomm\Eudora\Eudora.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Documents and Settings\Matt\Desktop\hijack\HijackThis.exe

    F0 - syst>m.ini: Shell=
    F0 - R >ystem.ini: Shel>=
    F0 - R >ystem.ini: UserInit=
    N2 - Netscape 6: user_pref("browser.startup.homepage", "google.com"); (C:\Documents and Settings\Matt\Application Data\Mozilla\Profiles\default\fvc3jabk.slt\prefs.js)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Matt\Application Data\Mozilla\Profiles\default\fvc3jabk.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
    O2 - BHO: McAfee Privacy Service - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [McAfee Guardian] C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe /SU
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
    O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
    O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\McRegWiz.exe /autorun
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: Privacy Bar (HKLM)
    O12 - Plugin for .mol: C:\Program Files\Internet Explorer\PLUGINS\npchime.dll
    O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\PLUGINS\npchime.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\PLUGINS\npchime.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
    O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs8b.instantservice.com/jars/customerxsigned41.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38028.2835069444
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A8597D2B-975E-4FA1-B2D2-E5B4BC6DDC68}: NameServer = 151.164.20.201 151.164.11.201
     
  9. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi mbramble,

    I have merged your two threads together so those that are helping you will see what has been tried to-date.

    To avoid confusion, please stay in this current thread for all replies until your problem is resolved. Thank you for your understanding.

    Regards,

    snap
     