HELP!

Discussion in 'adware, spyware & hijack cleaning' started by HiHiHi, Feb 4, 2004.

Thread Status:
Not open for further replies.
  1. HiHiHi

    HiHiHi Guest

    Whenever I open I.E MY COMPUTER ACTS VERY STRANGELY. WHEN I CHAT on aim or type anywhere else (while I.E. is open) iT RANDOMLY CAPITALIZES MY LETTERS AS IF SOMEONE WAS CONSTANTLY HOLDING SHIFT. Random ads pop up but it always says the website is unavailable. I tried everything. I downloaded spy blaster, adaware, Spybot Search and Destroy.. I don't know what else to do. Anyone one me? Thanks, I'm really computer illiterate so if my description seems vague sorry but I don't know how else to describe it.
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Please go to http://www.tomcoyote.org/hjt/, and download 'Hijack This!'.
    Unzip, double-click HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log as a .txt file, and copy and paste its contents into your next post.

    Most of what it lists will be harmless, so do not fix anything yet.

    Regards,

    Pieter
     
  3. HiHiHi

    HiHiHi Guest

    Logfile of HijackThis v1.97.7
    Scan saved at 7:27:20 PM, on 2/5/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\SOYO\HW Monitor\Itesmart.exe
    C:\Documents and Settings\Mystik\My Documents\Vinh\Programs\framxpro\FreeRAM XP Pro 1.40.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\System32\Ere6A.exe
    C:\WINDOWS\System32\KexvAC.exe
    C:\Program Files\Winamp3\winamp3.exe
    C:\Program Files\Beware of Dog\Screaming Broccolii.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\DOCUME~1\Mystik\LOCALS~1\Temp\Rar$EX01.983\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://animelayer.com/forums/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.animelayer.com/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    O2 - BHO: (no name) - {047618D5-C12C-96ED-B881-BC76DDDC2B0D} - C:\WINDOWS\system32\ochxinnc.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {2945B033-7D9D-1D53-E13B-5E28088CE85F} - C:\WINDOWS\system32\nxmgnlze.dll
    O2 - BHO: (no name) - {6913ADF2-5CC8-7EBA-B03C-6F393FE1BD7A} - C:\WINDOWS\system32\zixvyrsw.dll
    O2 - BHO: (no name) - {726B717D-673C-9BCE-7CFF-B49A66CD25F6} - C:\WINDOWS\system32\cspzspqk.dll
    O2 - BHO: (no name) - {9E70481E-B4BA-D5BF-D8DE-0C1BB218D392} - C:\WINDOWS\system32\jyxrphvj.dll
    O2 - BHO: (no name) - {A677500D-E2E2-7D64-40D1-AB4DEC44A61B} - C:\WINDOWS\system32\wjbkxpta.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {C0CDEC3E-F8BF-DC38-F2E9-50820C2A69A4} - C:\WINDOWS\system32\neelcppk.dll
    O2 - BHO: (no name) - {C5C7C3AE-D3C5-EB2C-D43F-5ACE47B0AE10} - C:\WINDOWS\system32\jmktukpt.dll
    O2 - BHO: (no name) - {D2A3E1E9-822D-3AEB-C5A3-FBE65EA57C7C} - C:\WINDOWS\system32\zxwtzxpa.dll
    O2 - BHO: (no name) - {D8AD182B-9675-C1AF-AEFA-4F270771D0FA} - C:\WINDOWS\system32\biebgzaz.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SmartGuardian] C:\Program Files\SOYO\HW Monitor\Itesmart.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [34FBMS82#W23LD] C:\WINDOWS\System32\HotElc.exe
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Mystik\My Documents\Vinh\Programs\framxpro\FreeRAM XP Pro 1.40.exe" -win
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O4 - Startup: Shortcut to ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.microsoft.com/security/protect/WSA/shared/cab/x86/MSSecAdv.cab?1065756178506
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19add0eb01b8d4f82702/netzip/RdxIE601.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.3.1.2083/bin/imvid.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{72D87886-2146-4BE8-A87B-19A463B807FD}: NameServer = 64.136.28.120 64.136.20.133

    well there ya go..
     
  4. HiHiHi

    HiHiHi Guest

    i scanned my comp again with the update of adaware..iono if it matters but here it is just in case

    Logfile of HijackThis v1.97.7
    Scan saved at 9:40:08 PM, on 2/5/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\SOYO\HW Monitor\Itesmart.exe
    C:\Documents and Settings\Mystik\My Documents\Vinh\Programs\framxpro\FreeRAM XP Pro 1.40.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Program Files\Beware of Dog\Screaming Broccolii.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\mIRC\mirc.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\Mystik\LOCALS~1\Temp\Rar$EX00.326\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://animelayer.com/forums/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.animelayer.com/
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    O2 - BHO: (no name) - {047618D5-C12C-96ED-B881-BC76DDDC2B0D} - C:\WINDOWS\system32\ochxinnc.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {2945B033-7D9D-1D53-E13B-5E28088CE85F} - C:\WINDOWS\system32\nxmgnlze.dll
    O2 - BHO: (no name) - {6913ADF2-5CC8-7EBA-B03C-6F393FE1BD7A} - C:\WINDOWS\system32\zixvyrsw.dll
    O2 - BHO: (no name) - {726B717D-673C-9BCE-7CFF-B49A66CD25F6} - C:\WINDOWS\system32\cspzspqk.dll
    O2 - BHO: (no name) - {9E70481E-B4BA-D5BF-D8DE-0C1BB218D392} - C:\WINDOWS\system32\jyxrphvj.dll
    O2 - BHO: (no name) - {A677500D-E2E2-7D64-40D1-AB4DEC44A61B} - C:\WINDOWS\system32\wjbkxpta.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {C0CDEC3E-F8BF-DC38-F2E9-50820C2A69A4} - C:\WINDOWS\system32\neelcppk.dll
    O2 - BHO: (no name) - {C5C7C3AE-D3C5-EB2C-D43F-5ACE47B0AE10} - C:\WINDOWS\system32\jmktukpt.dll
    O2 - BHO: (no name) - {D2A3E1E9-822D-3AEB-C5A3-FBE65EA57C7C} - C:\WINDOWS\system32\zxwtzxpa.dll
    O2 - BHO: (no name) - {D8AD182B-9675-C1AF-AEFA-4F270771D0FA} - C:\WINDOWS\system32\biebgzaz.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SmartGuardian] C:\Program Files\SOYO\HW Monitor\Itesmart.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [34FBMS82#W23LD] C:\WINDOWS\System32\Oen8O.exe
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Mystik\My Documents\Vinh\Programs\framxpro\FreeRAM XP Pro 1.40.exe" -win
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O4 - Startup: Shortcut to ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.microsoft.com/security/protect/WSA/shared/cab/x86/MSSecAdv.cab?1065756178506
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19add0eb01b8d4f82702/netzip/RdxIE601.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.3.1.2083/bin/imvid.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{72D87886-2146-4BE8-A87B-19A463B807FD}: NameServer = 64.136.28.120 64.136.20.133
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    First, download and run:
    http://home01.wxs.nl/~kleyn080/uninst.exe

    Then check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    O2 - BHO: (no name) - {047618D5-C12C-96ED-B881-BC76DDDC2B0D} - C:\WINDOWS\system32\ochxinnc.dll

    O2 - BHO: (no name) - {2945B033-7D9D-1D53-E13B-5E28088CE85F} - C:\WINDOWS\system32\nxmgnlze.dll
    O2 - BHO: (no name) - {6913ADF2-5CC8-7EBA-B03C-6F393FE1BD7A} - C:\WINDOWS\system32\zixvyrsw.dll
    O2 - BHO: (no name) - {726B717D-673C-9BCE-7CFF-B49A66CD25F6} - C:\WINDOWS\system32\cspzspqk.dll
    O2 - BHO: (no name) - {9E70481E-B4BA-D5BF-D8DE-0C1BB218D392} - C:\WINDOWS\system32\jyxrphvj.dll
    O2 - BHO: (no name) - {A677500D-E2E2-7D64-40D1-AB4DEC44A61B} - C:\WINDOWS\system32\wjbkxpta.dll

    O2 - BHO: (no name) - {C0CDEC3E-F8BF-DC38-F2E9-50820C2A69A4} - C:\WINDOWS\system32\neelcppk.dll
    O2 - BHO: (no name) - {C5C7C3AE-D3C5-EB2C-D43F-5ACE47B0AE10} - C:\WINDOWS\system32\jmktukpt.dll
    O2 - BHO: (no name) - {D2A3E1E9-822D-3AEB-C5A3-FBE65EA57C7C} - C:\WINDOWS\system32\zxwtzxpa.dll
    O2 - BHO: (no name) - {D8AD182B-9675-C1AF-AEFA-4F270771D0FA} - C:\WINDOWS\system32\biebgzaz.dll

    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe

    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19add0eb01b8d4f82702/netzip/RdxIE601.cab

    Then reboot and it should be lots better.

    Keep us posted,

    Pieter
     
  6. HiHiHi

    HiHiHi Guest

    man i can't thank you enough.. thanks a lot.. keep up the good work bro.. people like me appreciate the help you are offering on these forums..good luck and don't go anywhere anytime soon heh..
     
  7. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    hi HiHiHi,

    keep posting.... (of course may you have not so many probz :D )

    Wilders is here always :-*
     
  8. HiHiHi

    HiHiHi Guest

    MY I>E> ACTING SCREWY AGAIN UGH LIKE SOMEONE CONSTANTLY HOLDING SHIFT HELP ME?

    Logfile of HijackThis v1.97.7
    Scan saved at 5:19:43 PM, on 2/7/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\SOYO\HW Monitor\Itesmart.exe
    C:\Documents and Settings\Mystik\My Documents\Vinh\Programs\framxpro\FreeRAM XP Pro 1.40.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\System32\QtrgRbne.exe
    C:\WINDOWS\System32\FbtVMy.exe
    C:\Program Files\Beware of Dog\Screaming Broccolii.exe
    C:\Program Files\Winamp3\winamp3.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\DOCUME~1\Mystik\LOCALS~1\Temp\Rar$EX00.472\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://animelayer.com/forums/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.animelayer.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SmartGuardian] C:\Program Files\SOYO\HW Monitor\Itesmart.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [34FBMS82#W23LD] C:\WINDOWS\System32\HotElc.exe
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Mystik\My Documents\Vinh\Programs\framxpro\FreeRAM XP Pro 1.40.exe" -win
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - Startup: Shortcut to ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.microsoft.com/security/protect/WSA/shared/cab/x86/MSSecAdv.cab?1065756178506
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.3.1.2083/bin/imvid.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{72D87886-2146-4BE8-A87B-19A463B807FD}: NameServer = 64.136.28.120 64.136.20.133
     
  9. Vietnam Vet

    Vietnam Vet Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    306
    Hello HiHiHi,

    You are infected with the Peper trojan again. Run again the remover Pieter had you download earlier in this thread. Here is the link again in case you have deleted it.

    http://home01.wxs.nl/~kleyn080/uninst.exe

    Reboot and then please run HijackThis and repost another log in case Pieter has any further instructions, or maybe some advice in protecting yourself in the future. Good luck.
     
  10. HiHiHi

    HiHiHi Guest

    here's a fresh copy..

    Logfile of HijackThis v1.97.7
    Scan saved at 4:01:29 PM, on 2/8/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\SOYO\HW Monitor\Itesmart.exe
    C:\Documents and Settings\Mystik\My Documents\Vinh\Programs\framxpro\FreeRAM XP Pro 1.40.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\DOCUME~1\Mystik\LOCALS~1\Temp\Rar$EX00.547\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://animelayer.com/forums/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.animelayer.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SmartGuardian] C:\Program Files\SOYO\HW Monitor\Itesmart.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Mystik\My Documents\Vinh\Programs\framxpro\FreeRAM XP Pro 1.40.exe" -win
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - Startup: Shortcut to ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.microsoft.com/security/protect/WSA/shared/cab/x86/MSSecAdv.cab?1065756178506
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.3.1.2083/bin/imvid.cab

    thanks
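
Added example, not part of the original thread: a small Python comparison of successive HijackThis logs, showing which entries a cleanup removed and which survived with a different target file. The three excerpts are lines copied from the logs in posts 4, 8 and 10; keying entries by CLSID or by Run value name is this example's own choice, not something HijackThis does.

```python
import re

# Lines copied from the HijackThis logs in posts 4, 8 and 10 of this thread.
LOG_FEB5 = r"""
O2 - BHO: (no name) - {047618D5-C12C-96ED-B881-BC76DDDC2B0D} - C:\WINDOWS\system32\ochxinnc.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [34FBMS82#W23LD] C:\WINDOWS\System32\Oen8O.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
"""
LOG_FEB7 = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [34FBMS82#W23LD] C:\WINDOWS\System32\HotElc.exe
"""
LOG_FEB8 = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
"""

ENTRY = re.compile(r"^\s*([RO]\d+) - (.+?)\s*$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_VALUE = re.compile(r"^(HK\w+\\\.\.\\\w+): \[([^\]]+)\]")


def entry_key(section, body):
    """Pick the part of an entry that stays stable when its file name changes."""
    clsid = CLSID.search(body)
    if clsid:
        return (section, clsid.group(0).upper())
    run = RUN_VALUE.match(body)
    if run:
        # Autostart entries are identified by hive and value name, not by target path.
        return (section, f"{run.group(1)} [{run.group(2)}]")
    return (section, body)


def parse_log(text):
    """Map each R*/O* entry of a HijackThis log to its full text, by stable key."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # header lines and the process list do not match and are skipped
            section, body = m.groups()
            entries[entry_key(section, body)] = body
    return entries


def compare(before, after):
    """Classify entries as removed, added, changed (same key, new text) or unchanged."""
    b, a = parse_log(before), parse_log(after)
    same = lambda k: b[k].casefold() == a[k].casefold()
    return {
        "removed": sorted(k for k in b if k not in a),
        "added": sorted(k for k in a if k not in b),
        "changed": sorted(k for k in b if k in a and not same(k)),
        "unchanged": sorted(k for k in b if k in a and same(k)),
    }


if __name__ == "__main__":
    for label, old, new in (("Feb 5 -> Feb 7", LOG_FEB5, LOG_FEB7),
                            ("Feb 7 -> Feb 8", LOG_FEB7, LOG_FEB8)):
        print(label)
        for kind, keys in compare(old, new).items():
            for section, ident in keys:
                print(f"  {kind:9} {section} {ident}")
```

An entry reported as "changed" after a cleanup, such as the `[34FBMS82#W23LD]` Run value here, is one to check before treating the machine as clean, because the autostart is still registered and only its target file name differs.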
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
  12. HiHiHi

    HiHiHi Guest

    thanks man it's working great thanks for everything see ya around
     