hijackthis.log

Discussion in 'adware, spyware & hijack cleaning' started by franchise, Jul 6, 2004.

Thread Status:
Not open for further replies.
  1. franchise

    franchise Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    11
    thanks for taking a look

    Logfile of HijackThis v1.97.7
    Scan saved at 9:00:18 PM, on 7/6/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\EVENTM~1\emservice.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
    C:\WINDOWS\System32\LVCOMS.EXE
    C:\windows\system32\regsrv.exe
    C:\WINDOWS\wt\updater\wcmdmgr.exe
    C:\PROGRA~1\MSNMES~1\MsnMsgr.Exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PROGRA~1\MI3AA1~1\WCESCOMM.EXE
    C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\wkcalrem.exe
    C:\WINDOWS\System32\fonroll.exe
    C:\WINDOWS\System32\dbnarme.exe
    C:\mIRC\ircn\SYSTEM\mirc32.exe
    C:\WINDOWS\explorer.exe
    C:\PROGRA~1\AIM95\aim.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\DOCUME~1\Stephen\Desktop\HIJACK~1.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
    N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.comcast.net"); (C:\Documents and Settings\Stephen\Application Data\Mozilla\Profiles\default\xxd66z2v.slt\prefs.js)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Stephen\Application Data\Mozilla\Profiles\default\xxd66z2v.slt\prefs.js)
    O2 - BHO: (no name) - {029CA12C-89C1-46A7-A3C7-82F2F98635CB} - (no file)
    O2 - BHO: (no name) - {B9D90B27-AD4A-413A-88CB-3E6DDC10DC2D} - (no file)
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - (no file)
    O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - C:\Program Files\Common Files\PFWShared\weaddon.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [LIU] C:\Program Files\Logitech\QuickCam\RUBICON.EXE
    O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
    O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\System32\LVCOMS.EXE
    O4 - HKLM\..\Run: [CMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RAM Idle] C:\Program Files\Customizer XP\RAMIdle.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [System Profile] c:\windows\system32\regsrv.exe
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
    O4 - HKLM\..\Run: [4.exe] C:\DOCUME~1\stephen\LOCALS~1\temp\4.exe
    O4 - HKLM\..\Run: [mhipwn] C:\WINDOWS\mhipwn.exe
    O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\XvbV.exe
    O4 - HKLM\..\Run: [p76X34j] fonroll.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
    O4 - HKCU\..\Run: [Ywp7RQH7g] dbnarme.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AOL Toolbar (HKLM)
    O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: ICQ 4.0 (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O9 - Extra button: Support (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
    O15 - Trusted Zone: http://www.bestbuy.com
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37580.346724537
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab
     
  2. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Hi franchise

    Download the peper fix here. Make sure you are connected to the net and run it. If asked by your firewall for permission to access the net, please grant permission. Reboot and run it a second time while connected to the net.

    Download Ad-aware from here: http://www.computercops.biz/downloads-file-292.html
    Install by double-clicking on the downloaded file.
    After installing but before running, update Ad-aware by using its Globe icon.
    After updating, shutdown and restart Ad-aware.
    Ad-aware is ready to scan and clean your system following these steps:

    Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
    "Unload recognized processes during scanning."
    Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
    "Let Windows remove files in use after reboot."
    Press "Scan Now"
    Check option "Use Custom scanning options"
    Check option "Activate In-Depth Scan"
    Press "Select drives\folders to scan"
    Select the active partition which is usually C:
    Press "Next" to let Ad-aware scan your drives...
    If it finds "bad" files and registry keys, press "Next" again
    Right-click in that pane and choose "select all"
    Press "next"
    When it asks to remove all checked items, Press "OK"
    Close Ad-aware, reboot your system and go on to Step 2 below.


    Spybot S&D
    The download for Spybot S&D is available here: http://www.computercops.biz/downloads-file-108.html

    Install by double-clicking on the downloaded file.
    Run Spybot S&D from desktop icon or Start menu.
    Press "Search for updates" button to get list of updates available.
    Press "Download updates" button.
    Close all IE windows and close & restart Spybot S&D.
    Press "Check for problems" button.
    Have SpyBot remove all it marks in red by pressing "Fix selected problems".

    Close Spybot S&D, reboot your system .

    Empty your Temporary Internet Files and history in Internet Options. And clean out your
    %Userprofile%\Local Settings\Temp
    folder. It's a good idea to do that regularly.

    Then Disable system restore: Instructions here
    Reboot

    Enable System Restore.

    Pls. post another log.
     
  3. franchise

    franchise Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    11
    Logfile of HijackThis v1.97.7
    Scan saved at 1:59:22 AM, on 7/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\EVENTM~1\emservice.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\System32\LVCOMS.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
    C:\windows\system32\regsrv.exe
    C:\Program Files\ICQLite\ICQLite.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\PROGRA~1\QUICKT~1\qttask.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\AIM95\aim.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PROGRA~1\MI3AA1~1\WCESCOMM.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Stephen\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
    R3 - Default URLSearchHook is missing
    N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.comcast.net"); (C:\Documents and Settings\Stephen\Application Data\Mozilla\Profiles\default\xxd66z2v.slt\prefs.js)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Stephen\Application Data\Mozilla\Profiles\default\xxd66z2v.slt\prefs.js)
    O2 - BHO: (no name) - {029CA12C-89C1-46A7-A3C7-82F2F98635CB} - (no file)
    O2 - BHO: (no name) - {B9D90B27-AD4A-413A-88CB-3E6DDC10DC2D} - (no file)
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - C:\Program Files\Common Files\PFWShared\weaddon.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [LIU] C:\Program Files\Logitech\QuickCam\RUBICON.EXE
    O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
    O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\System32\LVCOMS.EXE
    O4 - HKLM\..\Run: [CMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RAM Idle] C:\Program Files\Customizer XP\RAMIdle.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [System Profile] c:\windows\system32\regsrv.exe
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
    O4 - HKLM\..\Run: [4.exe] C:\DOCUME~1\stephen\LOCALS~1\temp\4.exe
    O4 - HKLM\..\Run: [mhipwn] C:\WINDOWS\mhipwn.exe
    O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\XvbV.exe
    O4 - HKLM\..\Run: [p76X34j] fonroll.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
    O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AOL Toolbar (HKLM)
    O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: ICQ 4.0 (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O9 - Extra button: Support (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
    O15 - Trusted Zone: http://www.bestbuy.com
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37580.346724537
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab
     
  4. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Hi franchise

    Check the following items in Hijackthis - close ALL windows\browsers except HIjackthis and cllick "Fix checked":

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/r...&c=3c01&lc=0409

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {029CA12C-89C1-46A7-A3C7-82F2F98635CB} - (no file)
    O2 - BHO: (no name) - {B9D90B27-AD4A-413A-88CB-3E6DDC10DC2D} - (no file)
    O2 - BHO: (no name) - SOFTWARE - (no file)

    O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - C:\Program Files\Common Files\PFWShared\weaddon.dll (file missing)

    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)

    O4 - HKLM\..\Run: [System Profile] c:\windows\system32\regsrv.exe <----- virus?? pls. scan: http://www.kaspersky.com/remoteviruschk.html
    IF virus - pls. check !

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [4.exe] C:\DOCUME~1\stephen\LOCALS~1\temp\4.exe
    O4 - HKLM\..\Run: [mhipwn] C:\WINDOWS\mhipwn.exe
    O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\XvbV.exe
    O4 - HKLM\..\Run: [p76X34j] fonroll.exe

    O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"

    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

    Did you put this one in "trusted zone"?
    O15 - Trusted Zone: http://www.bestbuy.com
    if NOT - pls. check.

    NOTE....even in safe mode you may have to open taskmanager and end task on some of them before you can delete them.

    Make sure you can view hidden and system files: Instructions here

    Then Boot to safe mode: Instructions here

    Delete the following files\folders IF still present:

    c:\windows\system32\regsrv.exe <------- see above !
    C:\DOCUME~1\stephen\LOCALS~1\temp\4.exe
    C:\WINDOWS\mhipwn.exe
    C:\WINDOWS\System32\XvbV.exe
    C:\Program Files\\MProcessor\mprocessor.exe"

    Then reboot and use AdAware as described :
    HERE

    Then use the Disk Cleanup Utility to empty all your Temp folders.

    Then Disable system restore: Instructions here
    Reboot

    Enable System Restore.

    Problem gone?? And what did the scan find?

    IF virus - pls.Go for free online Virus scans here:

    http://housecall.trendmicro.com/housecall/start_corp.asp
    http://www.pandasoftware.com/activescan/

    Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.
     
  5. franchise

    franchise Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    11
    here is the new log, getting some errors at startup, going to run a virus scan now

    Logfile of HijackThis v1.97.7
    Scan saved at 10:56:53 AM, on 7/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\PROGRA~1\COMMON~1\AOL\EVENTM~1\emservice.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\WINDOWS\System32\LVCOMS.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
    C:\Program Files\ICQLite\ICQLite.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\PROGRA~1\QUICKT~1\qttask.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\PROGRA~1\AIM95\aim.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PROGRA~1\MI3AA1~1\WCESCOMM.EXE
    C:\Documents and Settings\Stephen\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
    N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.comcast.net"); (C:\Documents and Settings\Stephen\Application Data\Mozilla\Profiles\default\xxd66z2v.slt\prefs.js)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Stephen\Application Data\Mozilla\Profiles\default\xxd66z2v.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [LIU] C:\Program Files\Logitech\QuickCam\RUBICON.EXE
    O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
    O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\System32\LVCOMS.EXE
    O4 - HKLM\..\Run: [CMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RAM Idle] C:\Program Files\Customizer XP\RAMIdle.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM95\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\WCESCOMM.EXE"
    O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AOL Toolbar (HKLM)
    O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: ICQ 4.0 (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O9 - Extra button: Support (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
    O15 - Trusted Zone: http://www.bestbuy.com
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37580.346724537
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab
     
  6. franchise

    franchise Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    11
    also getting popups that shouldnt be there when i open IE advertising spyware removal
     
  7. franchise

    franchise Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    11
    getting logonui.exe error when booting

    also runtime error c:\windows\temp\installer.exe
     
  8. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    did you run the AV on-line scans??
    .............

    Did you run an updated ad aware plus SpybotS&D??
    ...............

    Could you pls. have a look here - is this o.k.?

    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Stephen\Application Data\Mozilla\Profiles\default\xxd66z2v.slt\prefs.js)
    .................

    Found this:

    Go to Start/Run/Regedit and navigate to:

    HKEY LOCAL MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon

    In the right pane scroll down to UIHost. Double click it and type this in under Value Data: logonui.exe

    http://www.windowsdailynews.com/2004/0219.html
    .........

    An .exe in temp. files is NO good !!!!!

    Then use the Disk Cleanup Utility to empty all your Temp folders.
     
  9. franchise

    franchise Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    11
    ran both av online scans
    ran updated adaware and spybot

    logonui.exe thing worked, thanks

    emptied temp folders numerous times installer.exe keeps coming back.

    getting errors on these two files during startup:
    wanmpsvc.exe
    directcd.exe
     
  10. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    What did the on-line scan find??

    Maybe you run this "temp.installer" here:http://www.kaspersky.com/remoteviruschk.html

    so we know, with "what" we are dealing.

    What is the EXACT error you are getting with the 2 items??
     
  11. franchise

    franchise Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    11
    online scan did not recognize c:\windows\temp\installer.exe as a virus..

    error i get with it at startup; Buffer Overrun Detected

    just restarted computer again and didnt get errors with those 2 files, however aim.exe crashed
     
  12. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
  13. franchise

    franchise Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    11
    spybot found 5 entries of DSO Exploit, 1 entry from Avenue A, Inc., 1 entry from MediaPlex, 1 entry from spyhunter popups.

    "fixed" those problems a couple of times, keep returning.
     
  14. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    You can IGNORE for now the DSO exploits - is a "BUG" in SpybotS&D

    1 entry from Avenue A, Inc., 1 entry from MediaPlex, = are cookies ?

    1 entry from spyhunter popups. ??
     
  15. franchise

    franchise Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    11
    all 3 are cookies
     
  16. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
  17. franchise

    franchise Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    11
    i just installed spywareblaster and ms office 2003 pro just started installing out of nowhere
     
  18. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
  19. franchise

    franchise Registered Member

    Joined:
    Jul 6, 2004
    Posts:
    11
    found alot of trojans, renamed them and i got an error that important files were renamed and windows wouldnt run properly, insert xp cd 1. so i had to un-rename them
     
  20. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Which trojans did you find?? Did you look for write-ups?? Go via Google !
     
Thread Status:
Not open for further replies.