mafrenz

2020 Search pop ups

17 posts in this topic

Hi, my computer has like a thousand pop ups a second.

I have run CWShredder, Adaware, Spybot S&D, got all updates from Microsoft, but still I am having the pop ups. At least after running these my homepage was restored, but stuff keeps installing itself.

My HijackThis Log is as follows:

 

Logfile of HijackThis v1.98.0

Scan saved at 3:33:43 PM, on 7/1/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\jzvhhmgu.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\System32\Lml180.exe

C:\WINNT\System32\Gijzo.exe

C:\Program Files\STC\ClrSchP070.exe

C:\Program Files\Common Files\Slmss\slmss.exe

C:\WINNT\System32\RUNDLL32.exe

C:\Program Files\Internet Optimizer\optimize.exe

C:\Program Files\Internet Optimizer\actalert.exe

C:\WINNT\mwsvm.exe

C:\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://pop.popuptoast.com/9908/search/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.2020search.com/9908/search/r...PCID=default&s=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.2020search.com/9908/search/r...PCID=default&s=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://pop.popuptoast.com/9908/search/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINNT\System32\cdsm32.dll

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,

O2 - BHO: (no name) - SOFTWARE - (no file)

O2 - BHO: CSIECore Class - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL

O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll

O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINNT\VoiceIP.dll

O2 - BHO: TwaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: 2020SEARCH2 - {4E7BD74F-2B8D-469E-92C6-CE7EB590A94D} - C:\WINNT\2020Search2.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SDWin32 Class - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINNT\System32\SWin32.dll

O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINNT\wsem218.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: 2020SEARCH2 - {4E7BD74F-2B8D-469E-92C6-CE7EB590A94D} - C:\WINNT\2020Search2.dll

O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\Wdj7.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [aopfrzim] C:\WINNT\System32\jzvhhmgu.exe

O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [stcloader] C:\WINNT\System32\stcloader.exe

O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe

O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe

O4 - HKLM\..\Run: [Adstartup] C:\WINNT\System32\automove.exe

O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe

O4 - HKLM\..\Run: [internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

O4 - HKLM\..\Run: [srng] \Program Files\Srng\Srng.exe

O4 - HKLM\..\Run: [Mwsvm] C:\WINNT\mwsvm.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\System32\ms.exe

O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\System32\ms.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com

O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.11/konti...current/kdx.cab


Hello mafrenz,

 

You have a few infections, so let's start cleaning it up.

 

There appears to be some CoolWeb infection. Please make sure you have the latest version of CWShredder.

Download the latest version of CWShredder here:

http://www.spywareinfo.com/~merijn/files/CWShredder.exe

Run it, then click "Fix" (not Scan only) and let it fix all the variants it finds.

Then Reboot.

______

 

Next, download the PeperFix.exe, a tool made by Option^Explicit, from here:

http://downloads.subratam.org/PeperFix.exe

 

Click on the PeperFix.exe to launch it.

Click the Find and Fix button.

You will be prompted to reboot.

Reboot and it will delete the files.

______

 

Then, run AdAware again, and Make Sure You Click the "Check for Updates" Button before starting a scan.

Before you do a Scan, set up AdAware by clicking the gear wheel at the top and check these options:

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

 

Reboot when done, then please post a new HJT log, some more work will be needed.


Ok, made things probably a little easier or harder... dunno.

I read the do-it-yourself tutorial http://hometown.aol.co.uk/jrmc137/hjttutorial/tutorial.htm and I managed to reduce some stuff. I am still experiencing problems, can someone look at my log file and tell me what's up?

 

Logfile of HijackThis v1.98.0

Scan saved at 10:03:06 PM, on 7/2/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\WINNT\System32\wuauclt.exe

C:\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R3 - Default URLSearchHook is missing

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\RunOnce: [spybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

 

 

Any and all help will be highly appreciated.

:wave:


Hey Autodad, I didn't realise there was some help; at the time you posted this I was trying to figure out the BHOs and HKLMs... anyways, I have the latest version of CWShredder (as of July 1). Will try to run it again and also get the PeperFix and see what happens. You still have room to tell me if I mess up anything though... I think I opted for backup in HijackThis fixes!!! Anyways, I will post back in a little bit.

Thanks in advance.


Oh noooo, they keep coming back and it seems worse... I did like Autodad said, and this is my HJT log.

 

Logfile of HijackThis v1.98.0

Scan saved at 1:19:59 AM, on 7/3/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINNT\System32\igfxtray.exe

C:\WINNT\System32\hkcmd.exe

C:\WINNT\GWMDMMSG.exe

C:\winnt\temp\bT4.exe

C:\WINNT\bokja.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\System32\lackboxb.exe

C:\Program Files\Palm\HOTSYNC.EXE

C:\WINNT\System32\ompc.exe

C:\Program Files\Common Files\Slmss\slmss.exe

C:\WINNT\System32\RUNDLL32.exe

C:\WINNT\mwsvm.exe

C:\Program Files\Internet Optimizer\optimize.exe

C:\Program Files\Internet Optimizer\actalert.exe

C:\WINNT\System32\wuauclt.exe

C:\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINNT\System32\cdsm32.dll

R3 - URLSearchHook: (no name) - _{965A592F-8EFA-4250-8630-7960230792F1 - (no file)

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,

O2 - BHO: (no name) - SOFTWARE - (no file)

O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll

O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINNT\VoiceIP.dll

O2 - BHO: Sidesearch BHO - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll

O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll (file missing)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SDWin32 Class - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINNT\System32\SWin32.dll

O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINNT\wsem218.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [kdx] C:\WINNT\kdx\KHost.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [dozcf] C:\WINNT\dozcf.exe

O4 - HKLM\..\Run: [bT4] C:\winnt\temp\bT4.exe

O4 - HKLM\..\Run: [ageltyfcnaq] C:\WINNT\System32\jzvhhmgu.exe

O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\EsdHJ.exe

O4 - HKLM\..\Run: [bokja] C:\WINNT\bokja.exe

O4 - HKLM\..\Run: [aqadcup] C:\WINNT\aqadcup.exe

O4 - HKLM\..\Run: [lackboxb] C:\WINNT\System32\lackboxb.exe

O4 - HKLM\..\Run: [ompc] C:\WINNT\System32\ompc.exe

O4 - HKLM\..\Run: [Adstartup] C:\WINNT\System32\automove.exe

O4 - HKLM\..\Run: [internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Sidesearch - {000007C6-17DF-4438-92A4-DE5537471BA3} - C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

 

So I am stuck again... help!!!!!


Check these files and then click Fix Checked:

 

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINNT\System32\cdsm32.dll

R3 - URLSearchHook: (no name) - _{965A592F-8EFA-4250-8630-7960230792F1 - (no file)

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)

 

O2 - BHO: (no name) - SOFTWARE - (no file)

O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll

O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINNT\VoiceIP.dll

O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll (file missing)

O2 - BHO: SDWin32 Class - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINNT\System32\SWin32.dll

O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINNT\wsem218.dll

O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

 

O4 - HKLM\..\Run: [dozcf] C:\WINNT\dozcf.exe

O4 - HKLM\..\Run: [bT4] C:\winnt\temp\bT4.exe

O4 - HKLM\..\Run: [ageltyfcnaq] C:\WINNT\System32\jzvhhmgu.exe

O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\EsdHJ.exe

O4 - HKLM\..\Run: [bokja] C:\WINNT\bokja.exe

O4 - HKLM\..\Run: [aqadcup] C:\WINNT\aqadcup.exe

O4 - HKLM\..\Run: [lackboxb] C:\WINNT\System32\lackboxb.exe

O4 - HKLM\..\Run: [ompc] C:\WINNT\System32\ompc.exe

O4 - HKLM\..\Run: [Adstartup] C:\WINNT\System32\automove.exe

O4 - HKLM\..\Run: [internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"


Hello mafrenz,

 

Let's try the peper fix again.

First download the PeperFix.exe, a tool made by Option^Explicit, from here:

http://downloads.subratam.org/PeperFix.exe

Click on the PeperFix.exe to launch it.

Click the Find and Fix button.

You will be prompted to reboot.

Reboot and it will delete the files.

_____

 

Next, take a free Online Virus scan at http://housecall.trendmicro.com or http://www3.ca.com/virusinfo/virusscan.aspx.

_____

 

Then click Start, click Control Panel, and then double-click Add or Remove Programs ("Change or Remove Programs").

And Remove Twain-Tech (if it's there)

_____

 

Open Hijackthis, click Scan, then put a check next to the following entries:

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINNT\System32\cdsm32.dll

R3 - URLSearchHook: (no name) - _{965A592F-8EFA-4250-8630-7960230792F1 - (no file)

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)

 

O2 - BHO: (no name) - SOFTWARE - (no file)

O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll

O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINNT\VoiceIP.dll

O2 - BHO: Sidesearch BHO - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll

O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll (file missing)

O2 - BHO: SDWin32 Class - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINNT\System32\SWin32.dll

O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINNT\wsem218.dll

O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

 

O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe

O4 - HKLM\..\Run: [dozcf] C:\WINNT\dozcf.exe

O4 - HKLM\..\Run: [bT4] C:\winnt\temp\bT4.exe

O4 - HKLM\..\Run: [ageltyfcnaq] C:\WINNT\System32\jzvhhmgu.exe

O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\EsdHJ.exe

O4 - HKLM\..\Run: [bokja] C:\WINNT\bokja.exe

O4 - HKLM\..\Run: [lackboxb] C:\WINNT\System32\lackboxb.exe

O4 - HKLM\..\Run: [ompc] C:\WINNT\System32\ompc.exe

O4 - HKLM\..\Run: [Adstartup] C:\WINNT\System32\automove.exe

O4 - HKLM\..\Run: [internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

 

Then, Close all open Windows and browsers (have only HJT open) and click "Fix Checked".

 

Now, reboot to safe mode (tap F8 while restarting) and delete these Folders:

 

C:\Program Files\Lycos\Sidesearch\

C:\Program Files\SEP\

C:\Program Files\Internet Optimizer\

 

And these Files:

 

c:\installer\id53.exe

C:\WINNT\dozcf.exe

C:\WINNT\bokja.exe

C:\WINNT\System32\jzvhhmgu.exe

C:\WINNT\System32\EsdHJ.exe

C:\WINNT\System32\lackboxb.exe

C:\WINNT\System32\ompc.exe

C:\WINNT\System32\automove.exe

 

C:\winnt\temp\ <----delete all in this folder

 

You may have to show hidden files:

 

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

 

Then, reboot normally, and please post a new HJT log, and let us know if you have any problems.

Edited by Autodad
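
Added example, not part of the original thread and not HijackThis code: a small Python parser for the log format posted above that compares the O4 Run entries of two scans and lists R3/O2/O3 entries with a malformed CLSID or no backing file. The excerpts are copied from the 7/1, 7/3 and 7/4 logs in this thread (the 7/4 one is hard-wrapped here on purpose); the function names and report categories are this example's own.

```python
import re

ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")  # section code + body
RUN = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")   # O4 registry autorun
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Excerpts of the logs posted in this thread (not complete logs).
LOG_0701 = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
O2 - BHO: SDWin32 Class - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINNT\System32\SWin32.dll
O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\Wdj7.exe
O4 - HKLM\..\Run: [aopfrzim] C:\WINNT\System32\jzvhhmgu.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
"""
LOG_0703 = r"""
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [bT4] C:\winnt\temp\bT4.exe
O4 - HKLM\..\Run: [ageltyfcnaq] C:\WINNT\System32\jzvhhmgu.exe
O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\EsdHJ.exe
"""
# Same entries as the 7/4 log, hard-wrapped the way a mail client or editor may do.
LOG_0704_WRAPPED = r"""
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no
file)
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program
Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [iphytj] C:\WINNT\System32\jzvhhmgu.exe
"""


def parse_hjt(text):
    """Return [(code, body)] per finding, re-joining hard-wrapped lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue  # pasted logs are often double-spaced
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif entries:
            entries[-1][1] += " " + line  # continuation of the previous entry
    return [tuple(e) for e in entries]


def autoruns(entries):
    """Map (hive, value name) -> lower-cased executable path for O4 Run keys."""
    runs = {}
    for code, body in entries:
        m = RUN.match(body) if code == "O4" else None
        if m:
            cmd = m.group(4)
            exe = re.match(r'"?(.+?\.exe)', cmd, re.I)  # drop quotes and arguments
            runs[(m.group(1), m.group(3))] = (exe.group(1) if exe else cmd).lower()
    return runs


def compare_autoruns(before, after):
    """Classify the Run values of a later scan against an earlier one."""
    a, b = autoruns(before), autoruns(after)
    a_by_target = {target: key for key, target in a.items()}
    report = {"unchanged": [], "renamed": [], "retargeted": [], "new": []}
    for key, target in b.items():
        if a.get(key) == target:
            report["unchanged"].append((key[1], target))
        elif key in a:        # same value name, different executable
            report["retargeted"].append((key[1], a[key], target))
        elif target in a_by_target:  # same executable, different value name
            report["renamed"].append((a_by_target[target][1], key[1], target))
        else:
            report["new"].append((key[1], target))
    return report


def suspect_com_entries(entries):
    """R3/O2/O3 findings with a malformed CLSID or no file behind them."""
    out = []
    for code, body in entries:
        if code in ("R3", "O2", "O3"):
            no_file = "(no file)" in body or "(file missing)" in body
            if not CLSID.search(body) or no_file:
                out.append((code, body))
    return out


if __name__ == "__main__":
    scans = [parse_hjt(t) for t in (LOG_0701, LOG_0703, LOG_0704_WRAPPED)]
    for earlier, later in zip(scans, scans[1:]):
        for kind, rows in compare_autoruns(earlier, later).items():
            for row in rows:
                print(kind, *row, sep="\t")
    for code, body in suspect_com_entries(scans[0] + scans[2]):
        print("check", code, body, sep="\t")
```

A Run value that keeps its target but changes name between scans, or keeps its name but points at a new file, is being rewritten by something that was still running when the entries were fixed.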


Yeah, I did it but after a reboot, they keep coming back.. what am I missing??? Please help... the same things come back after reboot... and I can't access swi page at all... here are my logs.

I ran the trendmicro scan and deleted what it suggested, ran PeperFix - it didn't find anything, ran spybot... said it could not clean the following downloadware (2 entries), Network essentials (2 entries) and 2020search (3 entries). Ran Adaware: could not clean the following c\winnt\system32\2ndsrch.dll and c\winnt\twainte.dll. Here's the HJT log after all this.

Logfile of HijackThis v1.98.0

Scan saved at 12:58:21 PM, on 7/4/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINNT\System32\igfxtray.exe

C:\WINNT\System32\hkcmd.exe

C:\WINNT\GWMDMMSG.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINNT\System32\et500j.exe

C:\Program Files\Palm\HOTSYNC.EXE

C:\WINNT\System32\dig.exe

C:\WINNT\System32\RUNDLL32.exe

C:\WINNT\System32\wuauclt.exe

C:\WINNT\System32\jzvhhmgu.exe

C:\Program Files\Microsoft Money\System\urlmap.exe

C:\HijackThis\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1}

- (no file)

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,

O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} -

C:\WINNT\VoiceIP.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

- C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no

file)

O2 - BHO: Google Toolbar Helper -

{AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} -

C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} -

C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -

C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}

- C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -

c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program

Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [RealTray] C:\Program

Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft

Money\System\Activation.exe"

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program

Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program

Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [kdx] C:\WINNT\kdx\KHost.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [aqadcup] C:\WINNT\aqadcup.exe

O4 - HKLM\..\Run: [et500j] C:\WINNT\System32\et500j.exe

O4 - HKLM\..\Run: [dig] C:\WINNT\System32\dig.exe

O4 - HKLM\..\Run: [iphytj] C:\WINNT\System32\jzvhhmgu.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program

Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor]

C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"

/background

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

 

 

After a reboot without any cleaning or anything, here's the HJT log.

I don't know if there is any difference, but I thought I should just post it in case...

Logfile of HijackThis v1.98.0

Scan saved at 1:01:32 PM, on 7/4/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINNT\System32\igfxtray.exe

C:\WINNT\System32\hkcmd.exe

C:\WINNT\GWMDMMSG.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\System32\ompobjc.exe

C:\WINNT\System32\FCMP11nL.exe

C:\Program Files\Palm\HOTSYNC.EXE

C:\Program Files\Microsoft Money\System\urlmap.exe

C:\HijackThis\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,

O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINNT\VoiceIP.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [kdx] C:\WINNT\kdx\KHost.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [aqadcup] C:\WINNT\aqadcup.exe

O4 - HKLM\..\Run: [iphytj] C:\WINNT\System32\jzvhhmgu.exe

O4 - HKLM\..\Run: [ompobjc] C:\WINNT\System32\ompobjc.exe

O4 - HKLM\..\Run: [FCMP11nL] C:\WINNT\System32\FCMP11nL.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab


Hi mafrenz,

 

Click Start, click Control Panel, and then double-click Add or Remove Programs "Change or Remove Programs"

and Remove any of these, if they are there:

 

'DownloadWare'

'NetworkEssentials'

'MediaLoads Enhanced'

 

Then close Control Panel.

_______

 

Go to Task Manager (Ctrl + Alt + Delete) and click on "Processes" then "End Process" for these:

 

ompobjc.exe

FCMP11nL.exe

 

Then close Task Manager.

________

 

Open HJT, click Scan, then put a check next to the following entries:

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

 

R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)

 

O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINNT\VoiceIP.dll

O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no file)

 

O4 - HKLM\..\Run: [aqadcup] C:\WINNT\aqadcup.exe

O4 - HKLM\..\Run: [iphytj] C:\WINNT\System32\jzvhhmgu.exe

O4 - HKLM\..\Run: [ompobjc] C:\WINNT\System32\ompobjc.exe

O4 - HKLM\..\Run: [FCMP11nL] C:\WINNT\System32\FCMP11nL.exe

 

Then close all open windows and browsers (have only HJT open) and click "Fix Checked".

 

Then delete these files:

 

C:\WINNT\aqadcup.exe

C:\WINNT\System32\jzvhhmgu.exe

C:\WINNT\System32\ompobjc.exe

C:\WINNT\System32\FCMP11nL.exe

 

Then, update both Spybot and AdAware, and please run them again.

 

Reboot, and please post a new HJT log, and let us know how you made out.


Here we go... I could not find the program in Add/Remove Programs, so I didn't remove anything. The processes were not running either (or I didn't see them either???). For the HJT, I couldn't find ompobjc and fcmp11nl for the HKLM. I also could not find the files ompobj.exe and fcmp11nl.exe.

I updated Spybot and AdAware and ran them... Same thing: Spybot could not fix the same stuff and said I should run it again after restart. I did that and it still could not fix the same things I mentioned above. Running AdAware, it said it could not fix something because mfc70.dll was missing, and to try to reinstall the program to be able to remove it.

Anyway, I rebooted my computer (in this same reboot when Spybot ran) and here is the HJT log:

 

Logfile of HijackThis v1.98.0

Scan saved at 12:46:40 AM, on 7/6/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINNT\System32\igfxtray.exe

C:\WINNT\System32\hkcmd.exe

C:\WINNT\GWMDMMSG.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINNT\System32\igpwdm.exe

C:\WINNT\System32\0371.exe

C:\Program Files\Palm\HOTSYNC.EXE

C:\HijackThis\HijackThis.exe

C:\WINNT\System32\wuauclt.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R3 - Default URLSearchHook is missing

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [kdx] C:\WINNT\kdx\KHost.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [igpwdm] C:\WINNT\System32\igpwdm.exe

O4 - HKLM\..\Run: [0371] C:\WINNT\System32\0371.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

 

I will try not to shut down the computer till the next time I hear from you, but I will disconnect from the internet, so I can pick up from right here. Thanks and have a luvly day. :D

Edited by mafrenz


Hi mafrenz,

 

I don't see any signs of those apps running in your log.

Does Spybot tell you where it finds the 3 programs that it can't remove? (if so, please post the paths here)

Try cleaning out your System Restore. (you will lose all your restore points)

 

Turn off System Restore.

1. On the Desktop, right-click My Computer.

2. Click Properties.

3. Click the System Restore tab.

4. Check Turn off System Restore.

5. Click Apply, and then click OK.

6. Restart the computer.

7. Go back to the System Restore tab and uncheck that same box.

8. Apply.

 

What version of Spybot and AdAware are you using?

Do you have anything disabled in msconfig?

See if you can follow these links for Manual Removal of:

Downloadware

and

2020search

 

Let me know if you need help.


I have Spybot S&D 1.3, last updated 2004-06-23. This is what it found when I just ran it again (and their paths; I checked to see if the files are there, and they actually are there). Spybot log:

 

Network Essentials: User settings (Registry key, fixing failed)

HKEY_USERS\S-1-5-18\Software\Hopper

 

Network Essentials: User settings (Registry key, fixing failed)

HKEY_USERS\.DEFAULT\Software\Hopper

 

DownloadWare: User settings (Registry key, fixing failed)

HKEY_USERS\S-1-5-18\Software\Updater

 

DownloadWare: User settings (Registry key, fixing failed)

HKEY_USERS\.DEFAULT\Software\Updater

 

DSO Exploit: Data source object exploit (Registry change, fixed)

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

 

DSO Exploit: Data source object exploit (Registry change, fixed)

HKEY_USERS\S-1-5-21-3433162778-4282951562-813958858-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

 

DSO Exploit: Data source object exploit (Registry change, fixed)

HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

 

DSO Exploit: Data source object exploit (Registry change, fixed)

HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

 

DSO Exploit: Data source object exploit (Registry change, fixed)

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

 

 

--- Spybot - Search && Destroy version: 1.3 ---

2004-06-16 Includes\Cookies.sbi

2004-06-16 Includes\Dialer.sbi

2004-06-17 Includes\Hijackers.sbi

2004-06-16 Includes\Keyloggers.sbi

2004-05-12 Includes\LSP.sbi

2004-06-16 Includes\Malware.sbi

2004-06-16 Includes\Revision.sbi

2004-06-16 Includes\Security.sbi

2004-06-16 Includes\Spybots.sbi

2004-06-16 Includes\Tracks.uti

2004-06-16 Includes\Trojans.sbi

 

When I check to fix the problems, it fixes all the DSO Exploits and says to fix the rest after reboot. After reboot, it says it can't fix them because they are running in memory, so reboot and they will be fixed after reboot. I think this might go on forever... I didn't try past three reboots.

 

I don't know if any of this says what version of AdAware I have, but it's the only info I could find that relates to versions:

Reference file loaded:

Reference Number : 01R328 06.07.2004

Internal build : 260

File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref

Total size : 1289414 Bytes

Signature data size : 1268789 Bytes

Reference data size : 20561 Bytes

Signatures total : 28175

Target categories : 10

Target families : 512

 

I did the System Restore shut-off and rebooted.

I don't have anything disabled in msconfig... (or at least none that I know of)

I tried manual removal of the programs; the files are not there.

 

Any more ideas??? I will try to use the computer and see any further outcome. Let me know if there is anything else I need to do.


Hi mafrenz,

 

Let's try this. You still have some random files showing in your running processes.

The files keep changing with each log, so you will have to go to Task Manager and 'End Task' on them, then fix them in HJT, then delete the files. Then without rebooting, run Spybot and AdAware.

 

The random files in your latest log are under this entry in HJT:

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe <------This is Not the random one

O4 - HKLM\..\Run: [igpwdm] C:\WINNT\System32\igpwdm.exe <-----This Is Random

O4 - HKLM\..\Run: [0371] C:\WINNT\System32\0371.exe <-----This Is Random

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe <----this is Not random

 

You will then go to Task Manager (Ctrl + Alt + Delete) and click on "Processes" then "End Process" for these:

igpwdm.exe

and

0371.exe

Then close Task Manager.

 

Next, fix these 2 entries in HijackThis:

 

O4 - HKLM\..\Run: [igpwdm] C:\WINNT\System32\igpwdm.exe

O4 - HKLM\..\Run: [0371] C:\WINNT\System32\0371.exe

 

Then find and delete those files.

 

Now, without rebooting, run Spybot and AdAware, and see if it cleans them up.

 

*********

So notice the patterns for the random files from your above logs. All the random files are after this entry:

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

And Before this one:

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

 

(random files to fix in red)

 

Last Log:

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [igpwdm] C:\WINNT\System32\igpwdm.exe

O4 - HKLM\..\Run: [0371] C:\WINNT\System32\0371.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

________

 

4th Log:

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [aqadcup] C:\WINNT\aqadcup.exe

O4 - HKLM\..\Run: [iphytj] C:\WINNT\System32\jzvhhmgu.exe

O4 - HKLM\..\Run: [ompobjc] C:\WINNT\System32\ompobjc.exe

O4 - HKLM\..\Run: [FCMP11nL] C:\WINNT\System32\FCMP11nL.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

_________

 

3rd Log:

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [aqadcup] C:\WINNT\aqadcup.exe

O4 - HKLM\..\Run: [et500j] C:\WINNT\System32\et500j.exe

O4 - HKLM\..\Run: [dig] C:\WINNT\System32\dig.exe

O4 - HKLM\..\Run: [iphytj] C:\WINNT\System32\jzvhhmgu.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

__________

 

2nd Log:

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [dozcf] C:\WINNT\dozcf.exe

O4 - HKLM\..\Run: [bT4] C:\winnt\temp\bT4.exe

O4 - HKLM\..\Run: [ageltyfcnaq] C:\WINNT\System32\jzvhhmgu.exe

O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\EsdHJ.exe <--peper

O4 - HKLM\..\Run: [bokja] C:\WINNT\bokja.exe

O4 - HKLM\..\Run: [aqadcup] C:\WINNT\aqadcup.exe

O4 - HKLM\..\Run: [lackboxb] C:\WINNT\System32\lackboxb.exe

O4 - HKLM\..\Run: [ompc] C:\WINNT\System32\ompc.exe

O4 - HKLM\..\Run: [Adstartup] C:\WINNT\System32\automove.exe

O4 - HKLM\..\Run: [internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

 

Post back with a new log after you try this.

Edited by Autodad


I am giving up on IE and will try Mozilla. Just wondering, will this interfere with my spyware removals?? And if I don't open it at all, no more will come, right? Anyway, I will still try to clean this computer.

The logs today are not following the trend you mentioned, Autodad... so I couldn't notice the recurring programs, and when I ran HJT the above programs were not in the log or in the running processes. I did, however, run Spybot and AdAware, getting the same messages that some can't be cleaned until I reboot. I am posting my HJT log here before I reboot and will post another one once I reboot.

 

Logfile of HijackThis v1.98.0

Scan saved at 4:31:37 PM, on 7/8/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINNT\System32\igfxtray.exe

C:\WINNT\System32\hkcmd.exe

C:\WINNT\GWMDMMSG.exe

C:\WINNT\System32\wjview.exe

C:\WINNT\System32\wcc000cb.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\WINNT\System32\wuauclt.exe

C:\WINNT\System32\igtabs.exe

C:\WINNT\System32\jzvhhmgu.exe

C:\WINNT\System32\tlanui2n.exe

C:\PROGRA~1\mozilla.org\Mozilla\Mozilla.exe

C:\WINNT\System32\taskmgr.exe

C:\Program Files\Microsoft Money\System\urlmap.exe

C:\HijackThis\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R3 - Default URLSearchHook is missing

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [kdx] C:\WINNT\kdx\KHost.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [wcc000cb] C:\WINNT\System32\wcc000cb.exe

O4 - HKLM\..\Run: [igtabs] C:\WINNT\System32\igtabs.exe

O4 - HKLM\..\Run: [nzaitiwjyv] C:\WINNT\System32\jzvhhmgu.exe

O4 - HKLM\..\Run: [tlanui2n] C:\WINNT\System32\tlanui2n.exe

O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"

O4 - HKLM\..\RunOnce: [spybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [rtcres] C:\WINNT\System32\rtcres.exe

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab


And this is after reboot.

 

Logfile of HijackThis v1.98.0

Scan saved at 4:59:19 PM, on 7/8/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINNT\System32\igfxtray.exe

C:\WINNT\System32\hkcmd.exe

C:\WINNT\GWMDMMSG.exe

C:\WINNT\System32\jzvhhmgu.exe

C:\WINNT\System32\skillt.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\PROGRA~1\mozilla.org\Mozilla\Mozilla.exe

C:\Program Files\Microsoft Money\System\urlmap.exe

C:\HijackThis\HijackThis.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R3 - Default URLSearchHook is missing

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [kdx] C:\WINNT\kdx\KHost.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [nzaitiwjyv] C:\WINNT\System32\jzvhhmgu.exe

O4 - HKLM\..\Run: [skillt] C:\WINNT\System32\skillt.exe

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [rtcres] C:\WINNT\System32\rtcres.exe

O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab


Hi mafrenz, I understand your frustration. As you can see, the random files change on reboot.

We need to kill the random ones first, before fixing them in HJT. See if this way helps you spot the random ones.

 

Looking at all your logs, these are valid running processes,

 

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\WINNT\System32\igfxtray.exe

C:\WINNT\System32\hkcmd.exe

C:\WINNT\GWMDMMSG.exe

C:\Program Files\Palm\HOTSYNC.EXE

C:\WINNT\System32\taskmgr.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\PROGRA~1\mozilla.org\Mozilla\Mozilla.exe

C:\Program Files\Microsoft Money\System\urlmap.exe

C:\HijackThis\HijackThis.exe

 

In your last log (posted Jul 8 2004, 05:00 PM) these would be the random ones:

 

O4 - HKLM\..\Run: [nzaitiwjyv] C:\WINNT\System32\jzvhhmgu.exe

O4 - HKLM\..\Run: [skillt] C:\WINNT\System32\skillt.exe

O4 - HKCU\..\Run: [rtcres] C:\WINNT\System32\rtcres.exe

 

In your other log posted today (Jul 8 2004, 04:36 PM ) these are the random ones:

 

O4 - HKLM\..\Run: [wcc000cb] C:\WINNT\System32\wcc000cb.exe

O4 - HKLM\..\Run: [igtabs] C:\WINNT\System32\igtabs.exe

O4 - HKLM\..\Run: [nzaitiwjyv] C:\WINNT\System32\jzvhhmgu.exe

O4 - HKLM\..\Run: [tlanui2n] C:\WINNT\System32\tlanui2n.exe

O4 - HKCU\..\Run: [rtcres] C:\WINNT\System32\rtcres.exe

 

Notice they are all in your System32 folder. Hope that helps you identify them better.

If it does, then follow the above, by ending them in Task Manager, fixing them in HJT, then deleting them, all without rebooting.

If you didn't reboot yet, follow the ones from your latest log.

Link to post
Share on other sites

Hi Autodad, I am currently not within reach of that computer, so I can't do anything, but as soon as I get there, I will surely try and let you know. Sorry for any inconvenience.
