2020 Search pop ups

16 replies to this topic

#1 mafrenz

    Member

  • Full Member
  • 11 posts

Posted 01 July 2004 - 03:43 PM

Hi, my computer has like a thousand pop ups a second.
I have run CWShredder, Adaware, Spybot S&D, got all updates from Microsoft, but still I am having the pop ups. At least after running these my homepage was restored, but stuff keeps installing itself.
My HijackThis Log is as follows:

Logfile of HijackThis v1.98.0
Scan saved at 3:33:43 PM, on 7/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\jzvhhmgu.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\Lml180.exe
C:\WINNT\System32\Gijzo.exe
C:\Program Files\STC\ClrSchP070.exe
C:\Program Files\Common Files\Slmss\slmss.exe
C:\WINNT\System32\RUNDLL32.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\WINNT\mwsvm.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://pop.popuptoas...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.2020se...PCID=default&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.2020se...PCID=default&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://pop.popuptoas...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINNT\System32\cdsm32.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: CSIECore Class - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll
O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINNT\VoiceIP.dll
O2 - BHO: TwaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: 2020SEARCH2 - {4E7BD74F-2B8D-469E-92C6-CE7EB590A94D} - C:\WINNT\2020Search2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SDWin32 Class - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINNT\System32\SWin32.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINNT\wsem218.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: 2020SEARCH2 - {4E7BD74F-2B8D-469E-92C6-CE7EB590A94D} - C:\WINNT\2020Search2.dll
O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\Wdj7.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [aopfrzim] C:\WINNT\System32\jzvhhmgu.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [stcloader] C:\WINNT\System32\stcloader.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINNT\System32\automove.exe
O4 - HKLM\..\Run: [alchem] C:\WINNT\alchem.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Srng] \Program Files\Srng\Srng.exe
O4 - HKLM\..\Run: [Mwsvm] C:\WINNT\mwsvm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\System32\ms.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish....pfishUpload.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.konti...current/kdx.cab

#2 Autodad

    Forum Deity

  • Trusted Advisor
  • 2,118 posts

Posted 02 July 2004 - 08:26 PM

Hello mafrenz,

You have a few infections, so let's start cleaning it up.

There appears to be some CoolWeb infection. Please make sure you have the latest version of CWShredder.
Download the latest version of CWShredder here:
http://www.spywarein.../CWShredder.exe
Run it, then click "Fix" (not Scan only) and let it fix all the variants it finds.
Then Reboot.
______

Next, download the PeperFix.exe, a tool made by Option^Explicit, from here:
http://downloads.sub...rg/PeperFix.exe

Click on the PeperFix.exe to launch it.
Click the Find and Fix button.
You will be prompted to reboot.
Reboot and it will delete the files.
______

Then, run AdAware again, and Make Sure You Click the "Check for Updates" Button before starting a scan.
Before you do a Scan, set up AdAware by clicking the gear wheel at the top and check these options:
General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"
Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"
Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."
Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."
Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

Reboot when done, then please post a new HJT log, some more work will be needed.

#3 mafrenz

    Member

  • Full Member
  • 11 posts

Posted 02 July 2004 - 10:07 PM

Ok, made things probably a little easier or harder... dunno.
I read the do-it-yourself tutorial http://hometown.aol....al/tutorial.htm and I managed to reduce some stuff. I am still experiencing problems; can someone look at my log file and tell me what's up.

Logfile of HijackThis v1.98.0
Scan saved at 10:03:06 PM, on 7/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINNT\System32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab


Any and all help will be highly appreciated.

#4 mafrenz

    Member

  • Full Member
  • 11 posts

Posted 02 July 2004 - 10:12 PM

Hey Autodad, I didn't realise there was some help; at the time you posted this I was trying to figure out the BHOs and HKLMs... anyways, I have the latest version of CWShredder (as of July 1). Will try to run it again and also get the PeperFix and see what happens. You still have room to tell me if I mess up anything though... I think I opted for backup in HijackThis fixes!!! Anyways, I will post back in a little bit.
Thanks in advance.

#5 mafrenz

    Member

  • Full Member
  • 11 posts

Posted 03 July 2004 - 09:11 AM

Oh noooo, they keep coming back and it seems worse... I did like Autodad said, and this is my HJT log.

Logfile of HijackThis v1.98.0
Scan saved at 1:19:59 AM, on 7/3/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\GWMDMMSG.exe
C:\winnt\temp\bT4.exe
C:\WINNT\bokja.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\lackboxb.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINNT\System32\ompc.exe
C:\Program Files\Common Files\Slmss\slmss.exe
C:\WINNT\System32\RUNDLL32.exe
C:\WINNT\mwsvm.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\WINNT\System32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINNT\System32\cdsm32.dll
R3 - URLSearchHook: (no name) - _{965A592F-8EFA-4250-8630-7960230792F1 - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll
O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINNT\VoiceIP.dll
O2 - BHO: Sidesearch BHO - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SDWin32 Class - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINNT\System32\SWin32.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINNT\wsem218.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [kdx] C:\WINNT\kdx\KHost.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [dozcf] C:\WINNT\dozcf.exe
O4 - HKLM\..\Run: [bT4] C:\winnt\temp\bT4.exe
O4 - HKLM\..\Run: [ageltyfcnaq] C:\WINNT\System32\jzvhhmgu.exe
O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\EsdHJ.exe
O4 - HKLM\..\Run: [bokja] C:\WINNT\bokja.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINNT\aqadcup.exe
O4 - HKLM\..\Run: [lackboxb] C:\WINNT\System32\lackboxb.exe
O4 - HKLM\..\Run: [ompc] C:\WINNT\System32\ompc.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINNT\System32\automove.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Sidesearch - {000007C6-17DF-4438-92A4-DE5537471BA3} - C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab

So I am stuck again... help!!!!!

#6 Baris

    Member

  • Full Member
  • 10 posts

Posted 03 July 2004 - 10:02 AM

Check these entries and then click Fix Checked:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINNT\System32\cdsm32.dll
R3 - URLSearchHook: (no name) - _{965A592F-8EFA-4250-8630-7960230792F1 - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)


O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll
O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINNT\VoiceIP.dll
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll (file missing)
O2 - BHO: SDWin32 Class - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINNT\System32\SWin32.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINNT\wsem218.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll


O4 - HKLM\..\Run: [dozcf] C:\WINNT\dozcf.exe
O4 - HKLM\..\Run: [bT4] C:\winnt\temp\bT4.exe
O4 - HKLM\..\Run: [ageltyfcnaq] C:\WINNT\System32\jzvhhmgu.exe
O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\EsdHJ.exe
O4 - HKLM\..\Run: [bokja] C:\WINNT\bokja.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINNT\aqadcup.exe
O4 - HKLM\..\Run: [lackboxb] C:\WINNT\System32\lackboxb.exe
O4 - HKLM\..\Run: [ompc] C:\WINNT\System32\ompc.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINNT\System32\automove.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe


#7 Autodad

    Forum Deity

  • Trusted Advisor
  • 2,118 posts

Posted 03 July 2004 - 07:00 PM

Hello mafrenz,

Let's try the PeperFix again.
First download the PeperFix.exe, a tool made by Option^Explicit, from here:
http://downloads.sub...rg/PeperFix.exe
Click on the PeperFix.exe to launch it.
Click the Find and Fix button.
You will be prompted to reboot.
Reboot and it will delete the files.
_____

Next, take a free Online Virus scan at http://housecall.trendmicro.com or http://www3.ca.com/v.../virusscan.aspx.
_____

Then click Start, click Control Panel, and then double-click Add or Remove Programs "Change or Remove Programs"
And Remove Twain-Tech (if it's there)
_____

Open Hijackthis, click Scan, then put a check next to the following entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINNT\System32\cdsm32.dll
R3 - URLSearchHook: (no name) - _{965A592F-8EFA-4250-8630-7960230792F1 - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)

O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem219.dll
O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINNT\VoiceIP.dll
O2 - BHO: Sidesearch BHO - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1400.dll
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll (file missing)
O2 - BHO: SDWin32 Class - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINNT\System32\SWin32.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINNT\wsem218.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [dozcf] C:\WINNT\dozcf.exe
O4 - HKLM\..\Run: [bT4] C:\winnt\temp\bT4.exe
O4 - HKLM\..\Run: [ageltyfcnaq] C:\WINNT\System32\jzvhhmgu.exe
O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\EsdHJ.exe
O4 - HKLM\..\Run: [bokja] C:\WINNT\bokja.exe
O4 - HKLM\..\Run: [lackboxb] C:\WINNT\System32\lackboxb.exe
O4 - HKLM\..\Run: [ompc] C:\WINNT\System32\ompc.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINNT\System32\automove.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"


Then, Close all open Windows and browsers (have only HJT open) and click "Fix Checked".

Now, reboot to safe mode (tap F8 while restarting) and delete these Folders:

C:\Program Files\Lycos\Sidesearch\
C:\Program Files\SEP\
C:\Program Files\Internet Optimizer\

And these Files:

c:\installer\id53.exe
C:\WINNT\dozcf.exe
C:\WINNT\bokja.exe
C:\WINNT\System32\jzvhhmgu.exe
C:\WINNT\System32\EsdHJ.exe
C:\WINNT\System32\lackboxb.exe
C:\WINNT\System32\ompc.exe
C:\WINNT\System32\automove.exe

C:\winnt\temp\ <----delete all in this folder

You may have to show hidden files:

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Then, reboot normally, and please post a new HJT log, and let us know if you have any problems.

Edited by Autodad, 03 July 2004 - 07:11 PM.
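The thread's real difficulty is telling a leftover from a live infection, and noticing that the same file comes back under a new Run value name after each cleanup (jzvhhmgu.exe appears above as [aopfrzim] and then [ageltyfcnaq]). The script below is an added example, not code from the thread or from HijackThis: it parses the log's entry lines, notes orphaned and temp-folder entries, and diffs two logs by the file each entry loads rather than by its name. BEFORE and AFTER are constructed samples built from a handful of the lines posted in this thread.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Closing brace optional: the logs above contain lines like "_{CFBFAE00-... - (no file)".
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?")
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:exe|dll|ocx))"?', re.I)


@dataclass(frozen=True)
class Entry:
    code: str   # "O4", "O2", "R3", ...
    body: str   # everything after "O4 - "

    @property
    def run(self):
        """(value name, command line) for O4 Run/RunOnce entries, else None."""
        m = RUN_RE.match(self.body) if self.code == "O4" else None
        return (m.group("name"), m.group("cmd")) if m else None

    @property
    def target(self):
        """Normalised path of the file the entry launches or loads, if one is present."""
        src = self.run[1] if self.run else self.body
        m = PATH_RE.search(src)
        return m.group(1).lower() if m else None

    def key(self):
        """Identity for diffing: launched file for O4, CLSID for COM entries, else the text."""
        if self.code == "O4" and self.target:
            return (self.code, "file", self.target)
        m = CLSID_RE.search(self.body)
        if m:
            return (self.code, "clsid", m.group(0).strip("{}").upper())
        return (self.code, "raw", self.body.lower())


def parse(text):
    """Entry lines of a log, in order; the header and process list are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append(Entry(m.group(1), m.group(2)))
    return out


def reasons(entry):
    """Heuristic notes for one entry; an empty list means nothing stood out."""
    notes = []
    low = entry.body.lower()
    if "(no file)" in low or "(file missing)" in low:
        notes.append("orphaned registration: the file is already gone")
    if entry.target and "\\temp\\" in entry.target:
        notes.append("runs from a temp folder")
    return notes


def flagged(text):
    """Entries of one log that carry at least one note."""
    return [(e, reasons(e)) for e in parse(text) if reasons(e)]


def compare(before, after):
    """Keys present in both logs, plus those O4 keys whose Run value name changed."""
    b = {e.key(): e for e in parse(before)}
    a = {e.key(): e for e in parse(after)}
    survived = sorted(k for k in a if k in b)
    renamed = [k for k in survived
               if a[k].run and b[k].run and a[k].run[0] != b[k].run[0]]
    return survived, renamed


# Constructed samples: a few lines from the 3 July and 4 July logs in this thread.
BEFORE = r"""
Logfile of HijackThis v1.98.0
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [bT4] C:\winnt\temp\bT4.exe
O4 - HKLM\..\Run: [ageltyfcnaq] C:\WINNT\System32\jzvhhmgu.exe
O4 - HKLM\..\Run: [bokja] C:\WINNT\bokja.exe
"""
AFTER = r"""
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [et500j] C:\WINNT\System32\et500j.exe
O4 - HKLM\..\Run: [iphytj] C:\WINNT\System32\jzvhhmgu.exe
"""

if __name__ == "__main__":
    for e, notes in flagged(BEFORE):
        print(f"{e.code}: {e.body}\n    -> {'; '.join(notes)}")
    survived, renamed = compare(BEFORE, AFTER)
    for k in survived:
        tag = " (re-registered under a new Run name)" if k in renamed else ""
        print("still present after cleanup:", k[2] + tag)
```

Entries that survive a cleanup with a changed Run name are the ones worth chasing to their file on disk; orphaned entries only need the HijackThis fix.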


#8 mafrenz

    Member

  • Full Member
  • 11 posts

Posted 04 July 2004 - 01:19 PM

Yeah, I did it but after a reboot they keep coming back... what am I missing??? Please help... the same things come back after reboot... and I can't access the SWI page at all... here are my logs.
I ran the TrendMicro scan and deleted what it suggested, ran PeperFix - it didn't find anything, ran Spybot... it said it could not clean the following: Downloadware (2 entries), Network Essentials (2 entries) and 2020search (3 entries). Ran Adaware: could not clean the following: c:\winnt\system32\2ndsrch.dll and c:\winnt\twainte.dll. Here's the HJT log after all this.

Logfile of HijackThis v1.98.0
Scan saved at 12:58:21 PM, on 7/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\et500j.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINNT\System32\dig.exe
C:\WINNT\System32\RUNDLL32.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\jzvhhmgu.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINNT\VoiceIP.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [kdx] C:\WINNT\kdx\KHost.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINNT\aqadcup.exe
O4 - HKLM\..\Run: [et500j] C:\WINNT\System32\et500j.exe
O4 - HKLM\..\Run: [dig] C:\WINNT\System32\dig.exe
O4 - HKLM\..\Run: [iphytj] C:\WINNT\System32\jzvhhmgu.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab


After a reboot without any cleaning or anything, here is the HJT log.
I don't know if there is any difference but I thought I should just post it in case...

Logfile of HijackThis v1.98.0
Scan saved at 1:01:32 PM, on 7/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\ompobjc.exe
C:\WINNT\System32\FCMP11nL.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINNT\VoiceIP.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [kdx] C:\WINNT\kdx\KHost.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINNT\aqadcup.exe
O4 - HKLM\..\Run: [iphytj] C:\WINNT\System32\jzvhhmgu.exe
O4 - HKLM\..\Run: [ompobjc] C:\WINNT\System32\ompobjc.exe
O4 - HKLM\..\Run: [FCMP11nL] C:\WINNT\System32\FCMP11nL.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#9 Autodad

Posted 05 July 2004 - 11:12 AM

Hi mafrenz,

Click Start, click Control Panel, and then double-click Add or Remove Programs ("Change or Remove Programs")
and remove any of these, if they are there:

'DownloadWare'
'NetworkEssentials'
'MediaLoads Enhanced'

Then close Control Panel.
_______

Go to Task Manager (Ctrl + Alt + Delete) and click on "Processes" then "End Process" for these:

ompobjc.exe
FCMP11nL.exe


Then close Task Manager.
________

Open HJT, click Scan, then put a check next to the following entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)

O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINNT\VoiceIP.dll
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no file)

O4 - HKLM\..\Run: [aqadcup] C:\WINNT\aqadcup.exe
O4 - HKLM\..\Run: [iphytj] C:\WINNT\System32\jzvhhmgu.exe
O4 - HKLM\..\Run: [ompobjc] C:\WINNT\System32\ompobjc.exe
O4 - HKLM\..\Run: [FCMP11nL] C:\WINNT\System32\FCMP11nL.exe


Then, Close all open Windows and Browsers (have only HJT open) and click "Fix Checked".

Then delete these files:

C:\WINNT\aqadcup.exe
C:\WINNT\System32\jzvhhmgu.exe
C:\WINNT\System32\ompobjc.exe
C:\WINNT\System32\FCMP11nL.exe

Then, update both Spybot and AdAware, and please run them again.

Reboot, and please post a new HJT log, and let us know how you made out.

#10 mafrenz

Posted 06 July 2004 - 12:53 AM

Here we go... I could not find the program in Add/Remove Programs, so I didn't remove anything. The processes were not running either (or I didn't see them either???). For the HJT, I couldn't find ompobjc and fcmp11nl for the HKLM. I also could not find the files ompobj.exe and fcmp11nl.exe.
I updated Spybot and AdAware and ran them... same thing: Spybot could not fix the same stuff and said I should run it again after restart. I did that and it still could not fix the same things I mentioned above. Running AdAware, it said it could not fix something because mfc70.dll was missing, and to try to reinstall the program to be able to remove it.
Anyways, I rebooted my computer (in this same reboot when Spybot ran) and here is the HJT log:

Logfile of HijackThis v1.98.0
Scan saved at 12:46:40 AM, on 7/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\igpwdm.exe
C:\WINNT\System32\0371.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\HijackThis\HijackThis.exe
C:\WINNT\System32\wuauclt.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [kdx] C:\WINNT\kdx\KHost.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [igpwdm] C:\WINNT\System32\igpwdm.exe
O4 - HKLM\..\Run: [0371] C:\WINNT\System32\0371.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

I will try not to shut down the computer till the next time I hear from you, but I will disconnect from the internet, so I can pick up from right here. Thanks and have a lovely day. :D

Edited by mafrenz, 06 July 2004 - 12:55 AM.


#11 Autodad

Posted 06 July 2004 - 05:25 AM

Hi mafrenz,

I don't see any signs of those apps running in your log.
Does Spybot tell you where it finds the 3 programs that it can't remove? (if so, please post the paths here)
Try cleaning out your System Restore. (you will lose all your restore points)

Turn off System Restore.
1. On the Desktop, right-click My Computer.
2. Click Properties.
3. Click the System Restore tab.
4. Check Turn off System Restore.
5. Click Apply, and then click OK.
6. Restart the computer.
7. Go back to the System restore tab and uncheck that same box
8. Apply.

What version of Spybot and AdAware are you using?
Do you have anything disabled in msconfig?
See if you can follow these links for Manual Removal of:
Downloadware
and
2020search

Let me know if you need help.

#12 mafrenz

Posted 06 July 2004 - 09:08 AM

I have Spybot S&D 1.3, last updated 2004-06-23. This is what it found when I just ran it again (and their paths; I checked to see if the files are there, and they actually are there). Spybot log:

Network Essentials: User settings (Registry key, fixing failed)
HKEY_USERS\S-1-5-18\Software\Hopper

Network Essentials: User settings (Registry key, fixing failed)
HKEY_USERS\.DEFAULT\Software\Hopper

DownloadWare: User settings (Registry key, fixing failed)
HKEY_USERS\S-1-5-18\Software\Updater

DownloadWare: User settings (Registry key, fixing failed)
HKEY_USERS\.DEFAULT\Software\Updater

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-21-3433162778-4282951562-813958858-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3


--- Spybot - Search && Destroy version: 1.3 ---
2004-06-16 Includes\Cookies.sbi
2004-06-16 Includes\Dialer.sbi
2004-06-17 Includes\Hijackers.sbi
2004-06-16 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-06-16 Includes\Malware.sbi
2004-06-16 Includes\Revision.sbi
2004-06-16 Includes\Security.sbi
2004-06-16 Includes\Spybots.sbi
2004-06-16 Includes\Tracks.uti
2004-06-16 Includes\Trojans.sbi

When I check to fix the problem, it fixes all the DSO Exploits and says to fix the rest after reboot. After reboot, it says it can't fix them because they are running in memory, so reboot and they will be fixed after reboot. I think this might go on forever... I didn't try past three reboots.

I don't know if any of this says what version of AdAware I have, but it's the only info I could find that relates to versions:
Reference file loaded:
Reference Number : 01R328 06.07.2004
Internal build : 260
File location : C:\Program Files\Lavasoft\Ad-aware 6\reflist.ref
Total size : 1289414 Bytes
Signature data size : 1268789 Bytes
Reference data size : 20561 Bytes
Signatures total : 28175
Target categories : 10
Target families : 512

I did the System Restore shut-off and rebooted.
I don't have anything disabled in msconfig... (or at least none that I know of).
I tried manual removal of the programs; the files are not there.

Any more ideas??? I will try to use the computer and see any further outcome. Let me know if there is anything else I need to do.

#13 Autodad

Posted 06 July 2004 - 07:59 PM

Hi mafrenz,

Let's try this. You still have some random files showing in your running processes.
The files keep changing with each log, so you will have to go to Task Manager and 'End Task' on them, then fix them in HJT, then delete the files. Then, without rebooting, run Spybot and AdAware.

The random files in your latest log are under these entries in HJT:
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe <------This is Not the random one
O4 - HKLM\..\Run: [igpwdm] C:\WINNT\System32\igpwdm.exe <-----This Is Random
O4 - HKLM\..\Run: [0371] C:\WINNT\System32\0371.exe <-----This Is Random
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe <----this is Not random

You will then go to Task Manager (Ctrl + Alt + Delete) and click on "Processes" then "End Process" for these:
igpwdm.exe
and
0371.exe
Then close Task Manager.

Next, fix these 2 entries in HijackThis:

O4 - HKLM\..\Run: [igpwdm] C:\WINNT\System32\igpwdm.exe
O4 - HKLM\..\Run: [0371] C:\WINNT\System32\0371.exe


Then find and delete those files.

Now, without rebooting, run Spybot and AdAware, and see if it cleans them up.

*********
So notice the patterns for the random files from your above logs. All the random files are after this entry:
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
And Before this one:
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

(random files to fix in red)

Last Log:
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [igpwdm] C:\WINNT\System32\igpwdm.exe
O4 - HKLM\..\Run: [0371] C:\WINNT\System32\0371.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
________

4th Log:
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINNT\aqadcup.exe
O4 - HKLM\..\Run: [iphytj] C:\WINNT\System32\jzvhhmgu.exe
O4 - HKLM\..\Run: [ompobjc] C:\WINNT\System32\ompobjc.exe
O4 - HKLM\..\Run: [FCMP11nL] C:\WINNT\System32\FCMP11nL.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
_________

3rd Log:
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINNT\aqadcup.exe
O4 - HKLM\..\Run: [et500j] C:\WINNT\System32\et500j.exe
O4 - HKLM\..\Run: [dig] C:\WINNT\System32\dig.exe
O4 - HKLM\..\Run: [iphytj] C:\WINNT\System32\jzvhhmgu.exe

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
__________

2nd Log:
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [dozcf] C:\WINNT\dozcf.exe
O4 - HKLM\..\Run: [bT4] C:\winnt\temp\bT4.exe
O4 - HKLM\..\Run: [ageltyfcnaq] C:\WINNT\System32\jzvhhmgu.exe
O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\EsdHJ.exe <--peper
O4 - HKLM\..\Run: [bokja] C:\WINNT\bokja.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINNT\aqadcup.exe
O4 - HKLM\..\Run: [lackboxb] C:\WINNT\System32\lackboxb.exe
O4 - HKLM\..\Run: [ompc] C:\WINNT\System32\ompc.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINNT\System32\automove.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

Post back with a new log after you try this.

Edited by Autodad, 06 July 2004 - 09:18 PM.


#14 mafrenz

Posted 08 July 2004 - 04:36 PM

I am giving up on IE, will try Mozilla. Just wondering, will this interfere with my spyware removals?? And if I don't open it at all, no more will come, right? Anyways, I will still try to clean this computer.
The logs today are not following the trend you mentioned, Autodad... so I couldn't notice the recurring programs, and when I ran HJT the above programs were not available in the log nor in the running processes. I however ran Spybot and AdAware, getting the same messages that some can't be cleaned until I reboot. I am posting my HJT log here before I reboot and will post another one once I reboot.

Logfile of HijackThis v1.98.0
Scan saved at 4:31:37 PM, on 7/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\wjview.exe
C:\WINNT\System32\wcc000cb.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\igtabs.exe
C:\WINNT\System32\jzvhhmgu.exe
C:\WINNT\System32\tlanui2n.exe
C:\PROGRA~1\mozilla.org\Mozilla\Mozilla.exe
C:\WINNT\System32\taskmgr.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [kdx] C:\WINNT\kdx\KHost.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [wcc000cb] C:\WINNT\System32\wcc000cb.exe
O4 - HKLM\..\Run: [igtabs] C:\WINNT\System32\igtabs.exe
O4 - HKLM\..\Run: [nzaitiwjyv] C:\WINNT\System32\jzvhhmgu.exe
O4 - HKLM\..\Run: [tlanui2n] C:\WINNT\System32\tlanui2n.exe
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" "+b1"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [rtcres] C:\WINNT\System32\rtcres.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#15 mafrenz

Posted 08 July 2004 - 05:00 PM

and this is after reboot.

Logfile of HijackThis v1.98.0
Scan saved at 4:59:19 PM, on 7/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\jzvhhmgu.exe
C:\WINNT\System32\skillt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\mozilla.org\Mozilla\Mozilla.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [kdx] C:\WINNT\kdx\KHost.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [nzaitiwjyv] C:\WINNT\System32\jzvhhmgu.exe
O4 - HKLM\..\Run: [skillt] C:\WINNT\System32\skillt.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [rtcres] C:\WINNT\System32\rtcres.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#16 Autodad

Posted 08 July 2004 - 06:50 PM

Hi mafrenz, I understand your frustration. As you can see, the random files change on reboot.
We need to kill the random ones first, before fixing them in HJT. See if this way helps you spot the random ones.

Looking at all your logs, these are valid running processes,


Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINNT\System32\taskmgr.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\mozilla.org\Mozilla\Mozilla.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\HijackThis\HijackThis.exe

In your last log (posted Jul 8 2004, 05:00 PM) these would be the random ones:

O4 - HKLM\..\Run: [nzaitiwjyv] C:\WINNT\System32\jzvhhmgu.exe
O4 - HKLM\..\Run: [skillt] C:\WINNT\System32\skillt.exe
O4 - HKCU\..\Run: [rtcres] C:\WINNT\System32\rtcres.exe

In your other log posted today (Jul 8 2004, 04:36 PM ) these are the random ones:

O4 - HKLM\..\Run: [wcc000cb] C:\WINNT\System32\wcc000cb.exe
O4 - HKLM\..\Run: [igtabs] C:\WINNT\System32\igtabs.exe
O4 - HKLM\..\Run: [nzaitiwjyv] C:\WINNT\System32\jzvhhmgu.exe
O4 - HKLM\..\Run: [tlanui2n] C:\WINNT\System32\tlanui2n.exe
O4 - HKCU\..\Run: [rtcres] C:\WINNT\System32\rtcres.exe

Notice they are all in your System32 folder. Hope that helps you identify them better.
If it does, then follow the above by ending them in Task Manager, fixing them in HJT, then deleting them,
all without rebooting.
If you didn't reboot yet, follow the ones from your latest log.
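
An added example (editor's code, not from this thread or from HijackThis) that automates the cross-log comparison Autodad does by eye in #13 and in the post above: an O4 Run entry that sits in every log under one constant name is treated as the machine's normal startup set, while a file that appears or vanishes between reboots, or is re-registered under a different value name, is flagged. The four sample logs are constructed from the O4 excerpts quoted in #13, with the stable entries trimmed to a few. Two caveats: a legitimately new autostart (the RunOnce lines Ad-aware and Spybot left, or the Mozilla Quick Launch entry that appeared when Mozilla was installed) is also reported as transient, so the output is a shortlist to review rather than a verdict; and a malicious entry that stays put under one name in every log is not flagged at all.

```python
"""Cross-log triage of HijackThis O4 (Run key) entries.

Added example, not code from the thread or from HijackThis.  It applies the
thread's rule: autostarts identical in every log are normal; entries that
come and go across reboots, or that re-register one file under several value
names, are the self-reinstalling adware to end, fix in HJT and delete.
"""
import re
from collections import defaultdict

# Matches e.g.  O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$'
)
# First .exe token of the command line, quoted or not; trailing arguments are dropped.
EXE_RE = re.compile(r'"?(?P<path>[^"]+?\.exe)', re.IGNORECASE)

# Sample logs constructed from the O4 excerpts quoted in #13 ("2nd" .. "Last" log).
COMMON = r"""O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [kdx] C:\WINNT\kdx\KHost.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
"""
TAIL = r"""O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
"""
LOGS = {
    "2nd": COMMON + r"""O4 - HKLM\..\Run: [dozcf] C:\WINNT\dozcf.exe
O4 - HKLM\..\Run: [bT4] C:\winnt\temp\bT4.exe
O4 - HKLM\..\Run: [ageltyfcnaq] C:\WINNT\System32\jzvhhmgu.exe
O4 - HKLM\..\Run: [aqadcup] C:\WINNT\aqadcup.exe
""" + TAIL,
    "3rd": COMMON + r"""O4 - HKLM\..\Run: [aqadcup] C:\WINNT\aqadcup.exe
O4 - HKLM\..\Run: [et500j] C:\WINNT\System32\et500j.exe
O4 - HKLM\..\Run: [iphytj] C:\WINNT\System32\jzvhhmgu.exe
""" + TAIL,
    "4th": COMMON + r"""O4 - HKLM\..\Run: [aqadcup] C:\WINNT\aqadcup.exe
O4 - HKLM\..\Run: [iphytj] C:\WINNT\System32\jzvhhmgu.exe
O4 - HKLM\..\Run: [ompobjc] C:\WINNT\System32\ompobjc.exe
O4 - HKLM\..\Run: [FCMP11nL] C:\WINNT\System32\FCMP11nL.exe
""" + TAIL,
    "last": COMMON + r"""O4 - HKLM\..\Run: [igpwdm] C:\WINNT\System32\igpwdm.exe
O4 - HKLM\..\Run: [0371] C:\WINNT\System32\0371.exe
""" + TAIL,
}


def image_path(cmd):
    """Lower-cased path of the executable launched by an O4 command line."""
    m = EXE_RE.match(cmd)
    return (m.group("path") if m else cmd).lower()


def parse_o4(log_text):
    """Yield (value name, image path, original line) for every O4 Run entry."""
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            yield m.group("name"), image_path(m.group("cmd")), line.strip()


def triage(logs):
    """Return {image path: [reasons]} for entries that are not stable across logs.

    'transient' - not registered in every log (appeared or vanished across reboots)
    'renamed'   - the same file registered under more than one value name
    Paths present in every log under a single name are omitted.
    """
    names_by_path, logs_by_path = defaultdict(set), defaultdict(set)
    for log_id, text in logs.items():
        for name, path, _ in parse_o4(text):
            names_by_path[path].add(name)
            logs_by_path[path].add(log_id)
    findings = {}
    for path in names_by_path:
        reasons = []
        if len(logs_by_path[path]) < len(logs):
            reasons.append("transient")
        if len(names_by_path[path]) > 1:
            reasons.append("renamed")
        if reasons:
            findings[path] = reasons
    return findings


def plan_for_log(log_text, findings):
    """The thread's manual steps for one (the newest) log, in log order:
    image names to end in Task Manager, then O4 lines to tick in HJT.
    The flagged paths themselves are the files to delete before rebooting."""
    kill, fix = [], []
    for _, path, line in parse_o4(log_text):
        if path in findings:
            kill.append(path.rsplit("\\", 1)[-1])
            fix.append(line)
    return kill, fix


if __name__ == "__main__":
    found = triage(LOGS)
    for path, why in sorted(found.items()):
        print(f"{path:45} {', '.join(why)}")
    kill, fix = plan_for_log(LOGS["last"], found)
    print("End in Task Manager:", kill)
    print("Fix in HJT:", *fix, sep="\n  ")
```

Run against the four sample logs it flags the nine System32/WINNT files from the excerpts and reports jzvhhmgu.exe as both transient and renamed (three different value names), while the entries common to every log, KHost.exe included, are left out. For the newest log it hands back the kill list and the HJT lines in the order the thread prescribes: end the process, fix the entry, delete the file, then run the scanners, all before rebooting.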

#17 mafrenz

Posted 13 July 2004 - 06:37 PM

Hi Autodad, I am currently not within reach of that computer, so I cant do anything, but as soon as I get there, I will surely try and let you know. Sorry for any inconvenience.



