
Crying in CO



#1 dconway4


Posted 02 July 2004 - 11:06 PM

My IE browser is still being hijacked. Most of the unwanted shortcuts and web addresses were removed when I ran Spybot S&D. However, I cannot load msn.com, yahoo.com, or google.com. Also Spybot S&D still notes 5 DSO Exploit problems and 6 VX2/f problems every time I run it, even though I click "Fix Problem".

I have:

1) read and printed out the FAQ
2) run Spybot S&D
3) run Hijackthis

I received these logs:

Logfile of HijackThis v1.97.7
Scan saved at 9:59:13 PM, on 7/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\System32\cpoepnkf.exe
C:\WINDOWS\system32\explorer.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Owner\Application Data\eber.exe
C:\WINDOWS\System32\savi.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Daniel's IS\DivX Stuff\WinZip\WZQKPICK.EXE
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\My Documents\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphiap...501088797639133 (obfuscated)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1AA21971-BC38-5B9D-D753-63550DAC7A4B} - C:\WINDOWS\System32\esrzj.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe
O4 - HKLM\..\Run: [qbrnqhuaxnqf] C:\WINDOWS\System32\cpoepnkf.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\eber.exe
O4 - HKCU\..\Run: [Ntty] C:\WINDOWS\System32\savi.exe
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Daniel's IS\DivX Stuff\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'spsublsp.dll' missing
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.searchbarcash.com
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.a...ad/tgctlins.cab
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...006_regular.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.ma...ector/swdir.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab


StartupList report, 7/2/2004, 10:03:18 PM
StartupList version: 1.52
Started from : C:\Documents and Settings\Owner\My Documents\HiJackThis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\System32\cpoepnkf.exe
C:\WINDOWS\system32\explorer.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Owner\Application Data\eber.exe
C:\WINDOWS\System32\savi.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Daniel's IS\DivX Stuff\WinZip\WZQKPICK.EXE
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\My Documents\HiJackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
PowerReg Scheduler.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
WinZip Quick Pick.lnk = C:\Daniel's IS\DivX Stuff\WinZip\WZQKPICK.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

hpsysdrv = c:\windows\system\hpsysdrv.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
KBD = C:\HP\KBD\KBD.EXE
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
ccApp = "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
AlcxMonitor = ALCXMNTR.EXE
PS2 = C:\WINDOWS\system32\ps2.exe
S3TRAY2 = S3tray2.exe
Drag'n'Drop_Autolaunch = "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
Lexmark X5100 Series = "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
UpdateManager = "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
kdx = C:\WINDOWS\kdx\KHost.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
WildTangent CDA = RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
Explorer = C:\WINDOWS\system32\explorer.exe
qbrnqhuaxnqf = C:\WINDOWS\System32\cpoepnkf.exe
WebRebates0 = "C:\Program Files\Web_Rebates\WebRebates0.exe"
WT GameChannel = C:\Program Files\WildTangent\Apps\GameChannel.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
Notn = C:\Documents and Settings\Owner\Application Data\eber.exe
Ntty = C:\WINDOWS\System32\savi.exe
System Soap Pro = C:\PROGRA~1\SYSTEM~1\soap.exe min
msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\mxTarget.dll - {0000607D-D204-42C7-8E46-216055BF9918}
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINDOWS\System32\esrzj.dll - {1AA21971-BC38-5B9D-D753-63550DAC7A4B}
(no name) - C:\Program Files\Microsoft Money\System\mnyside.dll - {243B17DE-77C7-46BF-B94B-0B5F309A0E64}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - c:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - (no file) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[{01111F00-3E00-11D2-8470-0060089874ED}]
CODEBASE = http://supportsoft.a...wnload/tgctlins.cab

[Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ISTactivex.dll
CODEBASE = http://www.xxxtoolba...0006_regular.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://fpdownload.ma...e/cabs/director/swdir.cab

[MediaTicketsInstaller Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONFLICT.1\MEDIAT~1.OCX
CODEBASE = http://www.mt-downlo...tsInstaller.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...cabs/flash/swflash.cab

[Secure Delivery]
CODEBASE = http://www.gamespot.com/KDX/kdx.cab

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: SpSubLSP.dll (file MISSING)
Protocol #2: SpSubLSP.dll (file MISSING)
Protocol #3: SpSubLSP.dll (file MISSING)
Protocol #4: SpSubLSP.dll (file MISSING)
Protocol #5: SpSubLSP.dll (file MISSING)
Protocol #21: SpSubLSP.dll (file MISSING)

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
System: C:\WINDOWS\system32\system32.dll

--------------------------------------------------
End of report, 8,461 bytes
Report generated in 0.031 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only



Not wanting to make my computer any worse than it is, I don't know what to delete next. Any help would be greatly appreciated!!

Thank you for your time and attention.

#2 nasdaq


Posted 17 July 2004 - 03:30 PM

Hi, dconway4

Print a copy of this topic to make it easier for you to follow the instructions and complete all of the necessary steps.
*
First, check for viruses at an online service.

Norton/Symantec AntiVirus
On Line check of your computer.
http://security.syma...cv6/default.asp

And/Or

McAfee, Network Security & Management
McAfee, OnLine free Scan
http://us.mcafee.com...lt.asp?cid=9914
*
Second, scan for "Trojan Horses", also often called Backdoors, that open your PC from the inside for attackers.
Free utilities are available at:

TrojanHunter
http://www.computerc.../reviews-8.html

a2 Scanner
http://www.emsisoft..../software/free/
*

Remove the other AdAware.

Download Spybot from: http://www.safer-net...p?page=download

1. Install Spybot S&D Version 1.3, accepting the Default Settings

Note: When doing the installation do not "tick" TeaTimer yet. We'll turn that on after we're done. You'll see what I mean during the installation process. It's a small resident program that is part of Spybot and works as a prevention for registry changes and some other things. But if it's running while we're doing fixes it'll pop up warnings about what we want to do during any manual fixes.

2. Go to Start > Programs > Spybot - Search & Destroy and choose 'Spybot S&D - easy mode'
3. Close ALL windows except Spybot S&D
4. Click the button to 'Search for Updates' and download and install the Updates.
5. Next click the button 'Check for Problems'
6. When Spybot is complete, it will be showing 'RED' entries, 'BLACK' entries and 'GREEN' entries in the window
7. Put a check mark beside the RED entries ONLY.
8. Choose 'Fix Selected Problems' and allow Spybot to fix the RED entries.
9. REBOOT
*
Let's do some clean up with HijackThis.

1 - Close all open Explorer windows and browsers
2 - Run HijackThis
3 - Click on the Scan button and when complete
4 - Put a check beside all of the items listed below if they are still present
5 - Click on the "Fix Checked" button
6 - When complete and all files removed, close the application

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: (no name) - {1AA21971-BC38-5B9D-D753-63550DAC7A4B} - C:\WINDOWS\System32\esrzj.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [qbrnqhuaxnqf] C:\WINDOWS\System32\cpoepnkf.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\eber.exe
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRA~1\SYSTEM~1\soap.exe min

One O4 item of concern to me:
O4 - HKCU\..\Run: [Ntty] C:\WINDOWS\System32\savi.exe
If you know what SAVI.EXE is, leave it alone. If not, then look at its properties and if you cannot identify it with known programs, let HJT fix it.

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.searchbarcash.com

O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...006_regular.cab

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab

There are other OPTIONAL ITEMS that you should know about.
You decide if you want to keep them.

You have PowerReg Scheduler in your log. This is a registration reminder that is used by a number of different companies. It is not needed and some people think that it reports back to the company about your computer, so I suggest fixing it...
O4 - Startup: PowerReg Scheduler.exe
*
Kontiki: I suggest you fix this one also.
C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
Go to http://www.safer-net...hreats/240.html for additional information.
*
WildTangent to be removed at your discretion.
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
Go to http://pestpatrol.co...wildtangent.asp for more information.
*
Close HijackThis.

Need to remove TwainTech if HijackThis did not take care of it.

Reboot, on restart, restart in "Safe Mode".

How To
1 - Restart your computer and start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when you see the Boot Menu.
2 - When the Windows Advanced Options menu appears, select an option, and then press ENTER.
3 - When the Boot menu appears again, and the words "Safe Mode" appear in blue at the bottom, select the installation that you want to start, and then press ENTER.

a - Go to "Add/Remove Programs" => Uninstall "Twain-Tech".
b - Search for these files and if found delete, twaintech.dll and twaintec.ini
*
While still in Safe Mode.
Remove all folders and files in BOLD if still present.

C:\WINDOWS\System32\cpoepnkf.exe <-- File
C:\WINDOWS\System32\esrzj.dll <-- File
C:\Program Files\Web_Rebates\WebRebates0.exe <-- Folder and all files in Web_Rebates folder.
C:\Documents and Settings\Owner\Application Data\eber.exe <-- File
C:\WINDOWS\mxTarget.dll <-- File
C:\PROGRA~1\SYSTEM~1\soap.exe <-- File
C:\WINDOWS\system32\explorer.exe <-- File and make sure it's in folder "System32" and NOT in the "Windows" folder.

C:\WINDOWS\System32\savi.exe <-- Delete if you had verified and deleted the O4 above.
*
Here are some suggestions to reduce the potential for spyware infection in the future. I strongly recommend installing the following:
  • SpywareBlaster - It will prevent most spyware from ever being installed.
  • SpywareGuard - It offers realtime protection from spyware installation attempts.
  • IE-Spyad - IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
I also recommend reading this article.
How did I get infected in the first place?
http://forums.net-in...?showtopic=3051

Reboot into normal mode and post a fresh log.
nasdaq


========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760
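The triage in the reply above (a BHO whose file is gone, an explorer.exe autostart from System32, the missing LSP provider, unexpected Trusted Zone sites) can be written as a small parser over HijackThis entry lines. This is an added example, not part of the original thread and not HijackThis's own logic; the function names, the `EXPECTED_DIR` table and the C:\WINDOWS install path are assumptions, and the sample lines are copied from the log in post #1.

```python
import ntpath
import re

# Constructed sample: seven entry lines copied from the HijackThis log in post #1.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\explorer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O10 - Broken Internet access because of LSP provider 'spsublsp.dll' missing
O15 - Trusted Zone: *.searchbarcash.com
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+)\s+-\s+(.*)$")          # "O4 - <body>"
RUN_RE = re.compile(r"^\S+\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s+(?P<cmd>.+)$")
IMAGE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll))', re.IGNORECASE)

# Assumption: Windows lives in C:\WINDOWS, as every path in the posted log shows.
# The genuine shell binary sits there, not in system32.
EXPECTED_DIR = {"explorer.exe": r"c:\windows"}


def parse(log_text):
    """Yield (section, body) for each HijackThis entry line; skip everything else."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def image_path(cmd):
    """Return the executable part of a Run command, quoted or unquoted."""
    m = IMAGE_RE.match(cmd.strip())
    return (m.group(1) or m.group(2)) if m else None


def triage(log_text):
    """Return (section, reason, body) tuples for entries that deserve a closer look."""
    findings = []
    for section, body in parse(log_text):
        if section == "O2" and body.endswith("(no file)"):
            findings.append((section, "BHO registered but its file is gone", body))
        elif section == "O4":
            run = RUN_RE.match(body)
            path = image_path(run.group("cmd")) if run else None
            if path:
                folder, name = ntpath.split(path.lower())
                want = EXPECTED_DIR.get(name)
                # A system binary name autostarting from the wrong folder.
                if folder and want and folder != want:
                    reason = f"{name} autostarts from {folder}, expected {want}"
                    findings.append((section, reason, body))
        elif section == "O10" and "missing" in body.lower():
            findings.append((section, "Winsock LSP chain references a missing DLL", body))
        elif section == "O15":
            findings.append((section, "site added to the IE Trusted Zone", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {body}")
```

Findings are prompts for manual review, the same way the reply asks the poster to verify savi.exe before fixing it.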
