re-occurring problem



#1 Lewstherin


Posted 06 July 2004 - 12:24 PM

Hello all, my favorites have been hijacked by 2 websites, most likely porn, and every time I restart my computer they come back.

Also, I change my homepage and it keeps getting changed back to this other one every time I restart.

I know that http://doc.directweb....net/search.php is the problem, but it keeps on coming back when I start up again. That is the site that keeps on hijacking my homepage.
Here is my HijackThis log of what it looks like when I start up.

Any help would be greatly appreciated.

Thanks for anything.

Logfile of HijackThis v1.97.7
Scan saved at 10:08:30 AM, on 7/6/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://doc.directweb....net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://doc.directweb....net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://doc.directweb....net/search.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://doc.directweb...h.net/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://doc.directweb....net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://doc.directweb....net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://doc.directweb....net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://doc.directweb....net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://doc.directweb...h.net/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://doc.directweb....net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://doc.directweb....net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://doc.directweb....net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://doc.directweb....net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://doc.directweb....net/search.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://doc.directweb....net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://doc.directweb....net/search.php
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_19_0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_19_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} (LiveX(v6.0)) - http://www.ci.woodin...us/cab/Live.cab
O16 - DPF: {6BF52A52-394A-11D3-B153-00C04F79FAA6} (Windows Media Player) - http://activex.micro...en/nsmp2inf.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {11010101-1001-1111-1000-110112345678} -

#2 guacamel


Posted 06 July 2004 - 12:39 PM

Okay, I'm taking a look at your log now and hopefully I should have a reply up shortly.

#3 Lewstherin


Posted 06 July 2004 - 12:42 PM

Thank you very much, guacamel.

#4 guacamel


Posted 06 July 2004 - 12:46 PM

It appears you need to download CWShredder, because you have a CWS infection.

Before you do that, download both Ad-Aware and Spybot S&D.

Here are the links to download both:
adaware download
spybotSD

Don't use them yet though.

Before you use those, we need to get rid of the CWS infection with CWShredder.

Here is the link to download it:
CWS shredder

Here is a link on how to use it, follow the instructions exactly please:
How to use CWS Shredder

After you run CWS shredder, you'll need to run HJT and have it fix the following:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://doc.directweb....net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://doc.directweb....net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://doc.directweb....net/search.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://doc.directweb...h.net/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://doc.directweb....net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://doc.directweb....net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://doc.directweb....net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://doc.directweb....net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://doc.directweb...h.net/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://doc.directweb....net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://doc.directweb....net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://doc.directweb....net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://doc.directweb....net/search.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://doc.directweb....net/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://doc.directweb....net/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://doc.directweb....net/search.php


After it has fixed everything, please reboot and run Ad-Aware and Spybot following the instructions above. MAKE SURE YOU UPDATE BOTH; that's crucial.

Once you are done running Ad-Aware and Spybot, please reboot and post an updated HJT log.

Edit: forgot to have HJT fix the R1s and R0s.

Edited by guacamel, 06 July 2004 - 12:50 PM.


#5 Lewstherin


Posted 06 July 2004 - 01:49 PM

Sorry, but it just keeps coming back when I restart.

I need a way to stop it from starting up when I restart my computer.

#6 guacamel


Posted 06 July 2004 - 01:51 PM

Is CWShredder finding anything?

#7 Lewstherin


Posted 06 July 2004 - 01:56 PM

CWShredder finds all of the http://doc.directwebsearch.net/ things and removes them, but then once I restart they are right back. And I use CWShredder again and it does the same thing over and over.

So it's something to do with startup. I think I just need to know where to look to see what programs start when I restart my computer.

#8 guacamel


Posted 06 July 2004 - 02:00 PM

Hmm, I think I've found the culprit.

winupd.exe is bad.

Let me write up a fix for it real quick, until then, hold tight.

#9 guacamel


Posted 06 July 2004 - 02:06 PM

winupd.exe is this: http://www.trendmicr...Name=PE_BAGLE.N

To automatically remove this malware from your system, please use the Trend Micro System Cleaner.
Then see: "If you are not a Trend Micro customer" (section)
http://www.trendmicr...ownload/dcs.asp



The following set of instructions is provided by winhelp2002:

First thing to do is ...

Reconfigure Windows Explorer to show Hidden Files:
Open the Windows Explorer Folder Options - View [tab]:

Scroll down to the "Files and Folders" section.
Select: "Display the contents of system folders".

Scroll down to the "Hidden Files and Folders" section.
Select: "Show hidden files and folders", Ok the prompt
Uncheck: "Hide file extensions for known file types"
Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

Click the "Apply to all Folders" button. Close Windows Explorer.

Next:

Close all open windows except for HijackThis, and place a check in each of the following:
Then click "Fix checked".

O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe

Then reboot; on restart, restart in Safe Mode.

Start | Run (type) "%temp%" (no quotes)
Completely delete the entire contents of that "temp" folder.

Open Windows Explorer locate and delete the following:

C:\WINDOWS\System32\winupd.exe <--this file
Note: delete any other files mentioned in the above "PE_BAGLE.N" article.

Restart normally and then ...

Reconfigure Ad-Aware for Full Scan:
Please update the reference file following the instructions here:
http://www.lavahelp....dref/index.html

Launch the program, and click on the Gear at the top of the start screen.

Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard drives.

Under Memory & Registry, select all options.
Click the "Advanced" button. Under "Log-file detail", select all options.

Click the "Tweaks" button. Under "Scanning Engine", select the following:
1) "Include additional Ad-aware settings in logfile"
2) "Unload recognized processes during scanning."

Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on Proceed to save these Preferences.
Note: make sure that you activate IN-DEPTH scanning before you proceed.

After the above, reboot, rescan with HijackThis and post a fresh log ...
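The diagnosis that emerges in posts #7 to #9 (CWShredder clears the R0/R1 values, and a program launched from a Run key writes them back on every boot, so the autostart has to go before the start page will stay fixed) is the kind of reasoning a small log-triage script can do mechanically. The block below is an added example, not code from HijackThis, from SpywareInfo or from anyone in this thread. It parses the R0/R1, O4 and O16 line formats of a HijackThis 1.9x log, groups the Internet Explorer redirect URLs by host and by whether they sit in HKCU, HKLM or both, flags Run entries that point at an unrecognised executable in the Windows system directory or at no executable at all, and flags O16 ActiveX controls that have no source URL. The sample lines are constructed from the log posted above: the full hijack hostname is the one the poster spells out in post #7, the Flash .cab URL is a stand-in because the page shows the real one truncated, and KNOWN_SYSTEM_EXES is an assumed per-machine allowlist, not a HijackThis feature.

```python
"""Triage a HijackThis 1.9x log offline: parse the R0/R1, O4 and O16 lines
and flag the three things this thread turned on.  Added example, not code
from HijackThis, SpywareInfo or the posters."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample modelled on the log posted in this thread.  The hijack
# host is the one the poster spells out in post #7; the Flash URL is a
# stand-in because the page only shows the real one truncated.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://doc.directwebsearch.net/search.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://doc.directwebsearch.net/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://doc.directwebsearch.net/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\SYSTEM\winupd.exe
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://example.invalid/swflash.cab
O16 - DPF: {11010101-1001-1111-1000-110112345678} -
"""

R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
O16_LINE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? -\s*(?P<url>\S*)$")

# Autostarts that legitimately live in (or resolve via PATH to) the Windows
# system directory on this box.  Assumption: maintained by hand per machine.
KNOWN_SYSTEM_EXES = {"systray.exe", "rundll32.exe", "mstask.exe", "devldr16.exe", "qttask.exe"}


def parse_hjt(text):
    """Turn the three line types we care about into dicts; skip the rest."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := R_LINE.match(line):
            entries.append({"type": "R", "key": m["key"], "value": m["value"].strip(),
                            "data": m["data"].strip()})
        elif m := O4_LINE.match(line):
            entries.append({"type": "O4", "where": m["where"], "name": m["name"], "cmd": m["cmd"]})
        elif m := O16_LINE.match(line):
            entries.append({"type": "O16", "clsid": m["clsid"], "desc": m["desc"] or "",
                            "url": m["url"]})
    return entries


def exe_of(cmd):
    """Executable path of an O4 command line: the quoted token, or the first
    token that ends in .exe/.com/.scr (unquoted paths may contain spaces)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 1 else ""
    m = re.match(r"^(.*?\.(?:exe|com|scr))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ")[0]


def in_system_dir(path):
    """Bare filenames resolve via PATH, which on Win9x/ME includes SYSTEM."""
    p = path.lower()
    return "\\" not in p or "\\windows\\system\\" in p or "\\windows\\system32\\" in p


def triage(entries):
    """Return (kind, detail) findings in log order."""
    findings = []
    # 1. R0/R1: every IE start/search URL, grouped by host.  The same host in
    #    both HKCU and HKLM means the hijack is machine-wide, not per user.
    hosts = defaultdict(set)
    for e in entries:
        if e["type"] == "R" and e["data"].lower().startswith("http"):
            hosts[urlparse(e["data"]).hostname].add(e["key"].split("\\")[0])
    for host, hives in hosts.items():
        scope = "HKCU+HKLM (machine-wide)" if {"HKCU", "HKLM"} <= hives else "/".join(sorted(hives))
        findings.append(("ie_redirect", f"{host} [{scope}]"))
    # 2. O4: a Run entry is what re-applies the R0/R1 values on every boot, so
    #    an unrecognised .exe in the system directory is the root cause, and a
    #    command with no executable at all is a damaged entry worth removing.
    for e in entries:
        if e["type"] != "O4":
            continue
        path = exe_of(e["cmd"])
        name = path.rsplit("\\", 1)[-1].lower()
        if not name.endswith((".exe", ".com", ".scr")):
            findings.append(("o4_malformed", f"[{e['name']}] {e['cmd']!r}"))
        elif in_system_dir(path) and name not in KNOWN_SYSTEM_EXES:
            findings.append(("o4_unknown_system_exe", f"[{e['name']}] {path}"))
    # 3. O16: an ActiveX control with no source URL cannot be re-downloaded,
    #    so nothing is lost by removing it.
    for e in entries:
        if e["type"] == "O16" and not e["url"]:
            findings.append(("o16_no_source", e["clsid"]))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{kind:24} {detail}")
```

Run it as a plain script over the sample, or point parse_hjt() at the text of a saved log. On the sample the only system-directory autostart it cannot account for is the [winupd] Run entry, at the path the poster's log shows (C:\WINDOWS\SYSTEM on Windows ME), which is the entry guacamel had fixed first; the ie_redirect finding on its own would keep coming back after every reboot, which is the order of operations the thread arrives at. The ProxyOverride = 127.0.0.1 line is deliberately not flagged, since it is not a URL and a local mail proxy such as Norton's POPROXY.EXE sets it.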



#10 Lewstherin


Posted 06 July 2004 - 03:24 PM

Wow, thanks a bunch. That got it to work. I'm just gonna restart my comp a few times to make sure it's working properly.

Here is my updated log once my comp is fully started up.

Logfile of HijackThis v1.97.7
Scan saved at 1:20:01 PM, on 7/6/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_19_0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_19_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} (LiveX(v6.0)) - http://www.ci.woodin...us/cab/Live.cab
O16 - DPF: {6BF52A52-394A-11D3-B153-00C04F79FAA6} (Windows Media Player) - http://activex.micro...en/nsmp2inf.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {11010101-1001-1111-1000-110112345678} -

#11 guacamel


Posted 06 July 2004 - 03:31 PM

I would also recommend an online virus scan here:

http://www.pandasoft...n_principal.htm

Also, please run HJT again (with no other windows open) and remove the following entries:

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [EarthLink Installer] " /C
O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {11010101-1001-1111-1000-110112345678} -


I couldn't find much information on those O16s, but I would fix them anyway, because if they are important, they will be re-downloaded the next time you visit that site.

Also, here is an optional fix I would suggest doing:

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe


After you fix those items in HJT, please hit ctrl-alt-delete and end the process for ViewMgr.exe and Updreg.exe (if you decided to fix it).

After you end those two tasks, please delete the following files:
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Updreg.exe (again, depends on if you choose to fix it)

After you are done, you should hopefully be clean. It would be nice if you could post an updated log after that.

Thanks,
Guac

Edited by guacamel, 06 July 2004 - 05:40 PM.




