barkman1

Hijacked - CWS? Other?

13 posts in this topic

Had a hijack. Managed to get my home page reset, but system slow and strange popups happening. Ran CWShredder(found 1 thing), latest versions of Adaware and Spybot several times, but don't think I got everything.

 

Looking at HJT log and tried to go through the fix it yourself topics. There are several things that look suspicious, but I'm not sure I know enough to get all the right things without screwing something up.

 

Thanks for your help

 

 

 

Logfile of HijackThis v1.97.7

Scan saved at 12:03:13 AM, on 7/8/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\JHU-APL VPN Client\cvpnd.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\WINDOWS\etlisrv.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\System32\etdsvc.exe

C:\Program Files\Timbuktu Pro\tb2launch.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

C:\WINDOWS\System32\hphmon05.exe

C:\Program Files\Tech\MagicBall\1.2\LWBWHEEL.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Timbuktu Pro\minitb2.exe

C:\Program Files\DIGStream\digstream.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\OqjY1.exe

C:\WINDOWS\System32\Ugrx.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\HijackThis\HijackThis.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8l.hpwis.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://qus8l.hpwis.com/

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Tech\MagicBall\1.2\LWBWHEEL.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\minitb2.exe"

O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [y] C:\windows\temp\y.exe

O4 - HKLM\..\Run: [bakra] C:\WINDOWS\System32\IEHost.exe

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe

O4 - HKLM\..\Run: [tqEQ38V] wtsne.exe

O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\Reyd5kLs.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Entrust/Direct Recovery] "C:\Program Files\Entrust\Direct Intranet\etdirrcv.exe"

O4 - HKCU\..\Run: [c9x4RUZ4Q] blainhin.exe

O4 - Startup: PowerReg Scheduler V3.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP\Office10\OSA.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI01DA~1\Office10\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O9 - Extra button: Research (HKLM)

O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.com/webdrivers/webi...ave/Install.cab

O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17029ee717b148...ip/RdxIE601.cab

O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...nds/install.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/popc...aploader_v5.cab


I have Symantec AV corporate installed on that machine. It said it quarantined two items during the initial hijacking.


Ran fresh complete scan with Symantec Anti Virus corporate using latest available virus defs (dated 7/7) - scan came up clean.

 

However, several ads popped up in the background during the scan, despite no other browser windows being open at the time, so I'm definitely not rid of this thing.


Do you play online games? There's a couple of items I may have you remove, but they go with online games.

 

-- LB


Occasionally, but not often. If they're trouble, I'm willing to get rid of them. If there's any way to know which things are problematic I'd like to know (so I don't do them again), but feel free to cut away.


Go back into HijackThis and, with all browser windows closed, remove the following:

 

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [y] C:\windows\temp\y.exe

O4 - HKLM\..\Run: [bakra] C:\WINDOWS\System32\IEHost.exe

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe

O4 - HKLM\..\Run: [tqEQ38V] wtsne.exe

O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\Reyd5kLs.exe

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKCU\..\Run: [c9x4RUZ4Q] blainhin.exe

O4 - Startup: PowerReg Scheduler V3.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/17029ee717b148...ip/RdxIE601.cab

 

WildTangent is considered foistware, so these should be removed as well:

 

O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.com/webdrivers/webi...ave/Install.cab

O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...nds/install.cab

 

Those were the items I had mentioned earlier.

 

You have the Peper trojan. Download the uninstaller. When running it, be sure to let it have internet access through any software firewalls you may have.

 

Download Peper Uninstaller from here and save it - http://members.shaw.ca/techcd/VB_Projects/PeperFix.exe

Double click on PeperFix.exe, let it run and terminate. (You must be online for the uninstall to be successful).

 

Run it again for good measure.

 

Next, change settings to show hidden files.

 

After that, reboot into safe mode. Restart the computer and hit F8 repeatedly until you hit a menu. Choose Safe mode.

 

Once in safe mode, delete the following files:

 

C:\windows\temp\y.exe

C:\WINDOWS\System32\IEHost.exe

C:\WINDOWS\System32\dp-him.exe

C:\WINDOWS\System32\Reyd5kLs.exe

 

And this folder:

 

C:\Program Files\AutoUpdate

 

Delete these files as well. You'll have to use search to find them.

 

blainhin.exe

wtsne.exe

 

Finally, reboot and post a new log.

 

-- LB


Ok, here's the latest.

 

I fixed the entries listed and ran peperfix. Note I had to get this from http://downloads.subratam.org/PeperFix.exe (got the link by searching other posts) as the link you provided said the file did not exist.

 

Reran peperfix after the system rebooted and it came up with no files found the second time.

 

Set settings to show hidden files as directed, then went into safe mode to delete the files and had questions/issues:

 

c:\windows\temp\Y.exe found and deleted. There was also a Y.dll in that folder. Should I delete it too?

 

C:\Windows\system32\IE_Host.exe - could not find file. Did a search and the closest files it found were: C:\windows\prefetch\IE_HOST.exe-02F353C1.pf and IE_host.dll in C:\Windows\microsoft.net\framework.v1.1.4322

 

C:\Windows\system32\dp-him.exe - could not find file. Search only found a file similar to above in C:\windows\prefetch\

 

C:\Windows\system32\Reyd5kls.exe file not found, but it was in the C:\!peper\ directory.

 

folder C:\program files\autoupdate - not found

 

blainhin.exe and wtsne.exe - no file found. Search only found a file in c:\windows\prefetch\ similar to the files described above (file.exe-########.pf)

 

 

 

The Reyd5kls.exe entry was not in HijackThis when I ran it. I now see there appears to be a new entry there (TafqW5mn.exe) in its place. That file is now in the c:\!peper\ directory as well. Should I just remove the O4 entry completely?

 

Is it a problem that I did not find most of the files to delete? Some were in the !peper directory, but several were not.

 

Anyway...

 

 

Here is the new Hjt log:

 

Logfile of HijackThis v1.97.7

Scan saved at 8:43:36 PM, on 7/9/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\JHU-APL VPN Client\cvpnd.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\WINDOWS\etlisrv.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\System32\etdsvc.exe

C:\Program Files\Timbuktu Pro\tb2launch.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

C:\WINDOWS\System32\hphmon05.exe

C:\Program Files\Tech\MagicBall\1.2\LWBWHEEL.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Timbuktu Pro\minitb2.exe

C:\Program Files\DIGStream\digstream.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\WINDOWS\System32\wuauclt.exe

C:\HijackThis\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8l.hpwis.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://qus8l.hpwis.com/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Tech\MagicBall\1.2\LWBWHEEL.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\minitb2.exe"

O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\TafqW5mn.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Entrust/Direct Recovery] "C:\Program Files\Entrust\Direct Intranet\etdirrcv.exe"

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP\Office10\OSA.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI01DA~1\Office10\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O9 - Extra button: Research (HKLM)

O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/popc...aploader_v5.cab


Clean out this directory:

 

C:\windows\temp

 

As for those files you couldn't find, don't worry about it.

 

As for this:

 

O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\TafqW5mn.exe

 

Go ahead and remove it. The file renamed itself.

 

Reboot and post a new log.

 

-- LB

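A small triage script for the two logs above, written here as an added example (it is not a tool from the thread, nor part of HijackThis): it parses the O2 and O4 lines, lists the weak indicators a log reader looks for, and diffs the Run entries between the first and second log so that an entry that kept its value name but swapped its file, as [4S2NSLA3QS#366] did, stands out. The log excerpts it embeds are constructed from lines quoted in the thread; the suspicion rules are my own heuristics, not HijackThis logic.

```python
import re

# Constructed excerpts of the two HijackThis logs quoted in the thread,
# trimmed to the lines needed to show the triage (not the full logs).
LOG_BEFORE = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [y] C:\windows\temp\y.exe
O4 - HKLM\..\Run: [tqEQ38V] wtsne.exe
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\Reyd5kLs.exe
O4 - HKCU\..\Run: [c9x4RUZ4Q] blainhin.exe
"""
LOG_AFTER = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [4S2NSLA3QS#366] C:\WINDOWS\System32\TafqW5mn.exe
"""

# O2 = Browser Helper Object, O4 = autostart (only the Run-key form is parsed here)
O2_RE = re.compile(r"^O2 - BHO: (?P<title>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def parse(log):
    """Return {'bho': {clsid: path}, 'run': {(hive, value name): command}} for one log."""
    bho, run = {}, {}
    for line in log.strip().splitlines():
        if m := O2_RE.match(line):
            bho[m["clsid"]] = m["path"]
        elif m := O4_RE.match(line):
            run[(m["hive"], m["name"])] = m["cmd"]
    return {"bho": bho, "run": run}


def exe_of(cmd):
    """Return just the executable from an O4 command (quoted, or unquoted with switches)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(?i)(.+?\.exe)\b", cmd)
    return m.group(1) if m else cmd.split(" ")[0]


def triage(parsed):
    """Reasons to look closer, not verdicts: vendor entries like AGRSMMSG.exe trip the bare-name rule too."""
    findings = []
    for clsid, path in parsed["bho"].items():
        if path == "(no file)":
            findings.append((f"O2 {clsid}", "BHO registered but its DLL is gone (orphaned entry)"))
    for (hive, name), cmd in parsed["run"].items():
        exe, reasons = exe_of(cmd), []
        if "\\temp\\" in exe.lower():
            reasons.append("autostart launched from a temp directory")
        if "\\" not in exe:
            reasons.append("bare filename, resolved via PATH search; origin unknown")
        if "#" in name or (sum(c.isdigit() for c in name) >= 2 and not name.isupper()):
            reasons.append("random-looking value name")
        if reasons:
            findings.append((f"O4 {hive} [{name}]", "; ".join(reasons)))
    return findings


def diff_runs(before, after):
    """Compare Run entries by (hive, value name); a kept name with a new file is 'renamed'."""
    b, a = before["run"], after["run"]
    return {
        "removed": sorted(k for k in b if k not in a),
        "renamed": {k: (b[k], a[k]) for k in b if k in a and b[k] != a[k]},
        "added": sorted(k for k in a if k not in b),
    }


if __name__ == "__main__":
    before, after = parse(LOG_BEFORE), parse(LOG_AFTER)
    for entry, why in triage(before):
        print(f"{entry}: {why}")
    for (hive, name), (old, new) in diff_runs(before, after)["renamed"].items():
        print(f"{hive} [{name}] kept its value name but now runs {new} instead of {old}")
```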

Deleted files in C:\windows\temp

 

Should I also have deleted the subfolders? Since it's the Temp folder I thought everything could be deleted, but there were some called "history", "cookies", and "Temporary Internet Files", etc. that sounded like they might belong. However, of particular note was one called "AutoUpdate0" (very similar to the folder I couldn't find earlier). It has a setup info file in it. There are also a couple of others that look suspicious: one is called "~apropos0", which has a similar setup info file and a couple of DLLs (atla.dll, atwa.dll); another is called "~compoundinst0"; another is ClrSch, which contains FNuninstaller.Ex_exe and FNuninstaller.exe.

There were also two empty folders called WMD and WMFA.

 

 

Here's the latest hjt log. In my uneducated opinion it's looking pretty clean.

 

 

Sorry I'm such a n00b at this. Thanks for all your help!

 

 

Logfile of HijackThis v1.97.7

Scan saved at 9:12:06 AM, on 7/10/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\JHU-APL VPN Client\cvpnd.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\WINDOWS\etlisrv.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\System32\etdsvc.exe

C:\Program Files\Timbuktu Pro\tb2launch.exe

C:\Program Files\Timbuktu Pro\tb2pro.exe

C:\Program Files\Timbuktu Pro\TNOTIFY.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

C:\WINDOWS\System32\hphmon05.exe

C:\Program Files\Tech\MagicBall\1.2\LWBWHEEL.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Timbuktu Pro\minitb2.exe

C:\Program Files\DIGStream\digstream.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\HijackThis\HijackThis.exe

C:\WINDOWS\System32\wuauclt.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8l.hpwis.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://qus8l.hpwis.com/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Tech\MagicBall\1.2\LWBWHEEL.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\minitb2.exe"

O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Entrust/Direct Recovery] "C:\Program Files\Entrust\Direct Intranet\etdirrcv.exe"

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP\Office10\OSA.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI01DA~1\Office10\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O9 - Extra button: Research (HKLM)

O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/popc...aploader_v5.cab


Your log looks clean :)

 

As for those files you had questions about, those were leftovers from ClearSearch and PeopleOnPage infections. I'm assuming they're in one of the temp directories.

Could you give the path of where these files are?

 

I'll see if those other folders (Cookies, History, and Temporary Internet Files) are safe to delete. I suspect Windows will recreate them if they are deleted.

 

Check back tomorrow for info on how to protect yourself from this stuff.

 

-- LB


Go ahead and delete the subfolders in C:\Windows\Temp except for Cookies, History, and Temporary Internet Files.

 

I recommend downloading the following programs:

 

SpywareBlaster

 

IE-Spyad

 

MVPS Hosts

 

These will prevent much of the bad stuff from getting on your computer. They're all free.

 

For IE-Spyad and MVPS Hosts, check either at their respective web sites or the Software Update forum here for update announcements.

 

Here are some recommended changes in IE settings that will help protect you.

 

Go to the Tools menu, then choose Internet Options.

 

Click on the Privacy tab and click on the Advanced button.

 

In the box that pops up, check both the Override automatic cookie handling and Always allow session cookies boxes. Set First party cookies to "Allow" and Third party cookies to "Block". Click OK.

 

Go to the Security tab & click the Custom Level button.

 

The following ActiveX section settings should be changed as follows:

  • Download signed ActiveX controls: Prompt
  • Download unsigned ActiveX controls: Prompt
  • Initialize and script ActiveX controls not marked as safe: Disable

In the Microsoft VM section, set Java Permissions to "High Safety".

 

In the Miscellaneous section, set Installation of desktop items to "Prompt".

 

Click on the Advanced tab and uncheck both Install on demand items.

 

Click on Apply, then OK.

 

-- LB


Since this issue appears resolved ... this Topic is closed.

 

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter.

 

Everyone else please begin a New Topic.
