Problems with ISTbar, CommonName, etc.


4 replies to this topic

#1 MelKat (Full Member, 7 posts)

Posted 21 May 2004 - 11:54 AM

I need help completely removing ISTbar, CommonName and, I am sure, several other types of malware. I followed the instructions in the FAQ and ran Ad-Aware and Spybot S&D. When I reboot, everything comes back. Now I also have trouble with a Trojan Horse REVOP.C that AVG can find but can't seem to remove. If anyone has the time to help I would greatly appreciate it. This is my first posting; I tried deducing what I needed to do from reading other posts, but I am afraid of doing more damage on my own. Please have patience with my replies; I work odd hours.

Here is my StartupList report and HijackThis log:


StartupList report, 5/21/2004, 11:01:52 AM
StartupList version: 1.52
Started from : C:\Documents and Settings\Owner\Desktop\HijackThis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\SnoopFreeSvc.exe
C:\WINNT\System32\SnoopFreeSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\WINNT\System32\LXSUPMON.EXE
C:\Program Files\Saitek\Saitek Gaming Extensions\saicnfig.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\SM1BG.EXE
C:\WINNT\System32\tnyuevh.exe
C:\WINNT\System32\jgdkxuw.exe
C:\PROGRA~1\INTERN~2\inetmgr.exe
C:\WINNT\System32\hpdllhost.exe
C:\WINNT\System32\QuikSearch.exe
C:\PROGRA~1\INTERN~2\inetsvc.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINNT\SnoopFreeUI.exe
C:\WINNT\SnoopFreeUI.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINNT\System32\SQsky.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\HijackThis\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Hot Key Kbd 9910 Daemon = SK9910DM.EXE
GWMDMMSG = GWMDMMSG.exe
IgfxTray = C:\WINNT\System32\igfxtray.exe
HotKeysCmds = C:\WINNT\System32\hkcmd.exe
Keyboard Preload Check = C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
GWMDMpi = C:\WINNT\GWMDMpi.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
AdaptecDirectCD = "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
Bart Station = C:\Program Files\ISP50\hta\station.sbrt
PrinTray = C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
LXSUPMON = C:\WINNT\System32\LXSUPMON.EXE RUN
SAITEKAUTOCONFIGURE = C:\Program Files\Saitek\Saitek Gaming Extensions\saicnfig.exe /autorun
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe
SM1BG = C:\WINNT\SM1BG.EXE
nssysconf = C:\WINNT\System32\tnyuevh.exe
hpsysconf1 = C:\WINNT\System32\jgdkxuw.exe
kw3eef76 = rundll32.exe C:\WINNT\System32\kw3eef76.dll,EnableRunDLL32
inetmgr = C:\PROGRA~1\INTERN~2\inetmgr.exe
he3e3fc4 = rundll32.exe C:\WINNT\System32\he3e3fc4.dll,EnableRunDLL32
li01f948 = rundll32.exe C:\WINNT\System32\li01f948.dll,EnableRunDLL32
000hpdllhost = C:\WINNT\System32\hpdllhost.exe
readdb40 = rundll32.exe C:\WINNT\System32\readdb40.dll,EnableRunDLL32
iel2cde8 = rundll32.exe C:\WINNT\System32\iel2cde8.dll,EnableRunDLL32
icdd7ee6 = rundll32.exe C:\WINNT\System32\icdd7ee6.dll,EnableRunDLL32
si91e44b = rundll32.exe C:\WINNT\System32\si91e44b.dll,EnableRunDLL32
wm41a398 = rundll32.exe C:\WINNT\System32\wm41a398.dll,EnableRunDLL32
QuikSearch = C:\WINNT\System32\QuikSearch.exe
PPCRunonce = C:\WINNT\System32\PPCRunOnce.exe
AVG_CC = C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
Microsoft IIS = C:\WINNT\system32\syshost.exe
SnoopFreeUI = SnoopFreeUI.exe
Zone Labs Client = C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
SQInstall = C:\WINNT\System32\SQsky.exe
ashMaiSv = C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

RamBooster = C:\PROGRA~1\RAMBOO~1\RAMBOO~1.EXE
SpySweeper = "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\WINNT\System32\kw3eef76.dll - {00000000-0000-0000-8835-3EFF76BF2657}
(no name) - C:\WINNT\System32\icdd7ee6.dll - {00000000-0000-0000-BFA1-D7EE6696B865}
(no name) - C:\WINNT\System32\wm41a398.dll - {00000000-0000-41a3-98CF-00000000168B}
(no name) - C:\WINNT\System32\iel2cde8.dll - {00000000-0000-47c5-A90F-2CDE8F7638DB}
(no name) - C:\WINNT\System32\he3e3fc4.dll - {000E6ED5-E3FC-4c93-99E9-D38D2A9F9B09}
(no name) - C:\PROGRA~1\INTERN~2\inetkw.dll - {046D6EA4-15E3-4b27-8010-45BD78A9219E}
(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\ISP50\bin\BandObject.dll - {3DE88907-3E38-11D4-BEB2-CBE76C0598DD}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft Office Template and Media Control]
InProcServer32 = C:\WINNT\Downloaded Program Files\IEAWSDC.DLL
CODEBASE = http://office.micros...tes/ieawsdc.cab

[MSSecurityAdvisor Class]
InProcServer32 = C:\WINNT\System32\mssecadv.dll
CODEBASE = http://protect.micro...b?1063830139750

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINNT\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.syma...bin/AvSniff.cab

[dldisplay Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\ghdlctl.dll
CODEBASE = http://www.gamehouse.com/ghdlctl.cab

[TechToolsActivex.TechTools]
InProcServer32 = C:\WINNT\Downloaded Program Files\TechTools.ocx
CODEBASE = hcp://system/TechTools.CAB

[RdxIE Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\RdxIE.dll
CODEBASE = http://207.188.7.150...ip/RdxIE601.cab

[RunExeActiveX.RunExe]
InProcServer32 = C:\WINNT\Downloaded Program Files\RunExeActiveX.ocx
CODEBASE = hcp://system/RunExeActiveX.CAB

[InstallShield International Setup Player]
InProcServer32 = c:\winnt\DOWNLO~1\isetup.dll
CODEBASE = http://www.napster.c...ient/isetup.cab

[StartFirstControl.CheckFirst]
InProcServer32 = C:\WINNT\Downloaded Program Files\StartFirstControl.ocx
CODEBASE = hcp://system/StartFirstControl.CAB

[compid Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\gwCID.dll
CODEBASE = http://support.gatew...rvest/gwCID.CAB

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupd...8119.4641782407

[SassCln Object]
InProcServer32 = C:\WINNT\Downloaded Program Files\SassCln.dll
CODEBASE = http://www.microsoft...ols/SassCln.CAB

[{AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A}]
CODEBASE = http://install.wildt...lls/install.cab

[View22RTE Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\View22RTE.dll
CODEBASE = http://kohler1.view2...s/view22RTE.cab

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.syma...n/bin/cabsa.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\swflash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

[{DC187740-46A9-11D5-A815-00B0D0428C0C}]
CODEBASE = http://www.pcpowersc...pcpowerscan.cab

[SDKInstall Class]
InProcServer32 = C:\WINNT\sdkinst.dll
CODEBASE = http://activex.micro...ate/sdkinst.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINNT\system32\SHELL32.dll
CDBurn: C:\WINNT\system32\SHELL32.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: C:\WINNT\System32\stobject.dll

--------------------------------------------------
End of report, 10,381 bytes
Report generated in 1.297 seconds



Logfile of HijackThis v1.97.7
Scan saved at 11:03:14 AM, on 5/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\SnoopFreeSvc.exe
C:\WINNT\System32\SnoopFreeSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\WINNT\System32\LXSUPMON.EXE
C:\Program Files\Saitek\Saitek Gaming Extensions\saicnfig.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\SM1BG.EXE
C:\WINNT\System32\tnyuevh.exe
C:\WINNT\System32\jgdkxuw.exe
C:\PROGRA~1\INTERN~2\inetmgr.exe
C:\WINNT\System32\hpdllhost.exe
C:\WINNT\System32\QuikSearch.exe
C:\PROGRA~1\INTERN~2\inetsvc.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINNT\SnoopFreeUI.exe
C:\WINNT\SnoopFreeUI.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINNT\System32\SQsky.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\HijackThis\HijackThis.exe
C:\WINNT\System32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.peoplepc.com/homepage
O1 - Hosts file is located at: C:\WINNT\System32\drivers\etc\hosts
O2 - BHO: (no name) - {00000000-0000-0000-8835-3EFF76BF2657} - C:\WINNT\System32\kw3eef76.dll
O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - C:\WINNT\System32\icdd7ee6.dll
O2 - BHO: (no name) - {00000000-0000-41a3-98CF-00000000168B} - C:\WINNT\System32\wm41a398.dll
O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINNT\System32\iel2cde8.dll
O2 - BHO: (no name) - {000E6ED5-E3FC-4c93-99E9-D38D2A9F9B09} - C:\WINNT\System32\he3e3fc4.dll
O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~2\inetkw.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3DE88907-3E38-11D4-BEB2-CBE76C0598DD} - C:\Program Files\ISP50\bin\BandObject.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - C:\WINNT\System32\li01f948.dll
O3 - Toolbar: (no name) - {EFEE6B59-ADDB-40eb-BA2C-AF860F5B42B5} - C:\WINNT\System32\readdb40.dll
O3 - Toolbar: (no name) - {28A19C3E-91E4-4bca-A623-BAF3C43C4F49} - C:\WINNT\System32\si91e44b.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SAITEKAUTOCONFIGURE] C:\Program Files\Saitek\Saitek Gaming Extensions\saicnfig.exe /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [nssysconf] C:\WINNT\System32\tnyuevh.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\System32\jgdkxuw.exe
O4 - HKLM\..\Run: [kw3eef76] rundll32.exe C:\WINNT\System32\kw3eef76.dll,EnableRunDLL32
O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe
O4 - HKLM\..\Run: [he3e3fc4] rundll32.exe C:\WINNT\System32\he3e3fc4.dll,EnableRunDLL32
O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINNT\System32\li01f948.dll,EnableRunDLL32
O4 - HKLM\..\Run: [000hpdllhost] C:\WINNT\System32\hpdllhost.exe
O4 - HKLM\..\Run: [readdb40] rundll32.exe C:\WINNT\System32\readdb40.dll,EnableRunDLL32
O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINNT\System32\iel2cde8.dll,EnableRunDLL32
O4 - HKLM\..\Run: [icdd7ee6] rundll32.exe C:\WINNT\System32\icdd7ee6.dll,EnableRunDLL32
O4 - HKLM\..\Run: [si91e44b] rundll32.exe C:\WINNT\System32\si91e44b.dll,EnableRunDLL32
O4 - HKLM\..\Run: [wm41a398] rundll32.exe C:\WINNT\System32\wm41a398.dll,EnableRunDLL32
O4 - HKLM\..\Run: [QuikSearch] C:\WINNT\System32\QuikSearch.exe
O4 - HKLM\..\Run: [PPCRunonce] C:\WINNT\System32\PPCRunOnce.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Microsoft IIS] C:\WINNT\system32\syshost.exe
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [SQInstall] C:\WINNT\System32\SQsky.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKCU\..\Run: [RamBooster] C:\PROGRA~1\RAMBOO~1\RAMBOO~1.EXE
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.micro...b?1063830139750
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.c...ient/isetup.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8119.4641782407
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...lls/install.cab
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://kohler1.view2...s/view22RTE.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowersc...pcpowerscan.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.micro...ate/sdkinst.cab


Thanks in advance for any and all assistance. I can tell from looking at other HijackThis logs that mine is a piece of work.

Edited by MelKat, 23 May 2004 - 08:40 AM.


#2 dave38 (Devout Murphyite!, Emeritus, 8,508 posts)

Posted 21 May 2004 - 03:35 PM

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

O2 - BHO: (no name) - {00000000-0000-0000-8835-3EFF76BF2657} - C:\WINNT\System32\kw3eef76.dll
O2 - BHO: (no name) - {00000000-0000-0000-BFA1-D7EE6696B865} - C:\WINNT\System32\icdd7ee6.dll
O2 - BHO: (no name) - {00000000-0000-41a3-98CF-00000000168B} - C:\WINNT\System32\wm41a398.dll
O2 - BHO: (no name) - {00000000-0000-47c5-A90F-2CDE8F7638DB} - C:\WINNT\System32\iel2cde8.dll
O2 - BHO: (no name) - {000E6ED5-E3FC-4c93-99E9-D38D2A9F9B09} - C:\WINNT\System32\he3e3fc4.dll
O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~2\inetkw.dll

O3 - Toolbar: (no name) - {223405EC-01F9-48a2-BDBB-D519913E2765} - C:\WINNT\System32\li01f948.dll
O3 - Toolbar: (no name) - {EFEE6B59-ADDB-40eb-BA2C-AF860F5B42B5} - C:\WINNT\System32\readdb40.dll
O3 - Toolbar: (no name) - {28A19C3E-91E4-4bca-A623-BAF3C43C4F49} - C:\WINNT\System32\si91e44b.dll

O4 - HKLM\..\Run: [nssysconf] C:\WINNT\System32\tnyuevh.exe
O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\System32\jgdkxuw.exe
O4 - HKLM\..\Run: [kw3eef76] rundll32.exe C:\WINNT\System32\kw3eef76.dll,EnableRunDLL32
O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe
O4 - HKLM\..\Run: [he3e3fc4] rundll32.exe C:\WINNT\System32\he3e3fc4.dll,EnableRunDLL32
O4 - HKLM\..\Run: [li01f948] rundll32.exe C:\WINNT\System32\li01f948.dll,EnableRunDLL32
O4 - HKLM\..\Run: [000hpdllhost] C:\WINNT\System32\hpdllhost.exe
O4 - HKLM\..\Run: [readdb40] rundll32.exe C:\WINNT\System32\readdb40.dll,EnableRunDLL32
O4 - HKLM\..\Run: [iel2cde8] rundll32.exe C:\WINNT\System32\iel2cde8.dll,EnableRunDLL32
O4 - HKLM\..\Run: [icdd7ee6] rundll32.exe C:\WINNT\System32\icdd7ee6.dll,EnableRunDLL32
O4 - HKLM\..\Run: [si91e44b] rundll32.exe C:\WINNT\System32\si91e44b.dll,EnableRunDLL32
O4 - HKLM\..\Run: [wm41a398] rundll32.exe C:\WINNT\System32\wm41a398.dll,EnableRunDLL32
O4 - HKLM\..\Run: [QuikSearch] C:\WINNT\System32\QuikSearch.exe
O4 - HKLM\..\Run: [PPCRunonce] C:\WINNT\System32\PPCRunOnce.exe
O4 - HKLM\..\Run: [Microsoft IIS] C:\WINNT\system32\syshost.exe
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [SQInstall] C:\WINNT\System32\SQsky.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.c...ient/isetup.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...lls/install.cab

Reboot, and delete the following files:
C:\WINNT\System32\tnyuevh.exe
C:\WINNT\System32\jgdkxuw.exe
C:\WINNT\System32\kw3eef76.dll
C:\Program Files\INTERN~2\inetmgr.exe
C:\WINNT\System32\he3e3fc4.dll
C:\WINNT\System32\li01f948.dll
C:\WINNT\System32\hpdllhost.exe
C:\WINNT\System32\readdb40.dll
C:\WINNT\System32\iel2cde8.dll
C:\WINNT\System32\icdd7ee6.dll
C:\WINNT\System32\si91e44b.dll
C:\WINNT\System32\wm41a398.dll
C:\WINNT\System32\QuikSearch.exe
C:\WINNT\system32\syshost.exe
C:\WINNT\System32\SQsky.exe

These may be hidden files. See HERE for how to show hidden files.

Please post a followup Hijack this log, and say if the problems persist.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum
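An added check for the procedure above (example code written for this thread, not part of HijackThis, StartupList or the forum's tools): it parses O2/O3/O4 lines, flags the patterns dave38 singled out (zeroed CLSIDs, two-letters-plus-six-hex DLL names, rundll32 EnableRunDLL32 loaders), and compares a follow-up log against the fix list. The sample lines are constructed excerpts from the thread's 21 May log, the fix list, and the 22 May follow-up log, in which the inetkw.dll BHO and the inetmgr Run entry are still present.

```python
"""Triage HijackThis O2/O3/O4 lines and check a follow-up log against a fix list.
Added example for this thread; the heuristics are an illustration, not HijackThis logic."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Line shapes as HijackThis v1.97 prints them (see the logs posted in this thread).
LINE_RES = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$"),
    "O3": re.compile(r"^O3 - Toolbar: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$"),
    "O4": re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.+)$"),
}

# Two letters followed by six hex digits, the naming style of the DLLs in this log.
RANDOM_DLL = re.compile(r"(?:^|\\)[a-z]{2}[0-9a-f]{6}\.dll$", re.IGNORECASE)
# Run value that loads a DLL through rundll32 with the EnableRunDLL32 export.
RUNDLL_LOADER = re.compile(r"^rundll32(?:\.exe)?\s+.+\.dll,EnableRunDLL32$", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    kind: str    # "O2", "O3" or "O4"
    name: str    # BHO/toolbar display name, or the Run value name
    clsid: str   # COM class id for O2/O3, "" for O4
    target: str  # DLL path, or the Run command line
    raw: str     # the original log line


def parse_log(text: str) -> list[Entry]:
    """Keep only O2/O3/O4 lines; process lists, R0/R1, O16 etc. are ignored here."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for kind, rx in LINE_RES.items():
            m = rx.match(line)
            if m:
                d = m.groupdict()
                entries.append(Entry(kind, d["name"], d.get("clsid", ""), d["target"], line))
                break
    return entries


def flag(e: Entry) -> list[str]:
    """Reasons an entry deserves a look. "(no name)" alone is not one: SDHelper.dll
    and AcroIEHelper.dll are unnamed in this log too."""
    reasons = []
    if e.clsid.upper().startswith("{00000000-0000-"):
        reasons.append("CLSID with zeroed leading groups, not a generated GUID")
    if RANDOM_DLL.search(e.target.split(",")[0]):
        reasons.append("DLL named as two letters plus six hex digits")
    if e.kind == "O4" and RUNDLL_LOADER.match(e.target):
        reasons.append("rundll32 EnableRunDLL32 loader entry")
    return reasons


def triage(text: str) -> dict[str, list[str]]:
    """Map each flagged raw line to its reasons."""
    result = {}
    for e in parse_log(text):
        reasons = flag(e)
        if reasons:
            result[e.raw] = reasons
    return result


def entry_key(e: Entry) -> tuple[str, str]:
    # Add-ons are identified by CLSID, Run values by their value name.
    return (e.kind, (e.clsid or e.name).lower())


def still_present(fix_list: str, followup_log: str) -> list[str]:
    """Lines from the helper's fix list whose entry still shows in the follow-up log."""
    after = {entry_key(e) for e in parse_log(followup_log)}
    return [e.raw for e in parse_log(fix_list) if entry_key(e) in after]


# Constructed excerpts copied from the thread: 21 May log, dave38's fix list, 22 May log.
BEFORE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-8835-3EFF76BF2657} - C:\WINNT\System32\kw3eef76.dll
O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~2\inetkw.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {EFEE6B59-ADDB-40eb-BA2C-AF860F5B42B5} - C:\WINNT\System32\readdb40.dll
O4 - HKLM\..\Run: [kw3eef76] rundll32.exe C:\WINNT\System32\kw3eef76.dll,EnableRunDLL32
O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
"""
FIX_LIST = r"""
O2 - BHO: (no name) - {00000000-0000-0000-8835-3EFF76BF2657} - C:\WINNT\System32\kw3eef76.dll
O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~2\inetkw.dll
O3 - Toolbar: (no name) - {EFEE6B59-ADDB-40eb-BA2C-AF860F5B42B5} - C:\WINNT\System32\readdb40.dll
O4 - HKLM\..\Run: [kw3eef76] rundll32.exe C:\WINNT\System32\kw3eef76.dll,EnableRunDLL32
O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe
"""
AFTER_LOG = r"""
O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~2\inetkw.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe
"""

if __name__ == "__main__":
    for line, reasons in triage(BEFORE_LOG).items():
        print(line, "->", "; ".join(reasons))
    print("Still present after the fix:")
    for line in still_present(FIX_LIST, AFTER_LOG):
        print("  ", line)
```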

#3 MelKat (Full Member, 7 posts)

Posted 22 May 2004 - 08:20 AM

Dave38,

I did everything you said and I can tell my computer is running smoother, thank you very much.

The only problem I had was being unable to remove C:\Program Files\INTERN~2\inetmgr.exe. I kept getting an error message "Cannot delete inetmgr: Access Denied". Is it possible to delete this in a DOS window without damaging anything or can it be done in Safe Mode?

Here is my new StartupList report and HijackThis log:

StartupList report, 5/22/2004, 7:44:30 AM
StartupList version: 1.52
Started from : C:\Documents and Settings\Owner\Desktop\HijackThis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\WINNT\System32\LXSUPMON.EXE
C:\Program Files\Saitek\Saitek Gaming Extensions\saicnfig.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\SM1BG.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\PROGRA~1\INTERN~2\inetmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\INTERN~2\inetsvc.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\Documents and Settings\Owner\Desktop\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Hot Key Kbd 9910 Daemon = SK9910DM.EXE
GWMDMMSG = GWMDMMSG.exe
IgfxTray = C:\WINNT\System32\igfxtray.exe
HotKeysCmds = C:\WINNT\System32\hkcmd.exe
Keyboard Preload Check = C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
GWMDMpi = C:\WINNT\GWMDMpi.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
AdaptecDirectCD = "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
Bart Station = C:\Program Files\ISP50\hta\station.sbrt
PrinTray = C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
LXSUPMON = C:\WINNT\System32\LXSUPMON.EXE RUN
SAITEKAUTOCONFIGURE = C:\Program Files\Saitek\Saitek Gaming Extensions\saicnfig.exe /autorun
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe
SM1BG = C:\WINNT\SM1BG.EXE
AVG_CC = C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
Zone Labs Client = C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
ashMaiSv = C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
inetmgr = C:\PROGRA~1\INTERN~2\inetmgr.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

RamBooster = C:\PROGRA~1\RAMBOO~1\RAMBOO~1.EXE
SpySweeper = "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\INTERN~2\inetkw.dll - {046D6EA4-15E3-4b27-8010-45BD78A9219E}
(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\ISP50\bin\BandObject.dll - {3DE88907-3E38-11D4-BEB2-CBE76C0598DD}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft Office Template and Media Control]
InProcServer32 = C:\WINNT\Downloaded Program Files\IEAWSDC.DLL
CODEBASE = http://office.micros...tes/ieawsdc.cab

[MSSecurityAdvisor Class]
InProcServer32 = C:\WINNT\System32\mssecadv.dll
CODEBASE = http://protect.micro...b?1063830139750

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINNT\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.syma...bin/AvSniff.cab

[dldisplay Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\ghdlctl.dll
CODEBASE = http://www.gamehouse.com/ghdlctl.cab

[TechToolsActivex.TechTools]
InProcServer32 = C:\WINNT\Downloaded Program Files\TechTools.ocx
CODEBASE = hcp://system/TechTools.CAB

[RunExeActiveX.RunExe]
InProcServer32 = C:\WINNT\Downloaded Program Files\RunExeActiveX.ocx
CODEBASE = hcp://system/RunExeActiveX.CAB

[StartFirstControl.CheckFirst]
InProcServer32 = C:\WINNT\Downloaded Program Files\StartFirstControl.ocx
CODEBASE = hcp://system/StartFirstControl.CAB

[compid Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\gwCID.dll
CODEBASE = http://support.gatew...rvest/gwCID.CAB

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupd...8119.4641782407

[SassCln Object]
InProcServer32 = C:\WINNT\Downloaded Program Files\SassCln.dll
CODEBASE = http://www.microsoft...ols/SassCln.CAB

[View22RTE Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\View22RTE.dll
CODEBASE = http://kohler1.view2...s/view22RTE.cab

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.syma...n/bin/cabsa.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\swflash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

[{DC187740-46A9-11D5-A815-00B0D0428C0C}]
CODEBASE = http://www.pcpowersc...pcpowerscan.cab

[SDKInstall Class]
InProcServer32 = C:\WINNT\sdkinst.dll
CODEBASE = http://activex.micro...ate/sdkinst.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINNT\system32\SHELL32.dll
CDBurn: C:\WINNT\system32\SHELL32.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: C:\WINNT\System32\stobject.dll

--------------------------------------------------
End of report, 8,324 bytes
Report generated in 4.828 seconds




Logfile of HijackThis v1.97.7
Scan saved at 7:46:54 AM, on 5/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\WINNT\System32\LXSUPMON.EXE
C:\Program Files\Saitek\Saitek Gaming Extensions\saicnfig.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\SM1BG.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\PROGRA~1\INTERN~2\inetmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\INTERN~2\inetsvc.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\Documents and Settings\Owner\Desktop\HijackThis\HijackThis.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.peoplepc.com/homepage
O1 - Hosts file is located at: C:\WINNT\System32\drivers\etc\hosts
O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~2\inetkw.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3DE88907-3E38-11D4-BEB2-CBE76C0598DD} - C:\Program Files\ISP50\bin\BandObject.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SAITEKAUTOCONFIGURE] C:\Program Files\Saitek\Saitek Gaming Extensions\saicnfig.exe /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe
O4 - HKCU\..\Run: [RamBooster] C:\PROGRA~1\RAMBOO~1\RAMBOO~1.EXE
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.micro...b?1063830139750
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gatew...rvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8119.4641782407
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft...ols/SassCln.CAB
O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://kohler1.view2...s/view22RTE.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowersc...pcpowerscan.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.micro...ate/sdkinst.cab



While I was deleting all the files from the System32 file, I noticed several other programs that looked questionable. I performed a search inclusive of the time frame I believe most of this junk got into the computer system and here is a list of what it found:
ai_loader.exe
Aischk.exe
Aisysus.exe
Bischk.exe
Bisys.exe
Ez032304.exe
Ezschk.exe
Ezsys.exe
Ielreg.exe
Inetkw.exe
inetkwschk.exe
inetkwsys.exe
kzc.exe
Lzreg.exe
Rdreg.exe
sahagent-skyhorn.exe
Sahschk.exe
Sahsys.exe
Sq2chk.exe
Sqsysnew.exe
Tvm_b5.exe
Tvmschk.exe
Tvmsys.exe

Is it possible for me to delete any of these without damaging my system?

Please get back with me whenever you can, I really appreciate your assistance.


Thanks!
MelKat

Edited by MelKat, 22 May 2004 - 08:24 AM.


#4 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 22 May 2004 - 03:12 PM

Some of these can be very sticky!

Reboot into Safe Mode (tap F8 as the computer boots, and select Safe Mode from the menu).

Run HijackThis again, and fix the entry

O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe

Then, WITHOUT rebooting, delete the folder C:\PROGRA~1\INTERN~2.

The other files you list certainly do not appear to be associated with legitimate programs. To check, find each one and inspect its properties to see if it is associated with any of the programs you have installed. If not, delete them (to the Recycle Bin), and see if anything is broken or any error messages appear.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum
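The advice above comes down to one question an analyst asks of every HijackThis line: which folder does this entry load from, and does anything else in the log load from the same folder? The following is an added example for this thread, not HijackThis code and not code from either poster. It parses O2 (BHO), O3 (toolbar) and O4 (Run-key) lines, groups them by the directory of the DLL or executable they point at, and reports directories that are missing from an analyst-maintained allowlist. The allowlist is an assumption built from vendor folders visible in the log; the sample lines are a constructed subset of the log posted above.

```python
"""Group HijackThis-style log entries by the folder that backs them.

Added example for this thread; it is not HijackThis code and not code from
either poster.  O2 (BHO), O3 (toolbar) and O4 (Run-key) lines are parsed,
grouped by the directory of the DLL or executable they load, and any
directory missing from an analyst-maintained allowlist is reported.  The
allowlist is an assumption built from vendor folders visible in the thread's
log; the sample lines are a constructed subset of that log.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple

# Assumed allowlist: folders the analyst has already tied to software the
# user knowingly installed.  Matched case-insensitively by prefix; 8.3 short
# names stay as written because HijackThis prints them that way.
ALLOWLIST = (
    r"c:\winnt",
    r"c:\program files\adobe",
    r"c:\program files\norton antivirus",
    r"c:\program files\common files\symantec shared",
    r"c:\progra~1\grisoft",
    r"c:\progra~1\spybot~1",
)


class Entry(NamedTuple):
    kind: str   # "O2", "O3" or "O4"
    label: str  # BHO/toolbar name, or the Run value name
    path: str   # DLL or executable the entry loads


_O2_O3 = re.compile(
    r"^(?P<kind>O[23]) - (?:BHO|Toolbar): (?P<label>.*?) - "
    r"\{[0-9A-Fa-f-]{36}\} - (?P<path>.+)$")
_O4 = re.compile(
    r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<label>[^\]]+)\] (?P<cmd>.+)$")
_EXE = re.compile(r"^(?P<exe>.+?\.(?:exe|com|scr|bat|cmd|sbrt))(?:\s|$)", re.IGNORECASE)


def executable(cmd: str) -> str:
    """Return the program part of a Run-key command line (arguments stripped)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = _EXE.match(cmd)
    return m.group("exe") if m else cmd.split()[0]


def directory(path: str) -> str:
    """Lower-cased folder of a path; "" for a bare name resolved via the search path."""
    head, sep, _ = path.rpartition("\\")
    return head.lower() if sep else ""


def parse(lines: Iterable[str]) -> List[Entry]:
    """Turn O2/O3/O4 log lines into Entry records; other lines are ignored."""
    entries: List[Entry] = []
    for line in lines:
        line = line.strip()
        m = _O2_O3.match(line)
        if m:
            entries.append(Entry(m["kind"], m["label"], m["path"]))
            continue
        m = _O4.match(line)
        if m:
            entries.append(Entry("O4", m["label"], executable(m["cmd"])))
    return entries


def is_allowed(folder: str) -> bool:
    return any(folder.startswith(prefix) for prefix in ALLOWLIST)


def unknown_dirs(entries: Iterable[Entry]) -> Dict[str, List[Entry]]:
    """Entries whose folder is not allowlisted, keyed by folder.  A folder that
    backs both a BHO and a Run value is the pattern worth acting on first.
    Bare file names land under "" because a Run value that relies on the
    search path can be shadowed by a file of the same name elsewhere."""
    groups: Dict[str, List[Entry]] = defaultdict(list)
    for e in entries:
        folder = directory(e.path)
        if not is_allowed(folder):
            groups[folder].append(e)
    return dict(groups)


# Constructed sample: a subset of the O2/O3/O4 lines posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {046D6EA4-15E3-4b27-8010-45BD78A9219E} - C:\PROGRA~1\INTERN~2\inetkw.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [inetmgr] C:\PROGRA~1\INTERN~2\inetmgr.exe
O4 - HKCU\..\Run: [RamBooster] C:\PROGRA~1\RAMBOO~1\RAMBOO~1.EXE
"""

if __name__ == "__main__":
    for folder, items in sorted(unknown_dirs(parse(SAMPLE_LOG.splitlines())).items()):
        print(folder or "<no folder: resolved via search path>")
        for e in items:
            print(f"  {e.kind} [{e.label}] {e.path}")
```

On the sample, the folder C:\PROGRA~1\INTERN~2 is the only one reported with both a no-name BHO and a Run value behind it, which is exactly the pairing the helper's instructions target: fix the O4 entry so nothing relaunches, then remove the folder in the same Safe Mode session. Everything else the script lists is a candidate for the properties check described above, not a verdict; a short name such as RAMBOO~1 only means the analyst has not yet tied that folder to a known install.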

#5 MelKat

MelKat

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 23 May 2004 - 08:48 AM

Dave38,

I did as you advised and everything seems to be back to normal. I ran Ad-Aware and had a clean report. I did remove the suspicious programs with no ill effects so far. Thank you very much for all of your help, I felt like my computer was being held hostage and you "saved" it. I am so glad I found this forum!


Thank You

MelKat



