My Computer Is Going Crazy! HELP!


27 replies to this topic

#1 KevRus (Full Member, 44 posts)

Posted 14 July 2004 - 06:24 PM

Okay, I've read the FAQ.

Lately my computer has been going CRAZY! I delete all spyware, and it comes back! My Internet Explorer homepage changes, I get weird fake search pages, when I just deleted spyware! My computer goes unusually slow... help!

Also, on startup, I get many random error messages, but usually these are the ones I get:

C:\Program is missing.
javaob32.exe and netff.exe encountered errors and need to close


Sometimes when you click Send or Don't Send, they keep popping up, and you can't start Windows! And finally, explorer encounters an error and needs to close every time I start up Windows too!

Can someone please help me? My computer is running so slow and I get pop-ups that make my full-screen programs minimize, only to find a stupid fake pop-up with Windows XP: Clean!!!! Internet Explorer: CLEAN!! SPYWARE: ERROR!!! lol some of these pop-ups crack me up. Can anyone help me? Thanks. :lol: :techsupport: :techsupport:

EDIT: I forgot to add that MIDI files aren't playing and Notepad closes out of nowhere while reading or creating text files without an error message or anything, just boom, it's gone....jeez my computer's messed up....

And here's my log from HijackThis:

Logfile of HijackThis v1.97.7
Scan saved at 4:20:17 PM, on 7/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\msCMTSrvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\netff.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\winbas12.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\system32\addxj.exe
C:\WINDOWS\System32\dxrdiag.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Kevin\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jlvga.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jlvga.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jlvga.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jlvga.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jlvga.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jlvga.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
N2 - Netscape 6: # Mozilla User Preferences
// This is a generated file!

user_pref("aim.session.firsttime", false);
user_pref("browser.history.last_page_visited", "http://forums.prospe...Keep Reading>>");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dsl");
user_pref("browser.startup.homepage_override.mstone", "rv:0.9.4");
user_pref("prefs.converted-to-utf8", true);
user_pref("security.warn_submit_insecure", false);
user_pref("signon.SignonFileName", "78379029.s");
user_pref("timebomb.first_launch_time", "1078378885515000");
user_pref("wallet.caveat", true);
user_pref("intl.accept_languages", "rs1_b70b52e624c, rs2_e4ac4a18221, rs3_7ec70bd751");
user_pref("browser.helperApps.neverAsk.openFile", "application%2Fx-java-jnlp-file");
(C:\Documents and Settings\Kevin\Application Data\Mozilla\Profiles\default\ixs1j5xh.
N2 - Netscape 6: # Mozilla User Preferences
// This is a generated file!

user_pref("aim.session.firsttime", false);
user_pref("browser.history.last_page_visited", "http://forums.prospe...Keep Reading>>");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dsl");
user_pref("browser.startup.homepage_override.mstone", "rv:0.9.4");
user_pref("prefs.converted-to-utf8", true);
user_pref("security.warn_submit_insecure", false);
user_pref("signon.SignonFileName", "78379029.s");
user_pref("timebomb.first_launch_time", "1078378885515000");
user_pref("wallet.caveat", true);
user_pref("intl.accept_languages", "rs1_b70b52e624c, rs2_e4ac4a18221, rs3_7ec70bd751");
user_pref("browser.helperApps.neverAsk.openFile", "application%2Fx-java-jnlp-file");
(C:\Documents and Settings\Kevin\Application Data\Mozilla\Profiles\default\ixs1j5xh.
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {78D4C8D4-B5A0-4883-C6D7-F97D04BE0876} - C:\WINDOWS\system32\sysir.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [] C:\Program Files\winbas12.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [apijz32.exe] C:\WINDOWS\system32\apijz32.exe
O4 - HKLM\..\Run: [appnc.exe] C:\WINDOWS\system32\appnc.exe
O4 - HKLM\..\Run: [addxj.exe] C:\WINDOWS\system32\addxj.exe
O4 - HKLM\..\Run: [ipny.exe] C:\WINDOWS\system32\ipny.exe
O4 - HKLM\..\Run: [sysnv.exe] C:\WINDOWS\system32\sysnv.exe
O4 - HKLM\..\Run: [winxa.exe] C:\WINDOWS\system32\winxa.exe
O4 - HKLM\..\Run: [dxrdiag.exe] C:\WINDOWS\System32\dxrdiag.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [nettr.exe] C:\WINDOWS\system32\nettr.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [QuidditchWorldCupSnitchCluster] C:\Program Files\Desktop Golden Snitch US\skinkers.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [dxrdiag.exe] C:\WINDOWS\System32\dxrdiag.exe
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKLM\..\RunOnce: [msrh.exe] C:\WINDOWS\system32\msrh.exe
O4 - HKLM\..\RunOnce: [javayv.exe] C:\WINDOWS\system32\javayv.exe
O4 - HKLM\..\RunOnce: [javaqc.exe] C:\WINDOWS\javaqc.exe
O4 - HKLM\..\RunOnce: [msoy.exe] C:\WINDOWS\msoy.exe
O4 - HKLM\..\RunOnce: [addwn32.exe] C:\WINDOWS\addwn32.exe
O4 - HKLM\..\RunOnce: [iefk32.exe] C:\WINDOWS\system32\iefk32.exe
O4 - HKLM\..\RunOnce: [nttm32.exe] C:\WINDOWS\nttm32.exe
O4 - HKLM\..\RunOnce: [javaac32.exe] C:\WINDOWS\system32\javaac32.exe
O4 - HKLM\..\RunOnce: [sdkwn.exe] C:\WINDOWS\sdkwn.exe
O4 - HKLM\..\RunOnce: [ipzr32.exe] C:\WINDOWS\ipzr32.exe
O4 - HKLM\..\RunOnce: [mfchf.exe] C:\WINDOWS\system32\mfchf.exe
O4 - HKLM\..\RunOnce: [addmx.exe] C:\WINDOWS\addmx.exe
O4 - HKLM\..\RunOnce: [d3nc.exe] C:\WINDOWS\d3nc.exe
O4 - HKLM\..\RunOnce: [apihw.exe] C:\WINDOWS\system32\apihw.exe
O4 - HKLM\..\RunOnce: [apioq.exe] C:\WINDOWS\system32\apioq.exe
O4 - HKLM\..\RunOnce: [apicj.exe] C:\WINDOWS\system32\apicj.exe
O4 - HKLM\..\RunOnce: [netqh32.exe] C:\WINDOWS\netqh32.exe
O4 - HKLM\..\RunOnce: [ipys.exe] C:\WINDOWS\system32\ipys.exe
O4 - HKLM\..\RunOnce: [crrk.exe] C:\WINDOWS\system32\crrk.exe
O4 - HKLM\..\RunOnce: [d3wy.exe] C:\WINDOWS\system32\d3wy.exe
O4 - HKLM\..\RunOnce: [mfczh32.exe] C:\WINDOWS\mfczh32.exe
O4 - HKLM\..\RunOnce: [mfcll32.exe] C:\WINDOWS\mfcll32.exe
O4 - HKLM\..\RunOnce: [mfcwq.exe] C:\WINDOWS\system32\mfcwq.exe
O4 - HKLM\..\RunOnce: [javaob32.exe] C:\WINDOWS\javaob32.exe
O4 - HKLM\..\RunOnce: [atliv32.exe] C:\WINDOWS\system32\atliv32.exe
O4 - HKLM\..\RunOnce: [mshc.exe] C:\WINDOWS\system32\mshc.exe
O4 - HKLM\..\RunOnce: [nettw.exe] C:\WINDOWS\system32\nettw.exe
O4 - HKLM\..\RunOnce: [netol32.exe] C:\WINDOWS\system32\netol32.exe
O4 - HKLM\..\RunOnce: [ipxi.exe] C:\WINDOWS\system32\ipxi.exe
O4 - HKLM\..\RunOnce: [d3ib32.exe] C:\WINDOWS\system32\d3ib32.exe
O4 - HKLM\..\RunOnce: [sdkzt.exe] C:\WINDOWS\sdkzt.exe
O4 - HKLM\..\RunOnce: [iegx.exe] C:\WINDOWS\system32\iegx.exe
O4 - HKLM\..\RunOnce: [sdksm.exe] C:\WINDOWS\system32\sdksm.exe
O4 - HKLM\..\RunOnce: [mswk.exe] C:\WINDOWS\mswk.exe
O4 - HKLM\..\RunOnce: [appik32.exe] C:\WINDOWS\appik32.exe
O4 - HKLM\..\RunOnce: [javakw32.exe] C:\WINDOWS\javakw32.exe
O4 - HKLM\..\RunOnce: [addma32.exe] C:\WINDOWS\addma32.exe
O4 - HKLM\..\RunOnce: [atlah32.exe] C:\WINDOWS\atlah32.exe
O4 - HKLM\..\RunOnce: [d3lv32.exe] C:\WINDOWS\d3lv32.exe
O4 - HKLM\..\RunOnce: [iekn.exe] C:\WINDOWS\system32\iekn.exe
O4 - HKLM\..\RunOnce: [ntqm.exe] C:\WINDOWS\system32\ntqm.exe
O4 - HKLM\..\RunOnce: [crmc.exe] C:\WINDOWS\system32\crmc.exe
O4 - HKLM\..\RunOnce: [winzg.exe] C:\WINDOWS\system32\winzg.exe
O4 - HKLM\..\RunOnce: [ntbf32.exe] C:\WINDOWS\ntbf32.exe
O4 - HKLM\..\RunOnce: [netag.exe] C:\WINDOWS\system32\netag.exe
O4 - HKLM\..\RunOnce: [winro.exe] C:\WINDOWS\system32\winro.exe
O4 - HKLM\..\RunOnce: [addnj32.exe] C:\WINDOWS\system32\addnj32.exe
O4 - HKLM\..\RunOnce: [sdkja32.exe] C:\WINDOWS\sdkja32.exe
O4 - HKLM\..\RunOnce: [netff.exe] C:\WINDOWS\system32\netff.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: Toki Toki Boom - http://download.game...nts/y/vtm_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {01234567-1234-1234-1234-012345678921} - http://images.neopet...ne/neoblue5.cab
O16 - DPF: {023A3744-EA13-4C8A-8B23-ABF98974A9F5} (JoyOnPack Control) - http://gunbound.joyo...m/joyonpack.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\svchost.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...tor/cabs/sw.cab
O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - http://thesims.ea.co...otDateTeleX.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.8.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.i1.yimg.co...v45/yacscom.cab
O16 - DPF: {2DAE59A1-B355-4653-8D33-33A3A8F8C078} (MaxisVacationTeleX Control) - http://thesims.ea.co...cationTeleX.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {558958F1-FF22-4A76-8595-79A6B7BA698A} (PuzzleBobbleLauncher Control) - https://www.pbo.jp/b...bleLauncher.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {5D1E3FA5-64FF-4387-9418-F1D67AFB2247} (MaxisSuperstarTeleX Control) - http://thesims.ea.co...erstarTeleX.cab
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://vhost.oddcast...ostClientIE.cab
O16 - DPF: {8629CFEB-C31A-4429-9BB0-8765A8A24FDA} (MaxisUnleashedLotTeleX Control) - http://thesims.ea.co...hedLotTeleX.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yaho...rod/yregcfg.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7494.3085300926
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yaho...mail/ymmapi.dll
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.co...FamilyTeleX.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...stx/install.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...3.14/ttinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/p...r/v9/ticker.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://wwemail.suppo...ts/SysQuery.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab
O16 - DPF: {FF791555-FDAC-43AB-B792-389E4CC0A6E5} (Toontown TestServer Installer ActiveX Control) - http://download.test...est/tt_test.cab

Please help! Thanks!

Edited by KevRus, 15 July 2004 - 12:49 AM.
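A defender-side triage script, added here as an example (it is not code from the thread or from HijackThis): it parses HijackThis-style lines and flags the entry shapes visible in the log above, namely browser pages pointing at a res:// DLL resource, Run/RunOnce values named after a bare executable sitting directly in the Windows directory, an unnamed BHO DLL in the Windows directory, and an O16 download entry pointing at a local file. The sample lines are constructed from the entry shapes in the post; example.invalid is a placeholder URL, and a hit is a lead to look at, not a verdict.

```python
"""Triage heuristics for HijackThis (v1.97-style) log lines.

Added example, not code from the thread or from HijackThis. The rules
encode what a log reader checks first; a hit is a lead, not a verdict.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    section: str   # HijackThis section tag, e.g. "R1", "O4"
    reason: str    # why the line deserves a look
    line: str      # the original log line


# Every HijackThis entry starts with a section tag: "R1 - ...", "O4 - ...".
LINE_RE = re.compile(r"^(?P<sec>[RONF]\d{1,2}) - (?P<body>.*)$")
# O4 body shape: HKLM\..\Run: [value name] command
O4_RE = re.compile(
    r"^(?P<hive>HK[A-Z]{2})\\\.\.\\(?P<key>Run(?:Once)?): "
    r"\[(?P<name>[^\]]*)\] (?P<target>.*)$"
)
# A file sitting directly in C:\WINDOWS or C:\WINDOWS\system32 (no subfolder).
WINDIR_FILE_RE = re.compile(
    r"^c:\\windows\\(?:system32\\)?[^\\]+\.(?:exe|dll)$", re.I
)

# Constructed sample: entry shapes taken from the post, one per heuristic,
# plus benign neighbours that must not be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jlvga.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: (no name) - {78D4C8D4-B5A0-4883-C6D7-F97D04BE0876} - C:\WINDOWS\system32\sysir.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [appnc.exe] C:\WINDOWS\system32\appnc.exe
O4 - HKLM\..\RunOnce: [javaob32.exe] C:\WINDOWS\javaob32.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [] C:\Program Files\winbas12.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\svchost.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://example.invalid/plugin.cab
"""


def parse(line: str) -> Optional[Tuple[str, str]]:
    """Split a log line into (section tag, body); None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    return (m.group("sec"), m.group("body")) if m else None


def in_windows_dir(path: str) -> bool:
    """True when the file lives directly in the Windows or system32 directory."""
    return WINDIR_FILE_RE.match(path.strip().strip('"')) is not None


def triage(log_text: str) -> List[Finding]:
    """Return the entries a reader should look at first, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        parsed = parse(raw)
        if not parsed:
            continue
        sec, body = parsed
        if sec in ("R0", "R1", "O14") and "res://" in body.lower():
            # Start/search page served out of a DLL resource instead of a web URL.
            findings.append(Finding(sec, "browser page set to a res:// DLL resource", raw))
        elif sec == "O4":
            m = O4_RE.match(body)
            if not m:
                continue  # Startup-folder entries and other O4 shapes are not scored here
            name, target = m.group("name").strip(), m.group("target").strip()
            base = target.strip('"').rsplit("\\", 1)[-1]
            if not name:
                findings.append(Finding(sec, "autorun value with an empty name", raw))
            elif in_windows_dir(target) and name.lower() == base.lower():
                # Product entries carry a descriptive name; these carry only the filename.
                reason = f"{m.group('key')} value named after a bare .exe in the Windows directory"
                findings.append(Finding(sec, reason, raw))
        elif sec == "O2" and "(no name)" in body:
            dll = body.rsplit(" - ", 1)[-1]
            if in_windows_dir(dll):
                findings.append(Finding(sec, "unnamed BHO loaded from a DLL in the Windows directory", raw))
        elif sec == "O16" and " - file://" in body.lower():
            # ActiveX download entry pointing at a local file rather than a download URL.
            findings.append(Finding(sec, "O16 entry pointing at a local file:// path", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```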


#2 KevRus (Full Member, 44 posts)

Posted 14 July 2004 - 11:53 PM

Bump - I really need help please. :huh: :blink: :techsupport:

#3 KevRus (Full Member, 44 posts)

Posted 15 July 2004 - 11:46 AM

Will anyone please reply to me?

#4 KevRus (Full Member, 44 posts)

Posted 15 July 2004 - 01:11 PM

I'm sorry, I know I'm not supposed to bump so much, but it's been a while now and no one has replied to me. Is it because I have a huge problem? Can't anyone please at least reply to me? :-/ Please help me!

#5 Damsel in Distress (Full Member, 10 posts)

Posted 15 July 2004 - 01:59 PM

hi,

I am by no means an expert. But from what I know I would suggest running both AdAware and Spybot Search and Destroy if you have not already done so. You can probably find links for them in other posts if you're unable to find them.

I am also having computer difficulty...unable to connect to the internet at all, it's awful. Someone who replied to me sent me this link: http://vil.nai.com/vil/stinger/ . On this webpage is a virus scan and removal tool which searches for many viruses at once and might be able to help you.

Your problem also sounds to me like it might be related to the CWS virus, although I'm not sure. You might want to research that possibility through this forum and other posts and by searching.

After doing anything, post a new log.

Good luck.

Sincerely,
Damsel in Distress

#6 KevRus (Full Member, 44 posts)

Posted 15 July 2004 - 03:01 PM

Okay, thanks. I've been scanning for viruses the past hour, it's almost done. And it came up with some infected files so I'll check on that. I'll also run the CWShredder and check on that. Thanks for the help. :)

#7 KevRus (Full Member, 44 posts)

Posted 15 July 2004 - 03:24 PM

Okay, I scanned with CWShredder and my system was clean of CWS.

Norton's scan finished and there were 21 infected files (yikes lol) so I quarantined and deleted them all in safe mode. I don't get error messages on start-up anymore, but Explorer still needs to close on every start-up when the sound icon and networking icons try to load in the taskbar.

Internet Explorer also still has a changed search page and start-up page and I'm still getting pop-ups. I'll run that scan you recommended to check again. Here's my new HijackThis logfile:

Logfile of HijackThis v1.97.7
Scan saved at 1:14:07 PM, on 7/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\msCMTSrvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\netff.exe
C:\WINDOWS\system32\appnc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\winbas12.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINDOWS\System32\dxrdiag.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Kevin\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\utqjz.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://utqjz.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://utqjz.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\utqjz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://utqjz.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\utqjz.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
N2 - Netscape 6: # Mozilla User Preferences
// This is a generated file!

user_pref("aim.session.firsttime", false);
user_pref("browser.history.last_page_visited", "http://forums.prospe...Keep Reading>>");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dsl");
user_pref("browser.startup.homepage_override.mstone", "rv:0.9.4");
user_pref("prefs.converted-to-utf8", true);
user_pref("security.warn_submit_insecure", false);
user_pref("signon.SignonFileName", "78379029.s");
user_pref("timebomb.first_launch_time", "1078378885515000");
user_pref("wallet.caveat", true);
user_pref("intl.accept_languages", "rs1_b70b52e624c, rs2_e4ac4a18221, rs3_7ec70bd751");
user_pref("browser.helperApps.neverAsk.openFile", "application%2Fx-java-jnlp-file");
(C:\Documents and Settings\Kevin\Application Data\Mozilla\Profiles\default\ixs1j5xh.
N2 - Netscape 6: # Mozilla User Preferences
// This is a generated file!

user_pref("aim.session.firsttime", false);
user_pref("browser.history.last_page_visited", "http://forums.prospe...Keep Reading>>");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dsl");
user_pref("browser.startup.homepage_override.mstone", "rv:0.9.4");
user_pref("prefs.converted-to-utf8", true);
user_pref("security.warn_submit_insecure", false);
user_pref("signon.SignonFileName", "78379029.s");
user_pref("timebomb.first_launch_time", "1078378885515000");
user_pref("wallet.caveat", true);
user_pref("intl.accept_languages", "rs1_b70b52e624c, rs2_e4ac4a18221, rs3_7ec70bd751");
user_pref("browser.helperApps.neverAsk.openFile", "application%2Fx-java-jnlp-file");
(C:\Documents and Settings\Kevin\Application Data\Mozilla\Profiles\default\ixs1j5xh.
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {A0E095EB-74FB-9288-E117-E4EB1BCBB1EA} - C:\WINDOWS\syswd32.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [] C:\Program Files\winbas12.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [apijz32.exe] C:\WINDOWS\system32\apijz32.exe
O4 - HKLM\..\Run: [appnc.exe] C:\WINDOWS\system32\appnc.exe
O4 - HKLM\..\Run: [addxj.exe] C:\WINDOWS\system32\addxj.exe
O4 - HKLM\..\Run: [ipny.exe] C:\WINDOWS\system32\ipny.exe
O4 - HKLM\..\Run: [sysnv.exe] C:\WINDOWS\system32\sysnv.exe
O4 - HKLM\..\Run: [winxa.exe] C:\WINDOWS\system32\winxa.exe
O4 - HKLM\..\Run: [dxrdiag.exe] C:\WINDOWS\System32\dxrdiag.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [nettr.exe] C:\WINDOWS\system32\nettr.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [QuidditchWorldCupSnitchCluster] C:\Program Files\Desktop Golden Snitch US\skinkers.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [dxrdiag.exe] C:\WINDOWS\System32\dxrdiag.exe
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKLM\..\RunOnce: [msrh.exe] C:\WINDOWS\system32\msrh.exe
O4 - HKLM\..\RunOnce: [javayv.exe] C:\WINDOWS\system32\javayv.exe
O4 - HKLM\..\RunOnce: [javaqc.exe] C:\WINDOWS\javaqc.exe
O4 - HKLM\..\RunOnce: [msoy.exe] C:\WINDOWS\msoy.exe
O4 - HKLM\..\RunOnce: [addwn32.exe] C:\WINDOWS\addwn32.exe
O4 - HKLM\..\RunOnce: [iefk32.exe] C:\WINDOWS\system32\iefk32.exe
O4 - HKLM\..\RunOnce: [nttm32.exe] C:\WINDOWS\nttm32.exe
O4 - HKLM\..\RunOnce: [javaac32.exe] C:\WINDOWS\system32\javaac32.exe
O4 - HKLM\..\RunOnce: [winzg.exe] C:\WINDOWS\system32\winzg.exe
O4 - HKLM\..\RunOnce: [ntbf32.exe] C:\WINDOWS\ntbf32.exe
O4 - HKLM\..\RunOnce: [netag.exe] C:\WINDOWS\system32\netag.exe
O4 - HKLM\..\RunOnce: [winro.exe] C:\WINDOWS\system32\winro.exe
O4 - HKLM\..\RunOnce: [addnj32.exe] C:\WINDOWS\system32\addnj32.exe
O4 - HKLM\..\RunOnce: [sdkja32.exe] C:\WINDOWS\sdkja32.exe
O4 - HKLM\..\RunOnce: [netff.exe] C:\WINDOWS\system32\netff.exe
O4 - HKLM\..\RunOnce: [ipfo.exe] C:\WINDOWS\ipfo.exe
O4 - HKLM\..\RunOnce: [atlhw32.exe] C:\WINDOWS\atlhw32.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: Toki Toki Boom - http://download.game...nts/y/vtm_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {01234567-1234-1234-1234-012345678921} - http://images.neopet...ne/neoblue5.cab
O16 - DPF: {023A3744-EA13-4C8A-8B23-ABF98974A9F5} (JoyOnPack Control) - http://gunbound.joyo...m/joyonpack.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...tor/cabs/sw.cab
O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - http://thesims.ea.co...otDateTeleX.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/i...etup1.0.0.8.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.i1.yimg.co...v45/yacscom.cab
O16 - DPF: {2DAE59A1-B355-4653-8D33-33A3A8F8C078} (MaxisVacationTeleX Control) - http://thesims.ea.co...cationTeleX.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {558958F1-FF22-4A76-8595-79A6B7BA698A} (PuzzleBobbleLauncher Control) - https://www.pbo.jp/b...bleLauncher.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {5D1E3FA5-64FF-4387-9418-F1D67AFB2247} (MaxisSuperstarTeleX Control) - http://thesims.ea.co...erstarTeleX.cab
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://vhost.oddcast...ostClientIE.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8629CFEB-C31A-4429-9BB0-8765A8A24FDA} (MaxisUnleashedLotTeleX Control) - http://thesims.ea.co...hedLotTeleX.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yaho...rod/yregcfg.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7494.3085300926
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yaho...mail/ymmapi.dll
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.co...FamilyTeleX.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...stx/install.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...3.14/ttinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/p...r/v9/ticker.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://wwemail.suppo...ts/SysQuery.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...com/WildApp.cab
O16 - DPF: {FF791555-FDAC-43AB-B792-389E4CC0A6E5} (Toontown TestServer Installer ActiveX Control) - http://download.test...est/tt_test.cab


Does anyone see anything suspicious? What should I do next?? :wtf:

#8 giren (Full Member, 21 posts)

Posted 15 July 2004 - 03:32 PM

Have u run Adware yet? If not u should. If that doesn't help, go to the HijackThis! tutorial. It'll give u an idea what your log is detecting and probably a better idea what programs don't need to be running. http://www.spywarein...ogtutorial.html

After that repost ur new log.

giren

#9 KevRus (Full Member, 44 posts)

Posted 15 July 2004 - 03:35 PM

I've already scanned and used Adaware and Spybot, I used a tutorial on Hijackthis and got rid of files I didn't need, but I'll check it again and run spybot and adaware again.

#10 Damsel in Distress (Full Member, 10 posts)

Posted 15 July 2004 - 03:46 PM

hi again,

good job getting rid of those infected files. one thing that you might want to try is disabling system restore (it will ask you to reboot, do so) before you run the programs to get rid of the spyware. once the spyware is removed you can re-enable the system restore. here are directions for disabling system restore: http://vil.nai.com/v...eSysRestore.htm

also, you might want to run another virus scan with the system restore disabled.

also, are you still having problems with the notepad and midi files?

let me know what's going on...i'm leaving around 6

Sincerely,
:love: Damsel in Distress :love:

#11 KevRus (Full Member, 44 posts)

Posted 15 July 2004 - 04:07 PM

Yes, I had system restore disabled for the Norton scan and everything I've been doing. I read that tutorial on HijackThis that was VERY helpful! I'm going to reboot into Normal Mode right now. (I'm in safe mode) There was tons of stuff in Hijackthis I didn't notice before. I'm going to restart right now and let you know if everything is working.

Just one question for now: Whenever I use spybot S&D, after the scan I get this message

Error during check!
Xabot (Ungulfiger Datentyp fur")

Is that a problem, and what's with the German or whatever it is?

Here's my new Hijackthis Log:

Logfile of HijackThis v1.97.7
Scan saved at 2:07:25 PM, on 7/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Kevin\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
N2 - Netscape 6: # Mozilla User Preferences
// This is a generated file!

user_pref("aim.session.firsttime", false);
user_pref("browser.history.last_page_visited", "http://forums.prospe...Keep Reading>>");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dsl");
user_pref("browser.startup.homepage_override.mstone", "rv:0.9.4");
user_pref("prefs.converted-to-utf8", true);
user_pref("security.warn_submit_insecure", false);
user_pref("signon.SignonFileName", "78379029.s");
user_pref("timebomb.first_launch_time", "1078378885515000");
user_pref("wallet.caveat", true);
user_pref("intl.accept_languages", "rs1_b70b52e624c, rs2_e4ac4a18221, rs3_7ec70bd751");
user_pref("browser.helperApps.neverAsk.openFile", "application%2Fx-java-jnlp-file");
(C:\Documents and Settings\Kevin\Application Data\Mozilla\Profiles\default\ixs1j5xh.
N2 - Netscape 6: # Mozilla User Preferences
// This is a generated file!

user_pref("aim.session.firsttime", false);
user_pref("browser.history.last_page_visited", "http://forums.prospe...Keep Reading>>");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dsl");
user_pref("browser.startup.homepage_override.mstone", "rv:0.9.4");
user_pref("prefs.converted-to-utf8", true);
user_pref("security.warn_submit_insecure", false);
user_pref("signon.SignonFileName", "78379029.s");
user_pref("timebomb.first_launch_time", "1078378885515000");
user_pref("wallet.caveat", true);
user_pref("intl.accept_languages", "rs1_b70b52e624c, rs2_e4ac4a18221, rs3_7ec70bd751");
user_pref("browser.helperApps.neverAsk.openFile", "application%2Fx-java-jnlp-file");
(C:\Documents and Settings\Kevin\Application Data\Mozilla\Profiles\default\ixs1j5xh.
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A0E095EB-74FB-9288-E117-E4EB1BCBB1EA} - C:\WINDOWS\syswd32.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [] C:\Program Files\winbas12.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [apijz32.exe] C:\WINDOWS\system32\apijz32.exe
O4 - HKLM\..\Run: [appnc.exe] C:\WINDOWS\system32\appnc.exe
O4 - HKLM\..\Run: [addxj.exe] C:\WINDOWS\system32\addxj.exe
O4 - HKLM\..\Run: [ipny.exe] C:\WINDOWS\system32\ipny.exe
O4 - HKLM\..\Run: [sysnv.exe] C:\WINDOWS\system32\sysnv.exe
O4 - HKLM\..\Run: [winxa.exe] C:\WINDOWS\system32\winxa.exe
O4 - HKLM\..\Run: [dxrdiag.exe] C:\WINDOWS\System32\dxrdiag.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [nettr.exe] C:\WINDOWS\system32\nettr.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [QuidditchWorldCupSnitchCluster] C:\Program Files\Desktop Golden Snitch US\skinkers.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [dxrdiag.exe] C:\WINDOWS\System32\dxrdiag.exe
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\RunOnce: [msrh.exe] C:\WINDOWS\system32\msrh.exe
O4 - HKLM\..\RunOnce: [javayv.exe] C:\WINDOWS\system32\javayv.exe
O4 - HKLM\..\RunOnce: [javaqc.exe] C:\WINDOWS\javaqc.exe
O4 - HKLM\..\RunOnce: [msoy.exe] C:\WINDOWS\msoy.exe
O4 - HKLM\..\RunOnce: [addwn32.exe] C:\WINDOWS\addwn32.exe
O4 - HKLM\..\RunOnce: [iefk32.exe] C:\WINDOWS\system32\iefk32.exe
O4 - HKLM\..\RunOnce: [nttm32.exe] C:\WINDOWS\nttm32.exe
O4 - HKLM\..\RunOnce: [javaac32.exe] C:\WINDOWS\system32\javaac32.exe
O4 - HKLM\..\RunOnce: [winzg.exe] C:\WINDOWS\system32\winzg.exe
O4 - HKLM\..\RunOnce: [ntbf32.exe] C:\WINDOWS\ntbf32.exe
O4 - HKLM\..\RunOnce: [netag.exe] C:\WINDOWS\system32\netag.exe
O4 - HKLM\..\RunOnce: [winro.exe] C:\WINDOWS\system32\winro.exe
O4 - HKLM\..\RunOnce: [addnj32.exe] C:\WINDOWS\system32\addnj32.exe
O4 - HKLM\..\RunOnce: [sdkja32.exe] C:\WINDOWS\sdkja32.exe
O4 - HKLM\..\RunOnce: [netff.exe] C:\WINDOWS\system32\netff.exe
O4 - HKLM\..\RunOnce: [ipfo.exe] C:\WINDOWS\ipfo.exe
O4 - HKLM\..\RunOnce: [atlhw32.exe] C:\WINDOWS\atlhw32.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: Toki Toki Boom - http://download.game...nts/y/vtm_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {01234567-1234-1234-1234-012345678921} - http://images.neopet...ne/neoblue5.cab
O16 - DPF: {023A3744-EA13-4C8A-8B23-ABF98974A9F5} (JoyOnPack Control) - http://gunbound.joyo...m/joyonpack.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macrom...tor/cabs/sw.cab
O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - http://thesims.ea.co...otDateTeleX.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.i1.yimg.co...v45/yacscom.cab
O16 - DPF: {2DAE59A1-B355-4653-8D33-33A3A8F8C078} (MaxisVacationTeleX Control) - http://thesims.ea.co...cationTeleX.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {558958F1-FF22-4A76-8595-79A6B7BA698A} (PuzzleBobbleLauncher Control) - https://www.pbo.jp/b...bleLauncher.ocx
O16 - DPF: {5D1E3FA5-64FF-4387-9418-F1D67AFB2247} (MaxisSuperstarTeleX Control) - http://thesims.ea.co...erstarTeleX.cab
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://vhost.oddcast...ostClientIE.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8629CFEB-C31A-4429-9BB0-8765A8A24FDA} (MaxisUnleashedLotTeleX Control) - http://thesims.ea.co...hedLotTeleX.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yaho...rod/yregcfg.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7494.3085300926
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yaho...mail/ymmapi.dll
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.co...FamilyTeleX.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...stx/install.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...3.14/ttinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/p...r/v9/ticker.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://wwemail.suppo...ts/SysQuery.cab
O16 - DPF: {FF791555-FDAC-43AB-B792-389E4CC0A6E5} (Toontown TestServer Installer ActiveX Control) - http://download.test...est/tt_test.cab


Better?
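For the question of what in these logs looks suspicious, here is a small triage script, added as an example and not part of HijackThis or of any tool linked in this thread; it encodes the rules of thumb the helpers apply by eye, with sample lines copied from the logs KevRus posted (the res:// start-page lines are from his later log). The heuristics and function names are this example's own assumptions.

```python
"""Triage helper for HijackThis-style logs.

Added example, not part of HijackThis or of any tool linked in this thread.
It applies the rules of thumb the helpers here apply by eye:
  * R0/R1 start/search pages pointing at res://<dll> are served from a local
    DLL resource, the hijack visible in the later logs in this thread;
  * O4 autoruns whose value name is just the executable's file name, autoruns
    with an empty name, and RunOnce entries pointing into the Windows directory
    match the randomly named droppers in KevRus's logs;
  * O2 BHO DLLs loaded straight from the Windows directory deserve a look.
All function names and the heuristics themselves are this example's own.
"""
import re
from typing import List, NamedTuple, Optional

# Constructed sample: lines copied from the logs posted in this thread, mixing
# known-good entries (Norton, QuickTime, TeaTimer) with the suspicious ones.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zkjjt.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zkjjt.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: (no name) - {A0E095EB-74FB-9288-E117-E4EB1BCBB1EA} - C:\WINDOWS\syswd32.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [] C:\Program Files\winbas12.exe
O4 - HKLM\..\Run: [apijz32.exe] C:\WINDOWS\system32\apijz32.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunOnce: [netff.exe] C:\WINDOWS\system32\netff.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

# One regex per HijackThis section handled here (R0/R1, O2, O4).
R_LINE = re.compile(r"^R[0-3] - (?P<key>.+?) = (?P<value>.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Paths under the Windows directory itself (any drive letter), case-insensitive.
WINDIR = re.compile(r"^[a-z]:\\windows\\", re.I)


class Finding(NamedTuple):
    line: str
    reason: str


def executable_path(cmd: str) -> str:
    """Return the program path from an O4 command line, dropping quotes and arguments."""
    m = re.match(r'"?(.*?\.exe)', cmd, re.I)
    return m.group(1) if m else cmd.strip()


def triage_line(line: str) -> Optional[str]:
    """Return the reason a line is suspicious, or None if no rule matches."""
    m = R_LINE.match(line)
    if m:
        if m.group("value").lower().startswith("res://"):
            return "IE start/search page served from a local DLL resource (hijack)"
        return None
    m = O2_LINE.match(line)
    if m:
        if WINDIR.match(m.group("path")):
            return "BHO DLL loaded from the Windows directory, not an application folder"
        return None
    m = O4_LINE.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd")
        path = executable_path(cmd)
        base = path.rsplit("\\", 1)[-1]
        if not name:
            return "autorun with an empty value name"
        if name.lower() == base.lower():
            return "autorun value name is just the executable's file name"
        if m.group("key").lower() == "runonce" and WINDIR.match(path):
            return "RunOnce entry pointing into the Windows directory"
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line of a log and collect the hits."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reason = triage_line(line)
        if reason:
            findings.append(Finding(line, reason))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.reason}\n    {finding.line}")
```

Feeding a full log through `triage()` lists the entries a helper would ask about first; the known-good Norton, QuickTime and TeaTimer lines in the sample are left alone.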

#12 KevRus (Full Member, 44 posts)

Posted 15 July 2004 - 04:22 PM

Alright when I rebooted, I immediately got tons of "registry change" messages from Spybot S&D that were all of the homepage that always comes up on Internet Explorer from the spyware!!! So something's STILL on my computer!!! I said deny and to remember my selection, so it didn't change, but something's still on my computer!! Can anyone please help me? I'm still getting pop-ups, and explorer still closes on start-up. What is going on here???

EDIT: MIDIs still aren't working either.... :hmmm: I need to be able to listen to MIDIs for my synth...... :hmmm:

Edited by KevRus, 15 July 2004 - 04:43 PM.


#13 giren (Full Member, 21 posts)

Posted 15 July 2004 - 04:43 PM

ok, sounds like a major problem. Let's take it one piece at a time.

1. go to http://easyrcon.com/spyremove/ and d/l the program there. That will address the homepage issue. If u can't d/l the program, print/copy the manual instructions. While you're at it, remove all cookies and temp internet files. You will probably have to reset your computer after this. Once u do that, let me know if ur homepage keeps loading the same homepage after u reset it.

2. next, close any program in the task bar that you don't need to be running at the moment. run hijackthis and repost the log.

#14 KevRus (Full Member, 44 posts)

Posted 15 July 2004 - 04:44 PM

Alright I'll try that, but I have one problem, every time I delete temporary internet files, it either takes soooo long, or it freezes on me, because eventually after a while, it just says "not responding....."

#15 KevRus (Full Member, 44 posts)

Posted 15 July 2004 - 05:05 PM

Okay, I deleted cookies and temporary internet files in safe mode and it worked fine. But that program you told me to download didn't work at all. I ran it in safe mode and restarted, but I still got messages from Spybot S&D that something was trying to change my registry. (my homepage and search pages) Some of them I can't click Deny Access!

That program didn't work. :mellow: :weep: :oops: I'm so FRUSTRATED!!!!! What else can I dooo?

#16 giren (Full Member, 21 posts)

Posted 15 July 2004 - 05:10 PM

close Spybot S&D and try rerunning the program. What the program does is wipe clean the files that spyware is using and replace them w/ blanks. It then changes them to read only to close the IE loophole that they're exploiting. It may be that Spybot S&D is conflicting w/ the program. If that doesn't work go back to the webpage and follow the manual instructions. Also, update your hijackthis to ver 1.98

#17 KevRus (Full Member, 44 posts)

Posted 15 July 2004 - 05:30 PM

Okay I did as you said and disabled Spybot S&D and ran the program and it still didn't work.....I upgraded my hijackthis and I'll go check on the manual instructions now...

#18 giren (Full Member, 21 posts)

Posted 15 July 2004 - 05:39 PM

r u running the program in safe mode?

#19 KevRus (Full Member, 44 posts)

Posted 15 July 2004 - 05:44 PM

Yes,

Okay I did the manual instructions and every single thing the manual instructions told me to do was already done. None of the files it said to delete were there. The registry keys it said to delete weren't there either.......

Edited by KevRus, 15 July 2004 - 05:44 PM.


#20 giren (Full Member, 21 posts)

Posted 15 July 2004 - 05:45 PM

let me see your hijackthis log

#21 KevRus (Full Member, 44 posts)

Posted 15 July 2004 - 05:51 PM

Ok

Logfile of HijackThis v1.98.0
Scan saved at 3:50:51 PM, on 7/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zkjjt.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zkjjt.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zkjjt.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zkjjt.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zkjjt.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zkjjt.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
N2 - Netscape 6: # Mozilla User Preferences
// This is a generated file!

user_pref("aim.session.firsttime", false);
user_pref("browser.history.last_page_visited", "http://forums.prospe...Keep Reading>>");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dsl");
user_pref("browser.startup.homepage_override.mstone", "rv:0.9.4");
user_pref("prefs.converted-to-utf8", true);
user_pref("security.warn_submit_insecure", false);
user_pref("signon.SignonFileName", "78379029.s");
user_pref("timebomb.first_launch_time", "1078378885515000");
user_pref("wallet.caveat", true);
user_pref("intl.accept_languages", "rs1_b70b52e624c, rs2_e4ac4a18221, rs3_7ec70bd751");
user_pref("browser.helperApps.neverAsk.openFile", "application%2Fx-java-jnlp-file");
(C:\Documents and Settings\Kevin\Application Data\Mozilla\Profiles\default\ixs1j5xh.
N2 - Netscape 6: # Mozilla User Preferences
// This is a generated file!

user_pref("aim.session.firsttime", false);
user_pref("browser.history.last_page_visited", "http://forums.prospe...Keep Reading>>");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dsl");
user_pref("browser.startup.homepage_override.mstone", "rv:0.9.4");
user_pref("prefs.converted-to-utf8", true);
user_pref("security.warn_submit_insecure", false);
user_pref("signon.SignonFileName", "78379029.s");
user_pref("timebomb.first_launch_time", "1078378885515000");
user_pref("wallet.caveat", true);
user_pref("intl.accept_languages", "rs1_b70b52e624c, rs2_e4ac4a18221, rs3_7ec70bd751");
user_pref("browser.helperApps.neverAsk.openFile", "application%2Fx-java-jnlp-file");
(C:\Documents and Settings\Kevin\Application Data\Mozilla\Profiles\default\ixs1j5xh.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9FE7DEEF-D8F3-5B9A-63B8-39936AA6BF41} - C:\WINDOWS\apijp32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [] C:\Program Files\winbas12.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [apijz32.exe] C:\WINDOWS\system32\apijz32.exe
O4 - HKLM\..\Run: [appnc.exe] C:\WINDOWS\system32\appnc.exe
O4 - HKLM\..\Run: [addxj.exe] C:\WINDOWS\system32\addxj.exe
O4 - HKLM\..\Run: [ipny.exe] C:\WINDOWS\system32\ipny.exe
O4 - HKLM\..\Run: [sysnv.exe] C:\WINDOWS\system32\sysnv.exe
O4 - HKLM\..\Run: [winxa.exe] C:\WINDOWS\system32\winxa.exe
O4 - HKLM\..\Run: [dxrdiag.exe] C:\WINDOWS\System32\dxrdiag.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [nettr.exe] C:\WINDOWS\system32\nettr.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\RunOnce: [msrh.exe] C:\WINDOWS\system32\msrh.exe
O4 - HKLM\..\RunOnce: [javayv.exe] C:\WINDOWS\system32\javayv.exe
O4 - HKLM\..\RunOnce: [javaqc.exe] C:\WINDOWS\javaqc.exe
O4 - HKLM\..\RunOnce: [msoy.exe] C:\WINDOWS\msoy.exe
O4 - HKLM\..\RunOnce: [addwn32.exe] C:\WINDOWS\addwn32.exe
O4 - HKLM\..\RunOnce: [iefk32.exe] C:\WINDOWS\system32\iefk32.exe
O4 - HKLM\..\RunOnce: [nttm32.exe] C:\WINDOWS\nttm32.exe
O4 - HKLM\..\RunOnce: [javaac32.exe] C:\WINDOWS\system32\javaac32.exe
O4 - HKLM\..\RunOnce: [winzg.exe] C:\WINDOWS\system32\winzg.exe
O4 - HKLM\..\RunOnce: [ntbf32.exe] C:\WINDOWS\ntbf32.exe
O4 - HKLM\..\RunOnce: [netag.exe] C:\WINDOWS\system32\netag.exe
O4 - HKLM\..\RunOnce: [winro.exe] C:\WINDOWS\system32\winro.exe
O4 - HKLM\..\RunOnce: [addnj32.exe] C:\WINDOWS\system32\addnj32.exe
O4 - HKLM\..\RunOnce: [sdkja32.exe] C:\WINDOWS\sdkja32.exe
O4 - HKLM\..\RunOnce: [netff.exe] C:\WINDOWS\system32\netff.exe
O4 - HKLM\..\RunOnce: [ipfo.exe] C:\WINDOWS\ipfo.exe
O4 - HKLM\..\RunOnce: [atlhw32.exe] C:\WINDOWS\atlhw32.exe
O4 - HKLM\..\RunOnce: [crml.exe] C:\WINDOWS\crml.exe
O4 - HKLM\..\RunOnce: [d3ct.exe] C:\WINDOWS\system32\d3ct.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [QuidditchWorldCupSnitchCluster] C:\Program Files\Desktop Golden Snitch US\skinkers.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [dxrdiag.exe] C:\WINDOWS\System32\dxrdiag.exe
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: Toki Toki Boom - http://download.game...nts/y/vtm_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {01234567-1234-1234-1234-012345678921} - http://images.neopet...ne/neoblue5.cab
O16 - DPF: {023A3744-EA13-4C8A-8B23-ABF98974A9F5} (JoyOnPack Control) - http://gunbound.joyo...m/joyonpack.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - http://thesims.ea.co...otDateTeleX.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.i1.yimg.co...v45/yacscom.cab
O16 - DPF: {2DAE59A1-B355-4653-8D33-33A3A8F8C078} (MaxisVacationTeleX Control) - http://thesims.ea.co...cationTeleX.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {558958F1-FF22-4A76-8595-79A6B7BA698A} (PuzzleBobbleLauncher Control) - https://www.pbo.jp/b...bleLauncher.ocx
O16 - DPF: {5D1E3FA5-64FF-4387-9418-F1D67AFB2247} (MaxisSuperstarTeleX Control) - http://thesims.ea.co...erstarTeleX.cab
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://vhost.oddcast...ostClientIE.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8629CFEB-C31A-4429-9BB0-8765A8A24FDA} (MaxisUnleashedLotTeleX Control) - http://thesims.ea.co...hedLotTeleX.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.co...FamilyTeleX.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...stx/install.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...3.14/ttinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/p...r/v9/ticker.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://wwemail.suppo...ts/SysQuery.cab
O16 - DPF: {FF791555-FDAC-43AB-B792-389E4CC0A6E5} (Toontown TestServer Installer ActiveX Control) - http://download.test...est/tt_test.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
O21 - SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - (no file)


Explorer still crashes on start-up, and MIDIs don't work either...

Edited by KevRus, 15 July 2004 - 05:52 PM.


#22 giren
Posted 15 July 2004 - 06:58 PM

Alright, here we go:

Step 1: Download AboutBuster.exe (it will be used later).

Make sure you have saved HijackThis in its own folder so that you can save the logs in case you need to restore any system settings. Make sure your computer is set to show hidden files.

Open Windows Explorer and go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply", then "OK".

Step 2: Reboot your computer in Safe Mode and run HijackThis with everything else closed.

Step 3: Check the boxes next to the lines below and have HijackThis repair/erase these files:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zkjjt.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zkjjt.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zkjjt.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zkjjt.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zkjjt.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zkjjt.dll/index.html#37049

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)

O2 - BHO: (no name) - {9FE7DEEF-D8F3-5B9A-63B8-39936AA6BF41} - C:\WINDOWS\apijp32.dll

O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Step 4: Find and delete the following files:

C:\WINDOWS\apijp32.dll
C:\Program Files\RSNet\RSEDNClient.exe
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe

Step 5: Run AboutBuster.exe and click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report (copy and paste it into Notepad or WordPad and save it as a .txt file).

Step 6: Scan with Ad-Aware once again and let it clean up any bad files found.

Step 7: Once again, clean out any cookies and temporary internet files that may have been reinstalled. Go to Start --> Run --> cleanmgr. Let it scan your system for files to remove. Make sure these three are checked, Temporary Files, Temporary Internet Files and Recycle Bin, and then press OK to remove them.

Okay, reboot to normal mode and run HijackThis once again. Repost your log here. Hope this fixes it. :gasp:
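
As an added example for this thread (not HijackThis code, and not part of giren's instructions), the Python script below parses the HijackThis log format KevRus posted and flags the entry types giren picked out for fixing: R0/R1 browser settings served out of a res:// DLL, an O2 BHO with "(no name)", O6 IE policy restrictions, and O4 autorun entries that have an empty name or are simply named after their own executable. The last rule is a heuristic read off this thread's logs, not a general signature. The two embedded logs are constructed excerpts of the before and after logs in this thread; the second function compares them after masking the DLL path, so the same hijack coming back under a new file name shows up as "persisted" rather than as a fresh problem.

```python
"""Triage helper for HijackThis logs (added example; not HijackThis code)."""
import re
from typing import Dict, List, Tuple

# A log entry starts with its section code (R0, O2, O4, ...) and " - ".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
# res:// target: everything up to the next slash is the DLL path.
RES_RE = re.compile(r"res://([^/\s]+)/")
# O4 autorun entry as HijackThis prints it: HKLM\..\Run: [name] command
AUTORUN_RE = re.compile(r"HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[([^\]]*)\] (.*)$")

# Constructed excerpts of the two logs posted in this thread (before and
# after the fix list); paths and CLSIDs are copied from those logs.
LOG_BEFORE = r"""Logfile of HijackThis v1.98.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zkjjt.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zkjjt.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
N2 - Netscape 6: # Mozilla User Preferences
// This is a generated file!

user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dsl");
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9FE7DEEF-D8F3-5B9A-63B8-39936AA6BF41} - C:\WINDOWS\apijp32.dll
O4 - HKLM\..\Run: [] C:\Program Files\winbas12.exe
O4 - HKLM\..\Run: [apijz32.exe] C:\WINDOWS\system32\apijz32.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""
LOG_AFTER = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\omngo.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://omngo.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: (no name) - {EDB01F6E-9066-86A1-6292-AB9DCF3AB6EC} - C:\WINDOWS\system32\mskn32.dll
O4 - HKLM\..\Run: [] C:\Program Files\winbas12.exe
O4 - HKLM\..\Run: [apijz32.exe] C:\WINDOWS\system32\apijz32.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
"""


def parse_log(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs in log order. Lines that do not open a new
    entry (the multi-line N2 Netscape prefs dump) are appended to the previous
    entry; header lines before the first entry are skipped."""
    entries: List[Tuple[str, str]] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).strip()))
        elif entries and line.strip():
            section, body = entries[-1]
            entries[-1] = (section, body + "\n" + line)
    return entries


def res_dll(body: str) -> str:
    """File name of the DLL behind a res:// target, lower-cased, or ''."""
    m = RES_RE.search(body)
    return m.group(1).rsplit("\\", 1)[-1].lower() if m else ""


def flag_entry(section: str, body: str) -> str:
    """Reason text when the entry matches a triage rule, else ''."""
    if section in ("R0", "R1") and res_dll(body):
        return "IE start/search page served out of a res:// DLL (%s)" % res_dll(body)
    if section == "O2" and body.startswith("BHO: (no name)"):
        return "Browser Helper Object with no name"
    if section == "O6":
        return "IE policy restrictions present (user settings locked)"
    if section == "O4":
        m = AUTORUN_RE.match(body)
        if m:
            name, cmd = m.group(1), m.group(2)
            if name == "":
                return "autorun entry with an empty name"
            exe = cmd.strip('"').rsplit("\\", 1)[-1].lower()
            if name.lower() == exe:  # heuristic: [foo.exe] C:\...\foo.exe
                return "autorun entry named after its own executable"
    return ""


def triage(text: str) -> List[Tuple[str, str, str]]:
    """(section, reason, body) for every flagged entry, in log order."""
    out: List[Tuple[str, str, str]] = []
    for section, body in parse_log(text):
        reason = flag_entry(section, body)
        if reason:
            out.append((section, reason, body))
    return out


def normalise(section: str, body: str) -> str:
    """Mask the DLL path in a res:// target so two logs compare on the shape
    of the hijack, not on the file name that changes on every reinstall."""
    return section + " - " + RES_RE.sub("res://<dll>/", body)


def compare_logs(before: str, after: str) -> Dict[str, List[str]]:
    """Which flagged entries survived a cleanup, which are new, which are gone."""
    b = {normalise(s, x) for s, x in parse_log(before) if flag_entry(s, x)}
    a = {normalise(s, x) for s, x in parse_log(after) if flag_entry(s, x)}
    return {"persisted": sorted(a & b), "new": sorted(a - b), "gone": sorted(b - a)}


if __name__ == "__main__":
    for section, reason, body in triage(LOG_BEFORE):
        print("%-3s %s\n    %s" % (section, reason, body.splitlines()[0]))
    for key, items in compare_logs(LOG_BEFORE, LOG_AFTER).items():
        print("\n%s (%d):" % (key, len(items)))
        for item in items:
            print("   ", item)
```

Run against the two excerpts, the comparison reports the res:// start and search pages and the empty-name and self-named autorun entries as persisted (zkjjt.dll simply became omngo.dll in system32), the O6 restriction and the apijp32.dll BHO as gone, and the mskn32.dll BHO as new, which is the picture the later posts in the thread describe in words.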

#23 giren
Posted 15 July 2004 - 07:04 PM

One change: don't delete lsass.exe or smss.exe. They're in the right place. Sorry for the confusion... it's late over here.

giren

#24 KevRus
Posted 15 July 2004 - 08:37 PM

Okay, I did as you said and it STILL didn't work! Now the main page is the same, but the address changed to something like omngo... I also get tons of pop-ups that have the title "Only the Best", and Explorer still crashes and MIDIs don't work...

During the AboutBuster scan, it said some things were unable to be removed. Do you want the log of it?

Here's the new HijackThis log:

Logfile of HijackThis v1.98.0
Scan saved at 6:35:04 PM, on 7/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\msCMTSrvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\netff.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\winbas12.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\system32\apijz32.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\WINDOWS\System32\dxrdiag.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\omngo.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://omngo.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://omngo.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\omngo.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\omngo.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://omngo.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - Default URLSearchHook is missing
N2 - Netscape 6: # Mozilla User Preferences
// This is a generated file!

user_pref("aim.session.firsttime", false);
user_pref("browser.history.last_page_visited", "http://forums.prospe...Keep Reading>>");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dsl");
user_pref("browser.startup.homepage_override.mstone", "rv:0.9.4");
user_pref("prefs.converted-to-utf8", true);
user_pref("security.warn_submit_insecure", false);
user_pref("signon.SignonFileName", "78379029.s");
user_pref("timebomb.first_launch_time", "1078378885515000");
user_pref("wallet.caveat", true);
user_pref("intl.accept_languages", "rs1_b70b52e624c, rs2_e4ac4a18221, rs3_7ec70bd751");
user_pref("browser.helperApps.neverAsk.openFile", "application%2Fx-java-jnlp-file");
(C:\Documents and Settings\Kevin\Application Data\Mozilla\Profiles\default\ixs1j5xh.
N2 - Netscape 6: # Mozilla User Preferences
// This is a generated file!

user_pref("aim.session.firsttime", false);
user_pref("browser.history.last_page_visited", "http://forums.prospe...Keep Reading>>");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dsl");
user_pref("browser.startup.homepage_override.mstone", "rv:0.9.4");
user_pref("prefs.converted-to-utf8", true);
user_pref("security.warn_submit_insecure", false);
user_pref("signon.SignonFileName", "78379029.s");
user_pref("timebomb.first_launch_time", "1078378885515000");
user_pref("wallet.caveat", true);
user_pref("intl.accept_languages", "rs1_b70b52e624c, rs2_e4ac4a18221, rs3_7ec70bd751");
user_pref("browser.helperApps.neverAsk.openFile", "application%2Fx-java-jnlp-file");
(C:\Documents and Settings\Kevin\Application Data\Mozilla\Profiles\default\ixs1j5xh.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EDB01F6E-9066-86A1-6292-AB9DCF3AB6EC} - C:\WINDOWS\system32\mskn32.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [] C:\Program Files\winbas12.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [apijz32.exe] C:\WINDOWS\system32\apijz32.exe
O4 - HKLM\..\Run: [appnc.exe] C:\WINDOWS\system32\appnc.exe
O4 - HKLM\..\Run: [addxj.exe] C:\WINDOWS\system32\addxj.exe
O4 - HKLM\..\Run: [ipny.exe] C:\WINDOWS\system32\ipny.exe
O4 - HKLM\..\Run: [sysnv.exe] C:\WINDOWS\system32\sysnv.exe
O4 - HKLM\..\Run: [winxa.exe] C:\WINDOWS\system32\winxa.exe
O4 - HKLM\..\Run: [dxrdiag.exe] C:\WINDOWS\System32\dxrdiag.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [nettr.exe] C:\WINDOWS\system32\nettr.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\RunOnce: [msrh.exe] C:\WINDOWS\system32\msrh.exe
O4 - HKLM\..\RunOnce: [javayv.exe] C:\WINDOWS\system32\javayv.exe
O4 - HKLM\..\RunOnce: [iefk32.exe] C:\WINDOWS\system32\iefk32.exe
O4 - HKLM\..\RunOnce: [javaac32.exe] C:\WINDOWS\system32\javaac32.exe
O4 - HKLM\..\RunOnce: [winzg.exe] C:\WINDOWS\system32\winzg.exe
O4 - HKLM\..\RunOnce: [ntbf32.exe] C:\WINDOWS\ntbf32.exe
O4 - HKLM\..\RunOnce: [netag.exe] C:\WINDOWS\system32\netag.exe
O4 - HKLM\..\RunOnce: [winro.exe] C:\WINDOWS\system32\winro.exe
O4 - HKLM\..\RunOnce: [addnj32.exe] C:\WINDOWS\system32\addnj32.exe
O4 - HKLM\..\RunOnce: [sdkja32.exe] C:\WINDOWS\sdkja32.exe
O4 - HKLM\..\RunOnce: [netff.exe] C:\WINDOWS\system32\netff.exe
O4 - HKLM\..\RunOnce: [ipfo.exe] C:\WINDOWS\ipfo.exe
O4 - HKLM\..\RunOnce: [crml.exe] C:\WINDOWS\crml.exe
O4 - HKLM\..\RunOnce: [d3ct.exe] C:\WINDOWS\system32\d3ct.exe
O4 - HKLM\..\RunOnce: [msmp32.exe] C:\WINDOWS\msmp32.exe
O4 - HKLM\..\RunOnce: [appta.exe] C:\WINDOWS\system32\appta.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [QuidditchWorldCupSnitchCluster] C:\Program Files\Desktop Golden Snitch US\skinkers.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [dxrdiag.exe] C:\WINDOWS\System32\dxrdiag.exe
O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: Toki Toki Boom - http://download.game...nts/y/vtm_x.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Graffiti - http://download.game...ts/y/grt5_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {01234567-1234-1234-1234-012345678921} - http://images.neopet...ne/neoblue5.cab
O16 - DPF: {023A3744-EA13-4C8A-8B23-ABF98974A9F5} (JoyOnPack Control) - http://gunbound.joyo...m/joyonpack.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {1671869C-25B3-4C80-9446-8AE6111F8765} (MaxisHotDateTeleX Control) - http://thesims.ea.co...otDateTeleX.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.i1.yimg.co...v45/yacscom.cab
O16 - DPF: {2DAE59A1-B355-4653-8D33-33A3A8F8C078} (MaxisVacationTeleX Control) - http://thesims.ea.co...cationTeleX.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {558958F1-FF22-4A76-8595-79A6B7BA698A} (PuzzleBobbleLauncher Control) - https://www.pbo.jp/b...bleLauncher.ocx
O16 - DPF: {5D1E3FA5-64FF-4387-9418-F1D67AFB2247} (MaxisSuperstarTeleX Control) - http://thesims.ea.co...erstarTeleX.cab
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://vhost.oddcast...ostClientIE.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8629CFEB-C31A-4429-9BB0-8765A8A24FDA} (MaxisUnleashedLotTeleX Control) - http://thesims.ea.co...hedLotTeleX.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.co...FamilyTeleX.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...stx/install.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...3.14/ttinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/p...r/v9/ticker.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot....ownload/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://wwemail.suppo...ts/SysQuery.cab
O16 - DPF: {FF791555-FDAC-43AB-B792-389E4CC0A6E5} (Toontown TestServer Installer ActiveX Control) - http://download.test...est/tt_test.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
O21 - SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - (no file)


When will the suffering end!!! :alarm: :techsupport:

Edited by KevRus, 15 July 2004 - 08:38 PM.


#25 KevRus


Posted 15 July 2004 - 11:01 PM

bump....

#26 giren


Posted 16 July 2004 - 02:16 AM

Post your aboutbuster log and let me take a look at it

#27 giren


Posted 16 July 2004 - 03:15 AM

Also uninstall any toolbar and any freeware in your Add/Remove Programs. This will remove a location where the CWS program spawns from.

#28 giren


Posted 16 July 2004 - 07:38 AM

Ok, did some research and have some new ideas.

Run hjt and check the following boxes:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\omngo.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://omngo.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://omngo.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\omngo.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\omngo.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://omngo.dll/index.html#37049
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {EDB01F6E-9066-86A1-6292-AB9DCF3AB6EC} - C:\WINDOWS\system32\mskn32.dll

O4 - HKLM\..\Run: [] C:\Program Files\winbas12.exe
O4 - HKLM\..\Run: [apijz32.exe] C:\WINDOWS\system32\apijz32.exe
O4 - HKLM\..\Run: [appnc.exe] C:\WINDOWS\system32\appnc.exe
O4 - HKLM\..\Run: [addxj.exe] C:\WINDOWS\system32\addxj.exe
O4 - HKLM\..\Run: [ipny.exe] C:\WINDOWS\system32\ipny.exe
O4 - HKLM\..\Run: [sysnv.exe] C:\WINDOWS\system32\sysnv.exe
O4 - HKLM\..\Run: [winxa.exe] C:\WINDOWS\system32\winxa.exe
O4 - HKLM\..\Run: [dxrdiag.exe] C:\WINDOWS\System32\dxrdiag.exe
O4 - HKLM\..\Run: [nettr.exe] C:\WINDOWS\system32\nettr.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunOnce: [msrh.exe] C:\WINDOWS\system32\msrh.exe
O4 - HKLM\..\RunOnce: [javayv.exe] C:\WINDOWS\system32\javayv.exe
O4 - HKLM\..\RunOnce: [iefk32.exe] C:\WINDOWS\system32\iefk32.exe
O4 - HKLM\..\RunOnce: [javaac32.exe] C:\WINDOWS\system32\javaac32.exe
O4 - HKLM\..\RunOnce: [winzg.exe] C:\WINDOWS\system32\winzg.exe
O4 - HKLM\..\RunOnce: [ntbf32.exe] C:\WINDOWS\ntbf32.exe
O4 - HKLM\..\RunOnce: [netag.exe] C:\WINDOWS\system32\netag.exe
O4 - HKLM\..\RunOnce: [winro.exe] C:\WINDOWS\system32\winro.exe
O4 - HKLM\..\RunOnce: [addnj32.exe] C:\WINDOWS\system32\addnj32.exe
O4 - HKLM\..\RunOnce: [sdkja32.exe] C:\WINDOWS\sdkja32.exe
O4 - HKLM\..\RunOnce: [netff.exe] C:\WINDOWS\system32\netff.exe
O4 - HKLM\..\RunOnce: [ipfo.exe] C:\WINDOWS\ipfo.exe
O4 - HKLM\..\RunOnce: [crml.exe] C:\WINDOWS\crml.exe
O4 - HKLM\..\RunOnce: [d3ct.exe] C:\WINDOWS\system32\d3ct.exe
O4 - HKLM\..\RunOnce: [msmp32.exe] C:\WINDOWS\msmp32.exe
O4 - HKLM\..\RunOnce: [appta.exe] C:\WINDOWS\system32\appta.exe
O4 - HKCU\..\Run: [dxrdiag.exe] C:\WINDOWS\System32\dxrdiag.exe
O4 - Startup: PowerReg Scheduler V3.exe

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...3.14/ttinst.cab
O16 - DPF: {FF791555-FDAC-43AB-B792-389E4CC0A6E5} (Toontown TestServer Installer ActiveX Control) - http://download.test...est/tt_test.cab

O21 - SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - (no file)


Miscellaneous:

O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe - Could be corrupted, which may explain your MIDI sound problem; go to a Compaq support site for help, as it is a Compaq svc support issue.


Now in Safe Mode delete the following files if they're still 'round (they may be hidden):

C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\msCMTSrvc.exe
C:\WINDOWS\system32\apijz32.exe
C:\Program Files\winbas12.exe
C:\WINDOWS\System32\dxrdiag.exe
C:\Program Files\winbas12.exe
C:\WINDOWS\system32\apijz32.exe
C:\WINDOWS\system32\appnc.exe
C:\WINDOWS\system32\addxj.exe
C:\WINDOWS\system32\ipny.exe
C:\WINDOWS\system32\sysnv.exe
C:\WINDOWS\system32\winxa.exe
C:\WINDOWS\System32\dxrdiag.exe
C:\WINDOWS\system32\nettr.exe
C:\WINDOWS\system32\msrh.exe
C:\WINDOWS\system32\javayv.exe
C:\WINDOWS\system32\iefk32.exe
C:\WINDOWS\system32\javaac32.exe
C:\WINDOWS\system32\winzg.exe
C:\WINDOWS\ntbf32.exe
C:\WINDOWS\system32\netag.exe
C:\WINDOWS\system32\winro.exe
C:\WINDOWS\system32\addnj32.exe
C:\WINDOWS\sdkja32.exe
C:\WINDOWS\system32\netff.exe
C:\WINDOWS\ipfo.exe
C:\WINDOWS\crml.exe
C:\WINDOWS\system32\d3ct.exe
C:\WINDOWS\msmp32.exe
C:\WINDOWS\system32\appta.exe


!!!C:\WINDOWS\explorer.exe!!!
Go to the link below and see if your IE meets one of the descriptions. There they have links to surgically remove the trojan that may be emulating/corrupting your IE.
http://www.sysinfo.o...er=explorer.exe



Now make sure you're disconnected from the internet when you run About:Blank and CWS. Go ahead and fix anything that appears. Once you've done that, do a search for any recently created files (as in around the time your computer troubles started) on your computer that are 70,656 bytes. This should be the culprit; delete it, as it is the trojan file.


OK, if your computer is still running really slowly, it may be because the files below are corrupted and are using 90% or more of your system memory. You can check in the Windows Task Manager window.

C:\Program Files\Norton Internet Security\SymProxySvc.exe
In this case go to this thread w/ a solution located at http://www.dslreport...k,...0#10386208

C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
(O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe)
Possible malware installation by this program; see the thread below for a solution: http://discussions.v...threadid=164317

C:\WINDOWS\system32\netff.exe
Again, a corrupted Norton Security file is responsible. Go to the below link for repairs
http://service1.syma...000072411305936


Once you're done, reboot in normal mode and run hjt and post the log so that I can see if you're clean.
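An added example, not from the thread or from HijackThis itself: a small Python triage script that applies the heuristics giren uses above to a HijackThis 1.97 log: R0/R1 start or search pages served from a local `res://` DLL, a missing default URLSearchHook, O4 Run entries with an empty name, O4 RunOnce entries launching from the Windows directory, O16 DPF entries with no download URL, and O21 SSODL entries with no file. The sample log lines are constructed, modelled on entries quoted in the thread, and the flagging rules are the post's, not HijackThis's own classification.

```python
import re

# Constructed sample in HijackThis 1.97 log format, modelled on entries quoted
# in the thread above (not a real scan).
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = res://C:\\WINDOWS\\system32\\omngo.dll/sp.html#37049
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O4 - HKLM\\..\\Run: [] C:\\Program Files\\winbas12.exe
O4 - HKLM\\..\\Run: [SystemTray] SysTray.Exe
O4 - HKLM\\..\\RunOnce: [netff.exe] C:\\WINDOWS\\system32\\netff.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O21 - SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - (no file)
"""

# Heuristics taken from the post above; each pattern names one kind of suspect entry.
RES_HIJACK = re.compile(r"^R[01] - .*= res://", re.I)        # start/search page from a local DLL
RUN_ENTRY = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]*)\] (?P<target>.*)$")
DPF_NO_URL = re.compile(r"^O16 - DPF: .* -\s*$")             # ActiveX control with no download URL
SSODL_NO_FILE = re.compile(r"^O21 - SSODL: .*\(no file\)$")   # shell service object whose DLL is gone


def triage(log_text):
    """Return (line, reason) pairs for log entries matching the post's heuristics."""
    hits = []
    for line in log_text.splitlines():
        line = line.rstrip()
        run = RUN_ENTRY.match(line)
        if RES_HIJACK.search(line):
            hits.append((line, "IE start/search page points at a local res:// DLL"))
        elif line.startswith("R3 - Default URLSearchHook is missing"):
            hits.append((line, "default URLSearchHook removed"))
        elif run and run.group("name") == "":
            hits.append((line, "Run entry with an empty name"))
        elif run and run.group("key") == "RunOnce" and "\\windows\\" in run.group("target").lower():
            hits.append((line, "RunOnce entry launching from the Windows directory"))
        elif DPF_NO_URL.match(line):
            hits.append((line, "ActiveX (DPF) entry with no download URL"))
        elif SSODL_NO_FILE.match(line):
            hits.append((line, "SSODL entry with no file on disk"))
    return hits


def reasons(log_text):
    """Summary of how many entries of each kind were flagged."""
    counts = {}
    for _, reason in triage(log_text):
        counts[reason] = counts.get(reason, 0) + 1
    return counts
```

Run `triage()` over a saved log to get the entries worth a second look; everything it does not flag (the SysTray and Yahoo entries in the sample) is left for manual review, as giren does in the post.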



