Jump to content


Photo

been at this for over a month, please help


  • Please log in to reply
10 replies to this topic

#1 ihatecws

ihatecws

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 14 July 2004 - 09:57 PM

hello, i think i have smartsearch cws remnatns deep in my system. When running cwshredder it stops during smartsearch scan and pops up windows/new.exe and windows/osojqtv.exe may be part of cws conrol 3? I've been battling this for over a month with no luck. my browser reverts to a solongas website or a here4search website. I delete these file (which open with spybot search and destroy) but they keep coming back. my log goes like this:

Logfile of HijackThis v1.97.7
Scan saved at 10:55:07 PM, on 7/14/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TEMP\TD_0005.DIR\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.my.yahoo.com
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\SYSTEM\05GOPC6960YLA.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [USBMonit.exe] "C:\WINDOWS\SYSTEM\USBMonit.exe"
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [OEMRUNONCE] c:\windows\options\cabs\oemrun.exe
O4 - HKLM\..\Run: [BCMDMMSG] BCMDMMSG.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [windll32.exe] C:\WINDOWS\SYSTEM\windll32.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Startup: America Online 6.0 Tray Icon.lnk = C:\America Online 6.0\aoltray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://gateway.yahoo.com
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0309.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7926.3853009259

i just ran ad-aware, cwshredder, and spybot SD

thanks for any help

#2 pfofit

pfofit

    It's raining spyware.

  • Trusted Advisor
  • PipPipPip
  • 171 posts

Posted 15 July 2004 - 02:44 PM

Hi
Hijack will creates the backups wherever it sits, in your case, in a temp folder. Temp folders get deleted over time and you will lose the backups created there as well as the hijack program..

Can you please create a folder such as C:\hijack\ and then move your 'hijack this.exe ' program and any backups from the old location into the new hijack folder.

Please run hijack and place a check in the following entries.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\SYSTEM\05GOPC6960YLA.DLL

O4 - HKLM\..\Run: [OEMRUNONCE] c:\windows\options\cabs\oemrun.exe
O4 - HKCU\..\Run: [windll32.exe] C:\WINDOWS\SYSTEM\windll32.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll

O15 - Trusted Zone: *.greg-search.com


Close ALL IE. browsers and all other open windows are closed, except hijackthis.,
Then select Fix Checked

These items below in blue can be fixed if you choose, they are unnecessary programs running at start and/or that hog resources: Having hijack fix it does not remove the program, just their start up command.
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Launches common MS Office components to run in the background, hogging resources.

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
Marketing program for MSworks.


If you haven't set these yourself through spybot or some other program then fix them as well.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
If set by Spybot, this entry will block home page from being changed via Tools> internet options.


To unhide hidden files,
  • On desktop doubleclick My Computer and select View and click Details
  • Again select View >Folder Options
  • Under the View tab,
  • Tick show all files
  • Untick hide file extensions for all file types. Select Apply then OK
Restart in Safe mode and open an IE and select Tools> Internet options and delete all temporary internet files and tick "delete offline content"

While still in safe mode, find and delete the following files/folders if they still exist:
C:\WINDOWS\SYSTEM\ windll32.exe <--delete only this file
C:\WINDOWS\SYSTEM\ SYSSTARTUP.EXE <--delete only this file

Reboot your system.
Since there is no Antivirus running on your system, do a free online virus scan and delete anything it finds from:To complete your clean up, do a free online trojan scan as well and delete anything it finds from:Hijack has a newer version, 1.98.
http://209.133.47.12.../HijackThis.exe
Save to hijack folder and post a fresh log from 1.98.

Edited by pfofit, 15 July 2004 - 02:51 PM.


#3 ihatecws

ihatecws

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 18 July 2004 - 07:36 PM

thank u pfofit, I am working on you directions now. I was unable to find:

R1 - HKCU/software/microsoft/internet explorer/main,search bar = about:blank

R1 - HKCU/software/microsoft/internet explorer/search,searchassistant = about:blank when running hijackthis 1.98?

plus, the homepage that is opening now is C:\WINDOWS\SYSTEM\hp.uti and opens with spybot search and destroy.

when choosing "open with" option for a file, there is a program called blindman that has the same icon as spybot search and destroy does? any thoughts on this?

#4 pfofit

pfofit

    It's raining spyware.

  • Trusted Advisor
  • PipPipPip
  • 171 posts

Posted 18 July 2004 - 08:49 PM

Hi again.

Ideally the directions were meant to be followed in sequence, with the new hijack being done last. :p
The new version of hijack sees some things differently, so all entries may not be present.

No problem though, just proceed with the rest of the entries you can find and complete the scans, then we can see how things behave..

Remember reboot/restart/safe mode where indicated.

The blindman listing is a new part of spybot 1.3. :thumbsup:

cheers

#5 ihatecws

ihatecws

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 18 July 2004 - 09:46 PM

pfofit,
Good 2 here from you....did i mention.....U RULE!!!!

anyway, i've done everything in order...except updating hijack in the beginning. I still have old version if u want me to run it and delete the specified files?

Trendmicro found some files that it couldn't delete cause they were in use.. should i manually find these and delete them?

Logfile of HijackThis v1.98.0
Scan saved at 10:45:30 PM, on 7/18/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ,
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.my.yahoo.com
R3 - Default URLSearchHook is missing
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [USBMonit.exe] "C:\WINDOWS\SYSTEM\USBMonit.exe"
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [BCMDMMSG] BCMDMMSG.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: America Online 6.0 Tray Icon.lnk = C:\America Online 6.0\aoltray.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://gateway.yahoo.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL


THANK YOU for your time

#6 pfofit

pfofit

    It's raining spyware.

  • Trusted Advisor
  • PipPipPip
  • 171 posts

Posted 18 July 2004 - 10:25 PM

hi there. Good work.

Keep using 1.98 and lets do a little bit of clean up
Please run hijack and place a check in the following entries.
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = ,

R3 - Default URLSearchHook is missing

Close ALL IE. browsers and all other open windows, except hijackthis.,
Then select Fix Checked

This item, means you have something disabled in ms config. Do you know what it is?
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
If your not sure what it is, you can go to Start> Run and type msconfig and hit OK. Under the "General" tab, insure that "Normal startup" is selected.

I suspect that trendmicro found something in the _restore folder.
To clear some of these viruses out, we need to temporarily disable and then reenable system restore.
This will delete all of your restore points and clean some of those uncleanable viruses out.

Clear system restore and set a new restore point (you will lose all your previous restore points, some of which will be infected with the malware we removed).

To disable Windows Me System Restore
Right-click My Computer, and then click Properties.
On the Performance tab click File System.
Select the Troubleshooting tab, and then check Disable System Restore.
Click OK twice. Click Yes, when you are prompted to restart Windows.
Press F8 while the system restarts and select safe mode.
Once in safe mode, delete the files under the _Restore folder

Then reenable System Restore by doing this

To enable Windows Me System Restore
Right-click My Computer, and then click Properties.
On the Performance tab click File System.
Select the Troubleshooting tab, uncheck Disable System Restore.
Click OK twice. Click Yes, when you are prompted to restart Windows

Once completed, to protect your system from being reinfected, please download and install this FREE antivirus program, AVG antivirus from Grisoft.

Have it run a complete scan and report back any issuses along with another fresh log from hijack.

#7 ihatecws

ihatecws

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 19 July 2004 - 05:36 PM

hello again...friend,

i am not quite sure what to delete once i opened the _Restore file, so i'll explain what i saw to you. there were 4 folders:
1. Archive - example inside it FS1414
2. Extract - empty folder
3. Logs - FIFO, RestorePT, Vxdatt9, vxdsfp (all opened with notepad)
4. Temp - example A0129640.CPY (a bunch of files with similiar letter patterns)

Outside of those 4 folders (but visible once I opened _Restore were:

DiskCFG, SRDISKID, MxDMon, DSINFO (all opening with notepad) and MxDMon.CFG that opened with an unknown application.

I think i get the selective startup warning in msconfig because i shut down some applications so my cpu runs faster......good idea?

Thanks again

#8 pfofit

pfofit

    It's raining spyware.

  • Trusted Advisor
  • PipPipPip
  • 171 posts

Posted 20 July 2004 - 02:36 PM

hi there
You can flush everything in the _restore folder. When you restart after reenabling system restore, windows will start recreating fresh restore points.

Msconfig, let me know what applications you do not want and we can determine their merit and fix in hijack.

Edited by pfofit, 20 July 2004 - 02:37 PM.


#9 ihatecws

ihatecws

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 20 July 2004 - 09:32 PM

hello again,
I deleted the files in the temp folder of _Restore and ran trend micro again......no viruses were detected after that. Downloaded AVG 6.0 and found 23viruses with them...healed....10 put 13 in vault.

msconfig, I'm kinda cpu-dumb (that said) i'de like to have directcd, realplay, wkcalrem, adapteccreate cd, adaptec direct dc wizard, norton anti-virus, and creative SB live! WDM removed from active running programs (isn't that why their icons show up on the bottom right of desktop....near the time? and if so, doesn't that slow down cpu performance? i don't know

NEW LOG:

Logfile of HijackThis v1.98.0
Scan saved at 10:28:22 PM, on 7/20/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\HIJACK\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.my.yahoo.com
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [USBMonit.exe] "C:\WINDOWS\SYSTEM\USBMonit.exe"
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [BCMDMMSG] BCMDMMSG.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [InkWatch] C:\PROGRA~1\GATEWAY\GATEWA~1\InkWatch.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: America Online 6.0 Tray Icon.lnk = C:\America Online 6.0\aoltray.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://gateway.yahoo.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

#10 pfofit

pfofit

    It's raining spyware.

  • Trusted Advisor
  • PipPipPip
  • 171 posts

Posted 21 July 2004 - 05:01 PM

hello there,
Very good, Interesting that Avg found those 23 after the online scan. Nice feedback.
If you no longer want Norton or it is out of date, you can remove it. However, if you just want to disable it then fix:
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET

As you may know, you should not have two Av's running at the same time as they may conflict with each other.
------------------------------------------------
These items below in blue can be fixed if you choose, they are programs that are optional. Having hijack fix an item does not remove the program, just their start up command. If you wish at a later date to have them, they can be restored via hijack through Config> backups.
Please read the details carefully and decide what you would like to keep or disable.

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
System Tray icon for RealPlayer. It will reset itself to the start up list the next time you launch the player. You can stop this from happening by right-clicking on the tray icon and disabling StartCenter via Preferences

O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
System tray application for SB Live functions.

O4 - HKLM\..\Run: [InkWatch] C:\PROGRA~1\GATEWAY\GATEWA~1\InkWatch.exe
monitors low ink and asks if you want to buy another cartridge on-line

O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
allows you to drag and drop files onto a suitably formatted CD-RW disc. Unless you use this on a frequent basis it isn't required and is available via Start -> Programs

O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
Adaptec Easy CD Creator system tray application

Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
Produces a pop-up reminder of events scheduled using the MS Works Calendar

-------------------------------------------------------
The log look better now.
Below is my standard speech to help keep your system clean.
pfofit

Edited by pfofit, 21 July 2004 - 05:12 PM.


#11 ihatecws

ihatecws

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 21 July 2004 - 08:05 PM

thanks pfofit, your help has been greatly appreciated




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button