Jump to content


Photo

C:\WINDOWS\secure.html


  • Please log in to reply
7 replies to this topic

#1 longboarder77

longboarder77

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 27 July 2004 - 03:12 AM

I've tried everything, Ad aware, Spyware Blaster, Spybot S&D, Spy Sweeper and still that remains my "home page". AGGH!
It keeps coming back, even when I'm moving that file to the recycle bin, it just reappears.
Thanks to anyone for any kind of help.

Here is my "hijack this" log:

Logfile of HijackThis v1.97.7
Scan saved at 10:40:33 AM, on 7/22/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\svcinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\reg33.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\toshiba\ivp\netint\netint.exe
C:\WINDOWS\System32\wuauclt.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\DOCUME~1\JM\LOCALS~1\Temp\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:///
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://xwebsearch.biz/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\System32\DReplace.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [TFncKy] C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Reg32] C:\WINDOWS\reg33.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Researcher (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: *.waitsex.com
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab

Edited by longboarder77, 27 July 2004 - 03:15 AM.


#2 njustice

njustice

    Advanced Member

  • Helper
  • PipPipPip
  • 159 posts

Posted 27 July 2004 - 12:06 PM

Hello,

Please download the latest version of 'Hijack This!'. HijackThis 1.98

Please put HJT in it's own permanent folder....for storing important backups!!!

Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder.
Put your HijackThis.exe there

Download CWShredder
http://www.downloads.../CWShredder.exe
Run it......press "Fix", follow its prompts & instructions.. press 'Next', and allow it to fix all it finds.

Then.....
Close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items if found, then click fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http:///
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http:///
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://xwebsearch.biz/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\System32\svcinit.exe
O2 - BHO: HTML Source Editor - {086AE192-23A6-48D6-96EC-715F53797E85} - C:\WINDOWS\System32\DReplace.dll
O4 - HKLM\..\Run: [Reg32] C:\WINDOWS\reg33.exe
O15 - Trusted Zone: *.waitsex.com

Click "Fix Checked"...Reboot to SAFE mode (F8 on bootup)
How to start the computer in Safe mode

Show hidden files and folders-->
Show hidden files & folders


and delete the following file in red if found.....
C:\WINDOWS\reg33.exe

reboot.....rescan.......post new log....in this thread.
Please don't ask for help on computer issues by email or Private Message (PM). Keep questions and answers in the forums....help others to learn.

Hijack This Guide --- Ad-Aware --- CWShredder --- HijackThis --- Spybot

Zone Alarm Firewall --- Spywareblaster

How to Go into Safe Mode --- Show Hidden Files --- Peper Trojan Removal Tool

Changing the Hosts File: Keep the Popup Parasites Off --- Turn Off/On Windows XP System Restore

Turn Off Unnecessary XP Services (XP with Service Pack 2) (recommend SAFE configuration)

ASAP Proud member since 2004 Alliance of Security Analysis Professionals

My sites: Pctorium | AmazingDezigns


#3 longboarder77

longboarder77

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 27 July 2004 - 06:28 PM

First of all, thank for replying to my problem. Unfortunately, I've done everything you've asked (about 15 times) and still that darn C:\WINDOWS\secure.html is there.
1. I created a new folder for the Hijackthis 1.98 version I downloaded.
2. I downloaded CWShredder and fixed all finds
3. I ran only Hijackthis 1.98, and checked (6) of the items you recommended were there. *****by the way, I ran Hijackthis 1.98 several times and every time the unwanteds kept showing up.
4. rebooted in safe mode and changed the hidden files so I could see them.
5 I did not find the red colored C:\WINDOWS\reg33.exe anywhere.

Very frustrating.......thanks again, and if you have any more ideas on how to rid of this stupid infrigement on my computer, that'd be great.

#4 njustice

njustice

    Advanced Member

  • Helper
  • PipPipPip
  • 159 posts

Posted 27 July 2004 - 06:51 PM

Go to Windows Updates and get all critical updates.

Then....

Please delete backups from 1.97 and 1.98....post a new log with version 1.98

Edited by njustice, 27 July 2004 - 09:35 PM.

Please don't ask for help on computer issues by email or Private Message (PM). Keep questions and answers in the forums....help others to learn.

Hijack This Guide --- Ad-Aware --- CWShredder --- HijackThis --- Spybot

Zone Alarm Firewall --- Spywareblaster

How to Go into Safe Mode --- Show Hidden Files --- Peper Trojan Removal Tool

Changing the Hosts File: Keep the Popup Parasites Off --- Turn Off/On Windows XP System Restore

Turn Off Unnecessary XP Services (XP with Service Pack 2) (recommend SAFE configuration)

ASAP Proud member since 2004 Alliance of Security Analysis Professionals

My sites: Pctorium | AmazingDezigns


#5 longboarder77

longboarder77

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 29 July 2004 - 01:46 AM

Here's the new log after I updated all the goods from microsoft.
That doggone....... C:\WINDOWS\secure.html......is still there :-(
hope this helps......
thanks



Logfile of HijackThis v1.98.0
Scan saved at 8:42:47 PM, on 7/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\bqdeiq.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Corel\Graphics9\Register\Remind32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\JM\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.hotmail.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hotmail.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.hotmail.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA880F} - C:\WINDOWS\EliteBar\EliteBar version 35.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [TFncKy] C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System32] C:\WINDOWS\system.exe
O4 - HKLM\..\Run: [AtariBanner] "C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Banner.exe" /0
O4 - HKLM\..\Run: [Atari Launcher 2] C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Atari icon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [sr64] C:\Documents and Settings\JM\Application Data\Microsoft\sr64\ckafqack.exe
O4 - HKCU\..\Run: [Lxunnujm] C:\WINDOWS\System32\bqdeiq.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O18 - Protocol: msero - {B0D92A71-886B-453B-A649-1B91F93801E7} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\MSERO.DLL

#6 Merijn

Merijn

    Coding monkey

  • Developer
  • PipPipPipPip
  • 260 posts

Posted 29 July 2004 - 07:08 AM

longboarder77, possibly the files are being reinstalled from a hidden service.

Can you open the Services list (Start, Run, SERVICES.MSC) and search for:
Network Security Service
Remote Procedure Call (RPC) Helper
Workstation NetLogon Service
Swartax

If you see any of these, select them and click 'Stop service', then try above fixes again.

If you see none of them, post the complete list: go into HijackThis, config, misc tools, check 'include minor sections' and hit 'Generate StartupList'. Post that here please.

#7 longboarder77

longboarder77

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 29 July 2004 - 01:48 PM

Thanks Merijn,
I only saw Remote Procedure Call (RPC) The service was already started and won't allow me to stop. There is also an (RPC) Locater (which is off), but no (RPC) Helper.

So.......
Here's the "generate StartupList".

StartupList report, 7/29/2004, 8:40:57 AM
StartupList version: 1.52.2
Started from : C:\DOCUME~1\JM\LOCALS~1\Temp\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\bqdeiq.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Corel\Graphics9\Register\Remind32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\JM\LOCALS~1\Temp\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\JM\Start Menu\Programs\Startup]
Corel Registration.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
D-Link REG Utility.lnk = ?
hp psc 1000 series.lnk = ?
hpoddt01.exe.lnk = ?
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\System32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

00THotkey = C:\WINDOWS\System32\00THotkey.exe
000StTHK = 000StTHK.exe
NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
nwiz = nwiz.exe /installquiet
Apoint = C:\Program Files\Apoint2K\Apoint.exe
LtMoh = C:\Program Files\ltmoh\Ltmoh.exe
TFncKy = C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe /Type 20
TFNF5 = TFNF5.exe
Tpwrtray = TPWRTRAY.EXE
TouchED = C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
ezShieldProtector for Px = C:\WINDOWS\System32\ezSP_Px.exe
Pinger = c:\toshiba\ivp\ism\pinger.exe /run
TkBellExe = C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
mmtask = C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
RoxioEngineUtility = "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
RoxioDragToDisc = "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
RoxioAudioCentral = "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
ccApp = C:\Program Files\Common Files\Symantec Shared\ccApp.exe
ccRegVfy = C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
QD FastAndSafe =
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
System32 = C:\WINDOWS\system.exe
AtariBanner = "C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Banner.exe" /0
Atari Launcher 2 = C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Atari icon.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\System32\ctfmon.exe
sr64 = C:\Documents and Settings\JM\Application Data\Microsoft\sr64\ckafqack.exe
Lxunnujm = C:\WINDOWS\System32\bqdeiq.exe
SpySweeper = C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssmypics.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

FRU Task #Hewlett-Packard#hp psc 1200 series#1083735270.job
Norton AntiVirus - Scan my computer.job
Norton SystemWorks One Button Checkup.job
Registration reminder 1.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[v2cab]
CODEBASE = http://searchmiracle.com/cab/v2cab.cab
OSD = C:\WINDOWS\Downloaded Program Files\OSD79C.OSD

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupd...8196.5213773148

--------------------------------------------------

Enumerating Windows NT/2000/XP services

AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
AOL Connectivity Service: C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Symantec Event Manager: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
Fax: %systemroot%\system32\fxssvc.exe (autostart)
GhostStartService: C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
IrDA Protocol: System32\DRIVERS\irda.sys (autostart)
Infrared Monitor: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
WPA Security Protocol (IEEE 802.1x) v2.2.0.0: System32\DRIVERS\mdc8021x.sys (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Norton AntiVirus Auto Protect Service: C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe (autostart)
Norton Unerase Protection: C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE (autostart)
NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SAVRTPEL: \??\C:\WINDOWS\System32\Drivers\SAVRTPEL.SYS (autostart)
ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Speed Disk service: C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
SYMTDI: \??\C:\WINDOWS\System32\Drivers\SYMTDI.SYS (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WAN Miniport (ATW) Service: "C:\WINDOWS\wanmpsvc.exe" (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 13,982 bytes
Report generated in 0.391 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#8 longboarder77

longboarder77

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 30 July 2004 - 05:00 PM

Here's the "generate StartupList




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button