wtools


13 replies to this topic

#1 lukeRR

lukeRR

    Member

  • Full Member
  • 10 posts

Posted 28 July 2004 - 12:00 AM

hi all,

i have the same problem as dan123456 had - Wtools.
i followed the instructions mmxx66 gave dan123456 but it didn't remove it.
i've gone through the faq and run ad-aware.

this is the stuff i want to get rid of:

WToolsA.exe
WToolsS.exe
WSup.exe

any help would be GREATLY appreciated

here is the log:

Logfile of HijackThis v1.97.7
Scan saved at 1:58:19 PM, on 28/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Classic PhoneTools\CapFax.EXE
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\RealUpdater.Exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\E-Color\True Internet Color\TICIcon.exe
C:\WINDOWS\System32\vwrsjan.exe
C:\WINDOWS\System32\ndeo4I.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Overnet\overnet.exe
C:\Documents and Settings\lkr\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netspace.net.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = BigPond Dial-Up Residential Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -off
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [SpyBlocs] C:\PROGRA~1\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [_intll] C:\WINDOWS\System32\_intll.exe
O4 - HKLM\..\Run: [akleyo] C:\WINDOWS\System32\akleyo.exe
O4 - HKLM\..\Run: [apiuit] C:\WINDOWS\System32\apiuit.exe
O4 - HKLM\..\Run: [atsrvpsc] C:\WINDOWS\System32\atsrvpsc.exe
O4 - HKLM\..\Run: [bdukk] C:\WINDOWS\System32\bdukk.exe
O4 - HKLM\..\Run: [bemw] C:\WINDOWS\System32\bemw.exe
O4 - HKLM\..\Run: [bghelpd] C:\WINDOWS\System32\bghelpd.exe
O4 - HKLM\..\Run: [bnmpntwd] C:\WINDOWS\System32\bnmpntwd.exe
O4 - HKLM\..\Run: [dbccr32o] C:\WINDOWS\System32\dbccr32o.exe
O4 - HKLM\..\Run: [dcomk] C:\WINDOWS\System32\dcomk.exe
O4 - HKLM\..\Run: [dvdq] C:\WINDOWS\System32\dvdq.exe
O4 - HKLM\..\Run: [enscfgs] C:\WINDOWS\System32\enscfgs.exe
O4 - HKLM\..\Run: [erberosk] C:\WINDOWS\System32\erberosk.exe
O4 - HKLM\..\Run: [fcfiless] C:\WINDOWS\System32\fcfiless.exe
O4 - HKLM\..\Run: [fwnetw] C:\WINDOWS\System32\fwnetw.exe
O4 - HKLM\..\Run: [in32kw] C:\WINDOWS\System32\in32kw.exe
O4 - HKLM\..\Run: [insw] C:\WINDOWS\System32\insw.exe
O4 - HKLM\..\Run: [lipsrvc] C:\WINDOWS\System32\lipsrvc.exe
O4 - HKLM\..\Run: [lntsesst] C:\WINDOWS\System32\lntsesst.exe
O4 - HKLM\..\Run: [M20ENUF] C:\WINDOWS\System32\M20ENUF.exe
O4 - HKLM\..\Run: [mmgr32c] C:\WINDOWS\System32\mmgr32c.exe
O4 - HKLM\..\Run: [netcplci] C:\WINDOWS\System32\netcplci.exe
O4 - HKLM\..\Run: [netcpli] C:\WINDOWS\System32\netcpli.exe
O4 - HKLM\..\Run: [netresi] C:\WINDOWS\System32\netresi.exe
O4 - HKLM\..\Run: [ogmanpr] C:\WINDOWS\System32\ogmanpr.exe
O4 - HKLM\..\Run: [paw] C:\WINDOWS\System32\paw.exe
O4 - HKLM\..\Run: [pcns4r] C:\WINDOWS\System32\pcns4r.exe
O4 - HKLM\..\Run: [pconfigi] C:\WINDOWS\System32\pconfigi.exe
O4 - HKLM\..\Run: [qoa20m] C:\WINDOWS\System32\qoa20m.exe
O4 - HKLM\..\Run: [racert6t] C:\WINDOWS\System32\racert6t.exe
O4 - HKLM\..\Run: [sdpsrvs] C:\WINDOWS\System32\sdpsrvs.exe
O4 - HKLM\..\Run: [siexecm] C:\WINDOWS\System32\siexecm.exe
O4 - HKLM\..\Run: [slookupn] C:\WINDOWS\System32\slookupn.exe
O4 - HKLM\..\Run: [soeacctm] C:\WINDOWS\System32\soeacctm.exe
O4 - HKLM\..\Run: [soert2m] C:\WINDOWS\System32\soert2m.exe
O4 - HKLM\..\Run: [sportsm] C:\WINDOWS\System32\sportsm.exe
O4 - HKLM\..\Run: [svbvm50m] C:\WINDOWS\System32\svbvm50m.exe
O4 - HKLM\..\Run: [svcrt40m] C:\WINDOWS\System32\svcrt40m.exe
O4 - HKLM\..\Run: [timons] C:\WINDOWS\System32\timons.exe
O4 - HKLM\..\Run: [vshelln] C:\WINDOWS\System32\vshelln.exe
O4 - HKLM\..\Run: [wprvs] C:\WINDOWS\System32\wprvs.exe
O4 - HKLM\..\Run: [ctPanelA] C:\WINDOWS\System32\ctPanelA.exe
O4 - HKLM\..\Run: [rogmanp] C:\WINDOWS\System32\rogmanp.exe
O4 - HKLM\..\Run: [qsnapm] C:\WINDOWS\System32\qsnapm.exe
O4 - HKLM\..\Run: [ta] C:\WINDOWS\System32\ta.exe
O4 - HKLM\..\Run: [_28594C] C:\WINDOWS\System32\_28594C.exe
O4 - HKLM\..\Run: [appsrvq] C:\WINDOWS\System32\appsrvq.exe
O4 - HKLM\..\Run: [bdlv1k] C:\WINDOWS\System32\bdlv1k.exe
O4 - HKLM\..\Run: [dfviewc] C:\WINDOWS\System32\dfviewc.exe
O4 - HKLM\..\Run: [ebhitsw] C:\WINDOWS\System32\ebhitsw.exe
O4 - HKLM\..\Run: [icc] C:\WINDOWS\System32\icc.exe
O4 - HKLM\..\Run: [mmkcertn] C:\WINDOWS\System32\mmkcertn.exe
O4 - HKLM\..\Run: [ogoffl] C:\WINDOWS\System32\ogoffl.exe
O4 - HKLM\..\Run: [qlsodbcs] C:\WINDOWS\System32\qlsodbcs.exe
O4 - HKLM\..\Run: [r50_32i] C:\WINDOWS\System32\r50_32i.exe
O4 - HKLM\..\Run: [stvtunek] C:\WINDOWS\System32\stvtunek.exe
O4 - HKLM\..\Run: [tdole32s] C:\WINDOWS\System32\tdole32s.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [_10006c] C:\WINDOWS\System32\_10006c.exe
O4 - HKLM\..\Run: [criptos] C:\WINDOWS\System32\criptos.exe
O4 - HKLM\..\Run: [embioso] C:\WINDOWS\System32\embioso.exe
O4 - HKLM\..\Run: [nmpsnaps] C:\WINDOWS\System32\nmpsnaps.exe
O4 - HKLM\..\Run: [owfaxw] C:\WINDOWS\System32\owfaxw.exe
O4 - HKLM\..\Run: [pgwiamdh] C:\WINDOWS\System32\pgwiamdh.exe
O4 - HKLM\..\Run: [riversd] C:\WINDOWS\System32\riversd.exe
O4 - HKLM\..\Run: [sim] C:\WINDOWS\System32\sim.exe
O4 - HKLM\..\Run: [srvpau] C:\WINDOWS\System32\srvpau.exe
O4 - HKLM\..\Run: [STraPTS] C:\WINDOWS\System32\STraPTS.exe
O4 - HKLM\..\Run: [suninsto] C:\WINDOWS\System32\suninsto.exe
O4 - HKLM\..\Run: [tis] C:\WINDOWS\System32\tis.exe
O4 - HKLM\..\Run: [uthza] C:\WINDOWS\System32\uthza.exe
O4 - HKLM\..\Run: [xmrtpd] C:\WINDOWS\System32\xmrtpd.exe
O4 - HKLM\..\Run: [MEI] C:\WINDOWS\System32\MEI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Overnet] C:\Program Files\Overnet\eDonkey2000.exe -t
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [vwrsjan] C:\WINDOWS\System32\vwrsjan.exe
O4 - HKLM\..\Run: [ndeo4I] C:\WINDOWS\System32\ndeo4I.exe
O4 - HKCU\..\Run: [RealOne Player Update Sheduler] C:\WINDOWS\System32\RealUpdater.Exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: fix.bat.lnk = C:\fix.bat
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SATARaid.lnk = ?
O4 - Global Startup: True Internet Color Icon.lnk = C:\Program Files\E-Color\True Internet Color\TICIcon.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Descargas (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.1...Recomendada.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzill...ller/dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...321/mcfscan.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab28578.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F8FCFE3-7A74-4E30-83A6-2ACA826A28DA}: NameServer = 192.168.1.1

thanks
luke

#2 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 28 July 2004 - 01:20 AM

:wave: Being your first post - I get the honour and privilege of welcoming you to our corner of the world where spyware has met its match - Welcome.

Just so that you know you are not being ignored - I will handle this case for you but I need to ask for your patience while I review the log :scratchhead:

Please keep an eye on this message for a resolution shortly.

#3 lukeRR

lukeRR

    Member

  • Full Member
  • 10 posts

Posted 28 July 2004 - 01:24 AM

thank you very much phantom.
i have to go to work now but when i get home tonight i'll check.

thanks again
luke

#4 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 28 July 2004 - 01:34 AM

  • Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for "P2P Networking.exe". If you find the file, click it, and then click End Process => Exit the Task Manager.
  • Double click on "My Computer" to open it.
  • Double click on the local "C-Drive" to open it.
  • Click on "File" => "New Folder" and name it HJT. i.e. The folder will be C:\HJT.
  • Please download HijackThis from any of the following locations (make sure you download it, as you are running an older version):
  • Install/Unzip it into C:\HJT.
  • Only run HijackThis from C:\HJT\HijackThis.exe. That way we can ensure that we have the backup files available in the event that they are needed.
  • Run HijackThis (This should, typically, be run from C:\HJT\HijackThis.exe)
    • Click on "Config" in the bottom right corner of the HijackThis window.
    • Make sure that the "Main" tab is selected at the top.
    • Place a checkmark in the box labelled "Make backups before fixing items".
    • Click on "Back" in the bottom right corner.
    • Make sure all Browser windows are closed otherwise it may interfere with the fixing of items.
    • Click on "Scan" and then place a check mark in the following boxes (If they still exist), And click on "Fix Checked":
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [_intll] C:\WINDOWS\System32\_intll.exe
    O4 - HKLM\..\Run: [akleyo] C:\WINDOWS\System32\akleyo.exe
    O4 - HKLM\..\Run: [apiuit] C:\WINDOWS\System32\apiuit.exe
    O4 - HKLM\..\Run: [atsrvpsc] C:\WINDOWS\System32\atsrvpsc.exe
    O4 - HKLM\..\Run: [bdukk] C:\WINDOWS\System32\bdukk.exe
    O4 - HKLM\..\Run: [bemw] C:\WINDOWS\System32\bemw.exe
    O4 - HKLM\..\Run: [bghelpd] C:\WINDOWS\System32\bghelpd.exe
    O4 - HKLM\..\Run: [bnmpntwd] C:\WINDOWS\System32\bnmpntwd.exe
    O4 - HKLM\..\Run: [dbccr32o] C:\WINDOWS\System32\dbccr32o.exe
    O4 - HKLM\..\Run: [dcomk] C:\WINDOWS\System32\dcomk.exe
    O4 - HKLM\..\Run: [dvdq] C:\WINDOWS\System32\dvdq.exe
    O4 - HKLM\..\Run: [enscfgs] C:\WINDOWS\System32\enscfgs.exe
    O4 - HKLM\..\Run: [erberosk] C:\WINDOWS\System32\erberosk.exe
    O4 - HKLM\..\Run: [fcfiless] C:\WINDOWS\System32\fcfiless.exe
    O4 - HKLM\..\Run: [fwnetw] C:\WINDOWS\System32\fwnetw.exe
    O4 - HKLM\..\Run: [in32kw] C:\WINDOWS\System32\in32kw.exe
    O4 - HKLM\..\Run: [insw] C:\WINDOWS\System32\insw.exe
    O4 - HKLM\..\Run: [lipsrvc] C:\WINDOWS\System32\lipsrvc.exe
    O4 - HKLM\..\Run: [lntsesst] C:\WINDOWS\System32\lntsesst.exe
    O4 - HKLM\..\Run: [M20ENUF] C:\WINDOWS\System32\M20ENUF.exe
    O4 - HKLM\..\Run: [mmgr32c] C:\WINDOWS\System32\mmgr32c.exe
    O4 - HKLM\..\Run: [netcplci] C:\WINDOWS\System32\netcplci.exe
    O4 - HKLM\..\Run: [netcpli] C:\WINDOWS\System32\netcpli.exe
    O4 - HKLM\..\Run: [netresi] C:\WINDOWS\System32\netresi.exe
    O4 - HKLM\..\Run: [ogmanpr] C:\WINDOWS\System32\ogmanpr.exe
    O4 - HKLM\..\Run: [paw] C:\WINDOWS\System32\paw.exe
    O4 - HKLM\..\Run: [pcns4r] C:\WINDOWS\System32\pcns4r.exe
    O4 - HKLM\..\Run: [pconfigi] C:\WINDOWS\System32\pconfigi.exe
    O4 - HKLM\..\Run: [qoa20m] C:\WINDOWS\System32\qoa20m.exe
    O4 - HKLM\..\Run: [racert6t] C:\WINDOWS\System32\racert6t.exe
    O4 - HKLM\..\Run: [sdpsrvs] C:\WINDOWS\System32\sdpsrvs.exe
    O4 - HKLM\..\Run: [siexecm] C:\WINDOWS\System32\siexecm.exe
    O4 - HKLM\..\Run: [slookupn] C:\WINDOWS\System32\slookupn.exe
    O4 - HKLM\..\Run: [soeacctm] C:\WINDOWS\System32\soeacctm.exe
    O4 - HKLM\..\Run: [soert2m] C:\WINDOWS\System32\soert2m.exe
    O4 - HKLM\..\Run: [sportsm] C:\WINDOWS\System32\sportsm.exe
    O4 - HKLM\..\Run: [svbvm50m] C:\WINDOWS\System32\svbvm50m.exe
    O4 - HKLM\..\Run: [svcrt40m] C:\WINDOWS\System32\svcrt40m.exe
    O4 - HKLM\..\Run: [timons] C:\WINDOWS\System32\timons.exe
    O4 - HKLM\..\Run: [vshelln] C:\WINDOWS\System32\vshelln.exe
    O4 - HKLM\..\Run: [wprvs] C:\WINDOWS\System32\wprvs.exe
    O4 - HKLM\..\Run: [ctPanelA] C:\WINDOWS\System32\ctPanelA.exe
    O4 - HKLM\..\Run: [rogmanp] C:\WINDOWS\System32\rogmanp.exe
    O4 - HKLM\..\Run: [qsnapm] C:\WINDOWS\System32\qsnapm.exe
    O4 - HKLM\..\Run: [ta] C:\WINDOWS\System32\ta.exe
    O4 - HKLM\..\Run: [_28594C] C:\WINDOWS\System32\_28594C.exe
    O4 - HKLM\..\Run: [appsrvq] C:\WINDOWS\System32\appsrvq.exe
    O4 - HKLM\..\Run: [bdlv1k] C:\WINDOWS\System32\bdlv1k.exe
    O4 - HKLM\..\Run: [dfviewc] C:\WINDOWS\System32\dfviewc.exe
    O4 - HKLM\..\Run: [ebhitsw] C:\WINDOWS\System32\ebhitsw.exe
    O4 - HKLM\..\Run: [icc] C:\WINDOWS\System32\icc.exe
    O4 - HKLM\..\Run: [mmkcertn] C:\WINDOWS\System32\mmkcertn.exe
    O4 - HKLM\..\Run: [ogoffl] C:\WINDOWS\System32\ogoffl.exe
    O4 - HKLM\..\Run: [qlsodbcs] C:\WINDOWS\System32\qlsodbcs.exe
    O4 - HKLM\..\Run: [r50_32i] C:\WINDOWS\System32\r50_32i.exe
    O4 - HKLM\..\Run: [stvtunek] C:\WINDOWS\System32\stvtunek.exe
    O4 - HKLM\..\Run: [tdole32s] C:\WINDOWS\System32\tdole32s.exe
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - HKLM\..\Run: [_10006c] C:\WINDOWS\System32\_10006c.exe
    O4 - HKLM\..\Run: [criptos] C:\WINDOWS\System32\criptos.exe
    O4 - HKLM\..\Run: [embioso] C:\WINDOWS\System32\embioso.exe
    O4 - HKLM\..\Run: [nmpsnaps] C:\WINDOWS\System32\nmpsnaps.exe
    O4 - HKLM\..\Run: [owfaxw] C:\WINDOWS\System32\owfaxw.exe
    O4 - HKLM\..\Run: [pgwiamdh] C:\WINDOWS\System32\pgwiamdh.exe
    O4 - HKLM\..\Run: [riversd] C:\WINDOWS\System32\riversd.exe
    O4 - HKLM\..\Run: [sim] C:\WINDOWS\System32\sim.exe
    O4 - HKLM\..\Run: [srvpau] C:\WINDOWS\System32\srvpau.exe
    O4 - HKLM\..\Run: [STraPTS] C:\WINDOWS\System32\STraPTS.exe
    O4 - HKLM\..\Run: [suninsto] C:\WINDOWS\System32\suninsto.exe
    O4 - HKLM\..\Run: [tis] C:\WINDOWS\System32\tis.exe
    O4 - HKLM\..\Run: [uthza] C:\WINDOWS\System32\uthza.exe
    O4 - HKLM\..\Run: [xmrtpd] C:\WINDOWS\System32\xmrtpd.exe
    O4 - HKLM\..\Run: [MEI] C:\WINDOWS\System32\MEI.exe
    O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
    O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
    O4 - HKLM\..\Run: [vwrsjan] C:\WINDOWS\System32\vwrsjan.exe
    O4 - HKLM\..\Run: [ndeo4I] C:\WINDOWS\System32\ndeo4I.exe
    O4 - Startup: fix.bat.lnk = C:\fix.bat
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
    O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.1...Recomendada.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzill...ller/dwnldr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...321/mcfscan.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab28578.cab
  • Please reboot into safe mode - How do I boot into "Safe" mode?
  • The following DIRECTORY CONTENTS (But not the directory), DIRECTORIES and FILES, need to be deleted while in safe mode. Make sure your settings allow you to view "Hidden files". Open up any explorer window and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". If the files etc listed are not present - Do not worry, just delete those that you can find. If no path is listed, you may need to search for the file(s) - To search, click on "Start" => "Search" => "For Files and Folders" => "All Files and Folders" and type in the file name. You can delete it right from the search results window.
  • DIRECTORY CONTENTS (But not the directory)
    • %windir%\Temp\
    • %temp%\
    • %userprofile%\Local Settings\Temp\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
    • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
    • Click on "Start" => "Settings" => "Control Panel" => "Internet Options". Click on "Delete Files", select "Delete All Offline Content" and click on "OK". <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested. Click on "OK" once more to close the options panel.
    • Right click on "Recycle Bin" and select "Empty Recycle Bin" and respond "Yes" when prompted.
  • DIRECTORIES
    • C:\WINDOWS\System32\P2P Networking\
    • C:\Program Files\webHancer\
  • FILES
    • C:\WINDOWS\System32\_intll.exe
    • C:\WINDOWS\System32\akleyo.exe
    • C:\WINDOWS\System32\apiuit.exe
    • C:\WINDOWS\System32\atsrvpsc.exe
    • C:\WINDOWS\System32\bdukk.exe
    • C:\WINDOWS\System32\bemw.exe
    • C:\WINDOWS\System32\bghelpd.exe
    • C:\WINDOWS\System32\bnmpntwd.exe
    • C:\WINDOWS\System32\dbccr32o.exe
    • C:\WINDOWS\System32\dcomk.exe
    • C:\WINDOWS\System32\dvdq.exe
    • C:\WINDOWS\System32\enscfgs.exe
    • C:\WINDOWS\System32\erberosk.exe
    • C:\WINDOWS\System32\fcfiless.exe
    • C:\WINDOWS\System32\fwnetw.exe
    • C:\WINDOWS\System32\in32kw.exe
    • C:\WINDOWS\System32\insw.exe
    • C:\WINDOWS\System32\lipsrvc.exe
    • C:\WINDOWS\System32\lntsesst.exe
    • C:\WINDOWS\System32\M20ENUF.exe
    • C:\WINDOWS\System32\mmgr32c.exe
    • C:\WINDOWS\System32\netcplci.exe
    • C:\WINDOWS\System32\netcpli.exe
    • C:\WINDOWS\System32\netresi.exe
    • C:\WINDOWS\System32\ogmanpr.exe
    • C:\WINDOWS\System32\paw.exe
    • C:\WINDOWS\System32\pcns4r.exe
    • C:\WINDOWS\System32\pconfigi.exe
    • C:\WINDOWS\System32\qoa20m.exe
    • C:\WINDOWS\System32\racert6t.exe
    • C:\WINDOWS\System32\sdpsrvs.exe
    • C:\WINDOWS\System32\siexecm.exe
    • C:\WINDOWS\System32\slookupn.exe
    • C:\WINDOWS\System32\soeacctm.exe
    • C:\WINDOWS\System32\soert2m.exe
    • C:\WINDOWS\System32\sportsm.exe
    • C:\WINDOWS\System32\svbvm50m.exe
    • C:\WINDOWS\System32\svcrt40m.exe
    • C:\WINDOWS\System32\timons.exe
    • C:\WINDOWS\System32\vshelln.exe
    • C:\WINDOWS\System32\wprvs.exe
    • C:\WINDOWS\System32\ctPanelA.exe
    • C:\WINDOWS\System32\rogmanp.exe
    • C:\WINDOWS\System32\qsnapm.exe
    • C:\WINDOWS\System32\ta.exe
    • C:\WINDOWS\System32\_28594C.exe
    • C:\WINDOWS\System32\appsrvq.exe
    • C:\WINDOWS\System32\bdlv1k.exe
    • C:\WINDOWS\System32\dfviewc.exe
    • C:\WINDOWS\System32\ebhitsw.exe
    • C:\WINDOWS\System32\icc.exe
    • C:\WINDOWS\System32\mmkcertn.exe
    • C:\WINDOWS\System32\ogoffl.exe
    • C:\WINDOWS\System32\qlsodbcs.exe
    • C:\WINDOWS\System32\r50_32i.exe
    • C:\WINDOWS\System32\stvtunek.exe
    • C:\WINDOWS\System32\tdole32s.exe
    • C:\WINDOWS\alchem.exe
    • C:\WINDOWS\System32\_10006c.exe
    • C:\WINDOWS\System32\criptos.exe
    • C:\WINDOWS\System32\embioso.exe
    • C:\WINDOWS\System32\nmpsnaps.exe
    • C:\WINDOWS\System32\owfaxw.exe
    • C:\WINDOWS\System32\pgwiamdh.exe
    • C:\WINDOWS\System32\riversd.exe
    • C:\WINDOWS\System32\sim.exe
    • C:\WINDOWS\System32\srvpau.exe
    • C:\WINDOWS\System32\STraPTS.exe
    • C:\WINDOWS\System32\suninsto.exe
    • C:\WINDOWS\System32\tis.exe
    • C:\WINDOWS\System32\uthza.exe
    • C:\WINDOWS\System32\xmrtpd.exe
    • C:\WINDOWS\System32\MEI.exe
    • dxdllreg.exe
    • C:\WINDOWS\System32\vwrsjan.exe
    • C:\WINDOWS\System32\ndeo4I.exe
    • C:\fix.bat
  • Reboot again and log in normally, repost a new HijackThis log into this message for further review.

#5 lukeRR

lukeRR

    Member

  • Full Member
  • 10 posts

Posted 28 July 2004 - 10:32 AM

here's the new log, i haven't got a pop up yet. Thank you very much phantom!

Logfile of HijackThis v1.97.7
Scan saved at 1:30:41 AM, on 29/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Classic PhoneTools\CapFax.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\RealUpdater.Exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\E-Color\True Internet Color\TICIcon.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\_1254c.exe
C:\WINDOWS\System32\nvfatc.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\lkr\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netspace.net.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = BigPond Dial-Up Residential Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -off
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [SpyBlocs] C:\PROGRA~1\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Overnet] C:\Program Files\Overnet\eDonkey2000.exe -t
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [nvfatc] C:\WINDOWS\System32\nvfatc.exe
O4 - HKLM\..\Run: [_1254c] C:\WINDOWS\System32\_1254c.exe
O4 - HKCU\..\Run: [RealOne Player Update Sheduler] C:\WINDOWS\System32\RealUpdater.Exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SATARaid.lnk = ?
O4 - Global Startup: True Internet Color Icon.lnk = C:\Program Files\E-Color\True Internet Color\TICIcon.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Descargas (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F8FCFE3-7A74-4E30-83A6-2ACA826A28DA}: NameServer = 192.168.1.1
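The two logs posted so far are the useful comparison in this thread: the long list of randomly named System32 entries from the first log is gone after the HijackThis fix, but the second log shows two new ones (nvfatc.exe and _1254c.exe) with the same pattern, which is the sign that the infection is re-creating itself rather than being removed. The following Python script is an added example, not code from the original thread or from HijackThis, that parses the O4 (autostart) lines of a HijackThis log, diffs two logs of the same machine, and applies a simple review heuristic. The sample log excerpts are constructed from a few lines of the logs above; the "value name equals executable stem in a Windows system directory" heuristic is an assumption of this example, not a detection rule HijackThis itself applies.

```python
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Constructed excerpts of the two HijackThis logs posted in this thread:
# the first log (before the fix) and the one posted after it.  Real logs
# are several hundred lines; only O4 lines matter to this parser, so the
# rest is ignored.
LOG_BEFORE = r"""
Logfile of HijackThis v1.97.7
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [_intll] C:\WINDOWS\System32\_intll.exe
O4 - HKLM\..\Run: [akleyo] C:\WINDOWS\System32\akleyo.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Startup: fix.bat.lnk = C:\fix.bat
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.97.7
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [nvfatc] C:\WINDOWS\System32\nvfatc.exe
O4 - HKLM\..\Run: [_1254c] C:\WINDOWS\System32\_1254c.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
"""

# Registry Run values:  O4 - HKLM\..\Run: [name] command
RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# Startup-folder shortcuts:  O4 - Startup: name.lnk = target
STARTUP_RE = re.compile(r'^O4 - (?P<kind>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.+)$')
# The executable is the (optionally quoted) text up to the first ".exe";
# this keeps "P2P Networking.exe" whole despite the space in its path.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)', re.IGNORECASE)


def parse_o4(log: str) -> dict[str, str]:
    """Map each O4 entry ("HIVE:name") to its executable path, lower-cased, arguments stripped."""
    entries: dict[str, str] = {}
    for line in log.splitlines():
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if not m:
            continue
        cmd = m.group('cmd').strip()
        em = EXE_RE.match(cmd)
        exe = em.group('exe') if em else cmd.strip('"')   # e.g. C:\fix.bat has no .exe
        location = m.group('hive') if 'hive' in m.groupdict() else m.group('kind')
        entries[f"{location}:{m.group('name')}"] = exe.lower()
    return entries


def diff_autoruns(before: str, after: str) -> tuple[set[str], set[str]]:
    """Return (removed, added) entry keys between two logs of the same machine."""
    b, a = parse_o4(before), parse_o4(after)
    return set(b) - set(a), set(a) - set(b)


# Assumed heuristic for this example: directories where a freshly dropped
# executable with a made-up name is the common pattern in this thread.
SYSTEM_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\')


def triage(entries: dict[str, str]) -> list[str]:
    """Flag Run entries whose value name is just the stem of an executable sitting
    directly in the Windows or System32 directory.  Every randomly named entry in
    this thread matches; so does the legitimate NeroCheck, which is why the result
    is a review list for a human, not a verdict."""
    flagged = []
    for key, exe in entries.items():
        name = key.split(':', 1)[1]
        p = PureWindowsPath(exe)
        in_sysdir = str(p.parent).lower() + '\\' in SYSTEM_DIRS
        if in_sysdir and p.stem.lower() == name.lower():
            flagged.append(key)
    return sorted(flagged)


if __name__ == '__main__':
    removed, added = diff_autoruns(LOG_BEFORE, LOG_AFTER)
    print('removed by the fix:', sorted(removed))
    print('new since the fix: ', sorted(added))
    print('entries to review in the new log:', triage(parse_o4(LOG_AFTER)))
```

Run against the two real logs, the "new since the fix" set is what the helper looks for first: entries that did not exist before the cleanup and already follow the dropped-file pattern mean a component that respawns autoruns survived, so the next step is another scanner rather than fixing the same lines again.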

#6 lukeRR

lukeRR

    Member

  • Full Member
  • 10 posts

Posted 28 July 2004 - 10:34 AM

ah after i closed this browser the pop ups came again :(.
again any help is greatly appreciated
luke.

#7 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 28 July 2004 - 12:52 PM

You did not follow the instructions for HijackThis :(

Please download, install and then run TrojanHunter (http://www.trojanhunter.com) and post a new log when you are done.

#8 lukeRR

lukeRR

    Member

  • Full Member
  • 10 posts

Posted 29 July 2004 - 04:35 AM

i don't know why it didn't work i thought i followed them. sorry.

here's the new log file after the trojan scan

Logfile of HijackThis v1.98.0
Scan saved at 7:34:40 PM, on 29/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Classic PhoneTools\CapFax.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\program files\steam\steam.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\E-Color\True Internet Color\TICIcon.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\WINDOWS\System32\swav04s.exe
C:\WINDOWS\System32\pmsgs.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Grisoft\AVG6\avgw.exe
C:\Program Files\mIRC\mirc.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netspace.net.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = BigPond Dial-Up Residential Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -off
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [SpyBlocs] C:\PROGRA~1\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Overnet] C:\Program Files\Overnet\eDonkey2000.exe -t
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [swav04s] C:\WINDOWS\System32\swav04s.exe
O4 - HKLM\..\Run: [pmsgs] C:\WINDOWS\System32\pmsgs.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [RealOne Player Update Sheduler] C:\WINDOWS\System32\RealUpdater.Exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SATARaid.lnk = ?
O4 - Global Startup: True Internet Color Icon.lnk = C:\Program Files\E-Color\True Internet Color\TICIcon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Descargas - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\euro-kazemule-00\index.html (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F8FCFE3-7A74-4E30-83A6-2ACA826A28DA}: NameServer = 192.168.1.1
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll

thanks
luke

#9 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 29 July 2004 - 03:08 PM

Almost there :)

Run HijackThis and delete:
O4 - HKLM\..\Run: [swav04s] C:\WINDOWS\System32\swav04s.exe
O4 - HKLM\..\Run: [pmsgs] C:\WINDOWS\System32\pmsgs.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Descargas - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\euro-kazemule-00\index.html (file missing)
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll

And delete the files:
C:\WINDOWS\System32\swav04s.exe
C:\WINDOWS\System32\pmsgs.exe

After that ... Please go to Microsoft Windows Update and download all critical updates for your system. This is imperative.

Then post one final log for review.

#10 lukeRR (Member, Full Member, 10 posts)

Posted 29 July 2004 - 05:52 PM

Hi Phantom, again thanks for your help.

here is the new log

Logfile of HijackThis v1.98.0
Scan saved at 8:49:57 AM, on 30/07/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Classic PhoneTools\CapFax.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\RealUpdater.Exe
C:\program files\steam\steam.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\E-Color\True Internet Color\TICIcon.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netspace.net.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = BigPond Dial-Up Residential Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -off
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\Classic PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [SpyBlocs] C:\PROGRA~1\SpyBlocs\SpyBlocs.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Overnet] C:\Program Files\Overnet\eDonkey2000.exe -t
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKCU\..\Run: [RealOne Player Update Sheduler] C:\WINDOWS\System32\RealUpdater.Exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SATARaid.lnk = ?
O4 - Global Startup: True Internet Color Icon.lnk = C:\Program Files\E-Color\True Internet Color\TICIcon.exe
O9 - Extra button: Descargas - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\euro-kazemule-00\index.html (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F8FCFE3-7A74-4E30-83A6-2ACA826A28DA}: NameServer = 192.168.1.1
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll

luke.

#11 lukeRR (Member, Full Member, 10 posts)

Posted 29 July 2004 - 05:52 PM

O18 didn't delete... I'll try again.
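
The check a helper runs on a follow-up log, as an added example that is not part of the thread: the script below is mine, not HijackThis output and not anything lukeRR or PGPhantom posted. The two log excerpts are constructed from entry lines visible in the thread (posts #8 and #10), trimmed to the entries that matter, and the fix list is the one from post #9. The script parses HijackThis entry lines (section code, then ` - `, then the body), maps O4 Run-key value names to the command they launch, flags entries HijackThis marked `(no file)` or `(file missing)`, and reports which fix-list entries survive in the second log. Run against these excerpts it reports two survivors, the O9 Descargas button and the O18 tpro protocol handler, which is what the second log in the thread shows; matching is on the exact entry text, so a line that comes back under a different name or path would not be caught by this check.

```python
"""Check a HijackThis follow-up log against a fix list (added example, not from the thread)."""
import re
from typing import Dict, List, Tuple

Entry = Tuple[str, str]  # (section code such as "O4", rest of the line)

# A HijackThis entry line: section code, " - ", body. Process-list and header lines do not match.
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.*)$")
# Body of an O4 Run-key entry: hive, "\..\Run: [value name] command".
RUNKEY_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")

# Constructed excerpt of the log posted before the fix (entries taken from post #8).
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netspace.net.au/
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [swav04s] C:\WINDOWS\System32\swav04s.exe
O4 - HKLM\..\Run: [pmsgs] C:\WINDOWS\System32\pmsgs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Descargas - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\euro-kazemule-00\index.html (file missing)
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
"""

# Constructed excerpt of the follow-up log (entries taken from post #10).
LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netspace.net.au/
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O9 - Extra button: Descargas - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\euro-kazemule-00\index.html (file missing)
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
"""

# The six entries PGPhantom asked to have removed in post #9.
FIX_LIST = r"""
O4 - HKLM\..\Run: [swav04s] C:\WINDOWS\System32\swav04s.exe
O4 - HKLM\..\Run: [pmsgs] C:\WINDOWS\System32\pmsgs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Descargas - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\euro-kazemule-00\index.html (file missing)
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
"""


def parse_log(text: str) -> List[Entry]:
    """Return (section, body) for every entry line; header and process-list lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def autostart_commands(entries: List[Entry]) -> Dict[str, str]:
    """Map each O4 Run-key value name to the command it launches.

    Global Startup .lnk entries are also reported as O4 but are not Run keys, so they are skipped.
    """
    commands: Dict[str, str] = {}
    for section, body in entries:
        if section != "O4":
            continue
        m = RUNKEY_RE.match(body)
        if m:
            commands[m.group(2)] = m.group(3)
    return commands


def dead_references(entries: List[Entry]) -> List[Entry]:
    """Entries whose target HijackThis could not find on disk.

    They cannot run, but the registry reference is debris from whatever installed it,
    so they belong on the fix list regardless of what the file was.
    """
    return [e for e in entries if e[1].endswith("(no file)") or e[1].endswith("(file missing)")]


def still_present(after_log: str, fix_list: str) -> List[Entry]:
    """Fix-list entries that survive in the follow-up log, in fix-list order.

    Matching is on the exact entry text, which is what a helper compares by eye.
    """
    after = set(parse_log(after_log))
    return [e for e in parse_log(fix_list) if e in after]


if __name__ == "__main__":
    for entry in still_present(LOG_AFTER, FIX_LIST):
        print("still present:", " - ".join(entry))
    for name, cmd in autostart_commands(parse_log(LOG_AFTER)).items():
        print("autostart:", name, "->", cmd)
```

Both survivors come from the same pass of HijackThis: the O9 Descargas button and the O18 handler were selected for removal but are still in the second log, so the script surfaces one line the reply above does not mention. Re-running `still_present` after each attempt is the quickest way to confirm what actually went away before posting the next log.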

#12 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 30 July 2004 - 12:35 AM

Please go to Microsoft Windows Update and download all critical updates for your system. This is imperative, as your system is completely out of date with service packs and updates. Post a new log once you have completed the updates.

#13 lukeRR (Member, Full Member, 10 posts)

Posted 30 July 2004 - 01:35 AM

It won't let me update because the key is invalid, probably because my uncle gave us XP. Thanks for your help, I'll keep trying to update the service pack.

thank you very much for your help pgphantom :D

#14 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 30 July 2004 - 09:08 AM

I would strongly urge you to purchase a legal copy of XP. Not only is it copyright infringement, but you are allowing your system to remain open indefinitely to re-infection.

I would be more than happy to continue helping once you have a legal copy of XP installed.
