
Please help. HJT log is posted here....


10 replies to this topic

#1 Vandy

Vandy

    Member

  • Full Member
  • 7 posts

Posted 23 May 2004 - 02:11 PM

I was referred here by a friend. I downloaded HJT and will post the log below. My start page is constantly changed to something new, and there is obviously something here that my spyware/virus detector is not catching. I would be VERY much appreciative of any help you can give with directions (lol)--I'm new to this program and am not at all familiar with HJT. Thanks again

Chris

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\ZONEAL~1\zlclient.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\ndgcpmooi.exe
E:\AVG VirusScan1\avgcc32.exe
C:\windows\temp\YuZ5ebJ.exe
C:\windows\temp\WLpYWL.exe
C:\WINDOWS\dhbrwsr.exe
C:\CloneCD\CloneCDTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\AIM\aim.exe
C:\Microsoft Broadband Networking\MSBNTray.exe
E:\AVGVIR~2\avgserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\dp-him.exe
C:\WINDOWS\System32\IEHost.exe
C:\WINDOWS\System32\IEHost.exe
C:\Documents and Settings\admin\Application Data\ooca.exe
C:\WINDOWS\dhsvr.exe
C:\WINDOWS\System32\icwcfgx.exe
C:\Program Files\ClockSync\Sync.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\PROGRA~1\WHENUS~1\Search.exe
C:\Documents and Settings\admin\Desktop\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotf...count_id=145872
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homep.../start.cgi?hkcu
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotf...count_id=145872
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homep.../start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.sma...t/7search/?hklm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Adobe Reader\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7A8DBE4F-63F8-49C8-8D3E-0CC7D6F3922D} - C:\WINDOWS\cobvyvgt.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O4 - HKLM\..\Run: [extractw] C:\WINDOWS\System32\extractw.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [ajrd] C:\WINDOWS\ndgcpmooi.exe
O4 - HKLM\..\Run: [SpywareXterminatorCL] E:\SPYWAR~1\SpywareXterminatorCL.exe c:\
O4 - HKLM\..\Run: [AVG_CC] E:\AVG VirusScan1\avgcc32.exe /startup
O4 - HKLM\..\Run: [PPMemCheck] E:\SPYWAR~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] E:\SPYWAR~1\CookiePatrol.exe
O4 - HKLM\..\Run: [YuZ5ebJ] C:\windows\temp\YuZ5ebJ.exe
O4 - HKLM\..\Run: [WLpYWL] C:\windows\temp\WLpYWL.exe
O4 - HKLM\..\Run: [Spyware X-terminator Control Center] E:\SPYWAR~1\PPControl.exe
O4 - HKLM\..\Run: [SearchSquire33] C:\WINDOWS\System32\SearchUpdate33.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [xF8T32g] icwcfgx.exe
O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpsv.exe
O4 - HKCU\..\Run: [Mrss] C:\Documents and Settings\admin\Application Data\ooca.exe
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - HKLM\..\RunOnce: [PPClean Remove at boot] C:\PPCleanDeleteAtReboot.bat
O4 - HKLM\..\RunOnce: [Pest Cleaning] "E:\SPYWAR~1\ppclean.exe" ts:20040523134916414 clean suite 2
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Dictionary - http://www.ezreferen..._/ie-com-p3.htm
O8 - Extra context menu item: &Encyclopedia - http://www.ezreferen...ie-com-e-p3.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O15 - Trusted Zone: http://ad.searchsquire.com
O15 - Trusted Zone: http://search.searchsquire.com
O15 - Trusted Zone: http://update.searchsquire.com
O15 - Trusted Zone: http://www.searchsquire.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {907CA0E5-CE84-11D6-9508-02608CDD2846} - http://update.search...rchSquire33.CAB
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/ieplug.cab
O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class)

#2 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • 8,508 posts

Posted 23 May 2004 - 02:37 PM

To start cleaning up your computer, please download CWShredder.
This was written to deal with Coolweb and all its variants.

Download and run the program. Let it fix everything it finds, and reboot.

Run Hijack this again, and post a fresh log so we can deal with whatever is left.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#3 Vandy

Vandy

    Member

  • Full Member
  • 7 posts

Posted 23 May 2004 - 02:50 PM

Okay...thank you so much for your help Dave. I downloaded and ran CWShredder and here is the new log. btw, when I rebooted, I gained a search bar that I didn't have before :(

Chris

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
E:\AVGVIR~2\avgserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\ZONEAL~1\zlclient.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\ndgcpmooi.exe
E:\AVG VirusScan1\avgcc32.exe
C:\windows\temp\YuZ5ebJ.exe
C:\windows\temp\WLpYWL.exe
C:\WINDOWS\dhbrwsr.exe
C:\CloneCD\CloneCDTray.exe
C:\WINDOWS\System32\IEHost.exe
C:\WINDOWS\System32\dp-him.exe
C:\WINDOWS\System32\icwcfgx.exe
C:\PROGRA~1\WHENUS~1\Search.exe
C:\Program Files\Messenger\msmsgs.exe
C:\AIM\aim.exe
C:\WINDOWS\System32\wnscpsv.exe
C:\Documents and Settings\admin\Application Data\ooca.exe
C:\PROGRA~1\CLOCKS~1\Sync.exe
C:\Microsoft Broadband Networking\MSBNTray.exe
C:\WINDOWS\dhsvr.exe
C:\Documents and Settings\admin\Desktop\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Adobe Reader\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7A8DBE4F-63F8-49C8-8D3E-0CC7D6F3922D} - C:\WINDOWS\cobvyvgt.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll (file missing)
O4 - HKLM\..\Run: [extractw] C:\WINDOWS\System32\extractw.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [ajrd] C:\WINDOWS\ndgcpmooi.exe
O4 - HKLM\..\Run: [SpywareXterminatorCL] E:\SPYWAR~1\SpywareXterminatorCL.exe c:\
O4 - HKLM\..\Run: [AVG_CC] E:\AVG VirusScan1\avgcc32.exe /startup
O4 - HKLM\..\Run: [PPMemCheck] E:\SPYWAR~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] E:\SPYWAR~1\CookiePatrol.exe
O4 - HKLM\..\Run: [YuZ5ebJ] C:\windows\temp\YuZ5ebJ.exe
O4 - HKLM\..\Run: [WLpYWL] C:\windows\temp\WLpYWL.exe
O4 - HKLM\..\Run: [Spyware X-terminator Control Center] E:\SPYWAR~1\PPControl.exe
O4 - HKLM\..\Run: [SearchSquire33] C:\WINDOWS\System32\SearchUpdate33.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [xF8T32g] icwcfgx.exe
O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpsv.exe
O4 - HKCU\..\Run: [Mrss] C:\Documents and Settings\admin\Application Data\ooca.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKLM\..\RunOnce: [PPClean Remove at boot] C:\PPCleanDeleteAtReboot.bat
O4 - HKLM\..\RunOnce: [Pest Cleaning] "E:\SPYWAR~1\ppclean.exe" ts:20040523134916414 clean suite 2 2
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Dictionary - http://www.ezreferen..._/ie-com-p3.htm
O8 - Extra context menu item: &Encyclopedia - http://www.ezreferen...ie-com-e-p3.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O15 - Trusted Zone: http://ad.searchsquire.com
O15 - Trusted Zone: http://search.searchsquire.com
O15 - Trusted Zone: http://update.searchsquire.com
O15 - Trusted Zone: http://www.searchsquire.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...76/mcinsctl.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {907CA0E5-CE84-11D6-9508-02608CDD2846} - http://update.search...rchSquire33.CAB
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,16/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/ieplug.cab
O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http://www.xxxtoolba...0006_cracks.cab

#4 Vandy

Vandy

    Member

  • Full Member
  • 7 posts

Posted 23 May 2004 - 03:30 PM

bump :)

#5 QN_52

QN_52

    Member

  • New Member
  • 1 posts

Posted 23 May 2004 - 05:30 PM

bump :ph34r:

#6 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • 8,508 posts

Posted 23 May 2004 - 06:02 PM

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {7A8DBE4F-63F8-49C8-8D3E-0CC7D6F3922D} - C:\WINDOWS\cobvyvgt.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll

O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll (file missing)

O4 - HKLM\..\Run: [extractw] C:\WINDOWS\System32\extractw.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [ajrd] C:\WINDOWS\ndgcpmooi.exe
O4 - HKLM\..\Run: [YuZ5ebJ] C:\windows\temp\YuZ5ebJ.exe
O4 - HKLM\..\Run: [WLpYWL] C:\windows\temp\WLpYWL.exe
O4 - HKLM\..\Run: [SearchSquire33] C:\WINDOWS\System32\SearchUpdate33.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [xF8T32g] icwcfgx.exe
O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe

O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscpsv.exe
O4 - HKCU\..\Run: [Mrss] C:\Documents and Settings\admin\Application Data\ooca.exe
O4 - HKLM\..\RunOnce: [PPClean Remove at boot] C:\PPCleanDeleteAtReboot.bat

O15 - Trusted Zone: http://ad.searchsquire.com
O15 - Trusted Zone: http://search.searchsquire.com
O15 - Trusted Zone: http://update.searchsquire.com
O15 - Trusted Zone: http://www.searchsquire.com

O16 - DPF: {907CA0E5-CE84-11D6-9508-02608CDD2846} - http://update.search...rchSquire33.CAB
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} - http://cabs.roings.com/cabs/ieplug.cab
O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http://www.xxxtoolba...0006_cracks.cab

Reboot, and delete

files
C:\WINDOWS\System32\extractw.exe
C:\WINDOWS\alchem.exe
c:\installer\id53.exe
C:\WINDOWS\ndgcpmooi.exe
C:\windows\temp\YuZ5ebJ.exe
C:\windows\temp\WLpYWL.exe
C:\WINDOWS\System32\SearchUpdate33.exe
C:\WINDOWS\DHUpdt.exe
C:\WINDOWS\dhbrwsr.exe
C:\WINDOWS\System32\IEHost.exe
C:\WINDOWS\System32\dp-him.exe
icwcfgx.exe
C:\WINDOWS\System32\wnscpsv.exe
C:\Documents and Settings\admin\Application Data\ooca.exe
C:\PPCleanDeleteAtReboot.bat

folders
C:\Program Files\Power Scan
C:\Program Files\WHENUS~1
C:\WINDOWS\system32\pcs
C:\Program Files\Common Files\Dpi

These may be hidden files. See HERE for how to show hidden files.

Please post a followup Hijack this log, and say if the problems persist.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#7 Vandy

Vandy

    Member

  • Full Member
  • 7 posts

Posted 23 May 2004 - 06:31 PM

OK...took awhile, but I did everything you said to do. So far, it's working well and running great..no popups right now and everything SEEMS smooth. Here's the new post...please let me know if there's anything else that would help

Chris


Logfile of HijackThis v1.97.7
Scan saved at 6:28:40 PM, on 5/23/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ZONEAL~1\zlclient.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
E:\SPYWAR~1\SpywareXterminatorCL.exe
E:\AVG VirusScan1\avgcc32.exe
E:\SPYWAR~1\PPControl.exe
E:\SPYWAR~1\PPMemCheck.exe
E:\SPYWAR~1\CookiePatrol.exe
C:\CloneCD\CloneCDTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\AIM\aim.exe
C:\Microsoft Broadband Networking\MSBNTray.exe
E:\AVGVIR~2\avgserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\admin\Desktop\hjt\HijackThis.exe

O4 - HKLM\..\Run: [extractw] C:\WINDOWS\System32\extractw.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [SpywareXterminatorCL] E:\SPYWAR~1\SpywareXterminatorCL.exe c:\
O4 - HKLM\..\Run: [AVG_CC] E:\AVG VirusScan1\avgcc32.exe /startup
O4 - HKLM\..\Run: [Spyware X-terminator Control Center] E:\SPYWAR~1\PPControl.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [PPMemCheck] E:\SPYWAR~1\PPMemCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CookiePatrol] E:\SPYWAR~1\CookiePatrol.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mrss] C:\Documents and Settings\admin\Application Data\ooca.exe
O4 - HKCU\..\Run: [AIM] C:\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#8 Vandy

Vandy

    Member

  • Full Member
  • 7 posts

Posted 23 May 2004 - 06:44 PM

ooops...forgot one...here's the new log.


Logfile of HijackThis v1.97.7
Scan saved at 6:44:34 PM, on 5/23/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ZONEAL~1\zlclient.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
E:\AVG VirusScan1\avgcc32.exe
E:\SPYWAR~1\PPControl.exe
E:\SPYWAR~1\PPMemCheck.exe
E:\SPYWAR~1\CookiePatrol.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Microsoft Broadband Networking\MSBNTray.exe
E:\AVGVIR~2\avgserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\MSNGAM~1\zone.exe
C:\MSNGAM~1\zclient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\admin\Desktop\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O4 - HKLM\..\Run: [extractw] C:\WINDOWS\System32\extractw.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [SpywareXterminatorCL] E:\SPYWAR~1\SpywareXterminatorCL.exe c:\
O4 - HKLM\..\Run: [AVG_CC] E:\AVG VirusScan1\avgcc32.exe /startup
O4 - HKLM\..\Run: [Spyware X-terminator Control Center] E:\SPYWAR~1\PPControl.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [PPMemCheck] E:\SPYWAR~1\PPMemCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CookiePatrol] E:\SPYWAR~1\CookiePatrol.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#9 Vandy

Vandy

    Member

  • Full Member
  • 7 posts

Posted 24 May 2004 - 12:10 PM

*bump*

#10 Vandy

Vandy

    Member

  • Full Member
  • 7 posts

Posted 24 May 2004 - 07:06 PM

*BUMP*...just need one last check of my newest log posted above.

#11 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • 8,508 posts

Posted 25 May 2004 - 04:38 PM

One left to fix

O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load

Reboot, and delete the file C:\WINDOWS\System32\bridge.dll

One other item in your log is a little puzzling. Would you please find the file C:\WINDOWS\System32\extractw.exe, and check its properties. There is a legitimate file of that name, but I don't know why it should be running all the time! Please post back with that information.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum
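
The comparison done by eye in the last reply, checking the fix list against the follow-up log to see what survived and what is new, can be scripted. This is an added example, not part of the original thread or of HijackThis; the function names are hypothetical, and the three sample logs are short excerpts trimmed from lines posted in this thread.

```python
import re

# HijackThis entry lines look like "O4 - HKLM\..\Run: [name] path":
# a section code (R0-R3, F0-F3, N1-N4, O1-O23), " - ", then the detail.
ENTRY = re.compile(r"^\s*([RFN][0-4]|O\d{1,2}) - (.+?)\s*$")


def parse_hjt(text):
    """Return {normalised key: original line} for each entry line in a log."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # process paths and header lines do not match and are skipped
            # Case-fold and collapse whitespace so a re-posted line still matches.
            key = (m.group(1), " ".join(m.group(2).casefold().split()))
            entries[key] = line.strip()
    return entries


def review_followup(before, fixed, after):
    """Compare the pre-fix log, the helper's fix list and the follow-up log."""
    b, f, a = parse_hjt(before), parse_hjt(fixed), parse_hjt(after)
    return {
        # Marked for fixing but still listed: the fix did not stick.
        "still_present": sorted(f[k] for k in f if k in a),
        # Marked for fixing and gone from the follow-up log.
        "removed": sorted(f[k] for k in f if k not in a),
        # Not in the previous log at all: needs a human look (may be benign).
        "new_since_before": sorted(a[k] for k in a if k not in b),
    }


# Excerpt of the log posted after running CWShredder (trimmed).
BEFORE = r'''
Running processes:
C:\WINDOWS\Explorer.EXE
O2 - BHO: (no name) - {7A8DBE4F-63F8-49C8-8D3E-0CC7D6F3922D} - C:\WINDOWS\cobvyvgt.dll
O4 - HKLM\..\Run: [extractw] C:\WINDOWS\System32\extractw.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O15 - Trusted Zone: http://www.searchsquire.com
'''

# Excerpt of the helper's "fix checked" list (trimmed).
FIXED = r'''
O2 - BHO: (no name) - {7A8DBE4F-63F8-49C8-8D3E-0CC7D6F3922D} - C:\WINDOWS\cobvyvgt.dll
O4 - HKLM\..\Run: [extractw] C:\WINDOWS\System32\extractw.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O15 - Trusted Zone: http://www.searchsquire.com
'''

# Excerpt of the last follow-up log (trimmed).
AFTER = r'''
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O4 - HKLM\..\Run: [extractw] C:\WINDOWS\System32\extractw.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
'''

if __name__ == "__main__":
    for bucket, lines in review_followup(BEFORE, FIXED, AFTER).items():
        print(bucket)
        for entry in lines:
            print("   ", entry)
```

On these excerpts the extractw entry lands in `still_present` and the bridge.dll entry in `new_since_before`, the same two items the last reply singles out; the restored Hotmail start page is also reported as new and is left for the reviewer to judge.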



