Need help fast...


37 replies to this topic

#1 TheChosenOne1123

TheChosenOne1123

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 26 May 2004 - 08:20 PM

OK, since no one replied in the other forum I decided to put it here, since I'm in desperate need of help with my sister's laptop; she is begging me to fix it.

*New log down in other posts. Do not notice this log, it is old.

Logfile of HijackThis v1.97.7
Scan saved at 8:15:02 PM, on 5/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\SxgTkBar.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\sysupd.exe
C:\docume~1\yen\locals~1\temp\RwLS.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\pexvwsi.exe
C:\WINDOWS\System32\JxzW8.exe
C:\WINDOWS\System32\Rfq78ld.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Yen\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.toshiba.com/
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMEEJME.EXE] C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [LSPFix] C:\Program Files\Common Files\eAcceleration\LSPfix\LSPmonitor.exe normal
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [cqifH] C:\docume~1\yen\locals~1\temp\cqifH.exe
O4 - HKLM\..\Run: [RwLS] C:\docume~1\yen\locals~1\temp\RwLS.exe
O4 - HKLM\..\Run: [2ZQLKP#2WLSCTL] C:\WINDOWS\System32\MvuC1.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [qbdcopjbtd] C:\WINDOWS\System32\pexvwsi.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtange...ave/Install.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7646.6992824074
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave...eDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} (AOL Downloader Plugin) - http://pak02.picture...ad.1.0.9.14.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab


This is for my sister's computer. First of all, I'll tell you the full story.

About 4 weeks ago there was suddenly an outburst of spyware on her computer, she doesn't know why, and I simply used Ad-Aware to delete them, well, most of them, but some were still there; she said it was OK. About 2 weeks later, voila, another outburst of spyware. I used Ad-Aware again but it couldn't delete ALL of it, so I downloaded Spybot, SpywareBlaster and HijackThis and used Spybot to get rid of a lot (most of it), but my sister still complains of getting ads. (BTW, every 2 weeks her computer is hijacked by spyware of some kind, and it installs unwanted programs on her computer, too.) So I thought Spybot could get rid of them, but it couldn't get rid of all of them. No matter what I try, 2 are always there, which are DSO Exploit and TSCash (which, when I checked the info, is a 0190 dialer, which I'm really scared of; I mean my parents might get extremely mad at the next phone bill), and sometimes this thing called VX2 may come back. Ad-Aware 6 detects VX2 as VX2.BetterInternet, with some tracking cookies. Spybot just says VX2 something. Well (I think TSplus and the BetterInternet thingy may have some relation).

So I got fed up and decided to try HijackThis, since there were still annoying pop-ups on my sister's computer and I knew if I still didn't get rid of them, it would eventually install even more spyware and adware on her laptop. When I first used HijackThis, I saw some entries which said: Host (IP address here) and a lot of weird sites, like www. worldsex. com and www. gator. com, etc. I didn't know how they got there, since my sister only goes to music sites like mtv.com. I decided to delete some of them right away, not knowing what they were, but ALL of them looked suspicious. I deleted the ones that said sex and one that said mptraffic, scanned a new log and the others were gone (even Gator and the ones I didn't delete, lol; they might still be hiding with something that says Host: (IP address of laptop)), but Spybot still detects VX2 and DSO Exploit and TSCash.

Well, hopefully my HijackThis log will explain and help delete all of them, because when I went to the Run entry that Spybot said TSCash was, I tried to delete it but Spybot said it couldn't be deleted because it's in use. BTW, it also said another thing below TSCash was a file called 0910 dialer, which is the component dealing with the TSCash spyware. I need to get rid of all these ads by deleting ALL the spyware and adware left, which Ad-Aware and Spybot simply cannot delete now. Oh, BTW, I accidentally opened the file that Spybot said TSCash was in, which was C:\Windows\Sysupd; I don't know if it can damage my computer by opening it, lol.

Hopefully someone can help me; my sister can't take it much longer, and my family and I are anxious, because I'm worried about it. An overview again, and please help as soon as possible, I can't take it much longer.


Ad-Aware detects: VX2.BetterInternet and its components (around 20 in total) and some program called Stop Pop. [Description: fake pop-up blocker that gives pop-ups]
Spybot detects: TSCash, 5 DSO Exploit files, and sometimes something called VX2 (it doesn't always detect VX2; it might be hidden).
BTW, can anyone tell me, if they have any knowledge of it, where VX2.BetterInternet comes from? I think it might be the one giving my sister's laptop an outbreak of spyware and hijacked homepages every few weeks. Well, hopefully someone can help. And when I delete all of them (even though I don't know what happened to the HijackThis thing that said Host: IP: GATOR and Host: IP: www.gator.com and even more; I simply deleted the porn ones and the others went away, lol) I might also have a virus or trojan or worm or joke program making the spyware, but my sister does not want to scan using Norton 2004 Professional, lol. I hope SpywareBlaster can prevent any more spyware from coming in. Thanks in advance anyone, and God bless! *BTW, did I tell you that the 5 DSO Exploit files are also on my computer? o_O Someone tell me if it is dangerous, also, lol*

Edited by TheChosenOne1123, 27 May 2004 - 10:10 PM.


#2 TheChosenOne1123

Posted 26 May 2004 - 08:22 PM

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll

I deleted that file because I just checked the BHO thingy around here and it said it was TwainTec adware, which looked suspicious. So basically that's probably out, but I'll post a new log file when I can get back to my sister's laptop.

#3 TheChosenOne1123

Posted 26 May 2004 - 11:17 PM

BTW, some weird thing pops up when I turn off the computer, something that says "Ending program *name*", even though no programs are open.

#4 chris22

Posted 26 May 2004 - 11:30 PM

You might have got charged on the phone when you clicked the dialer... Disconnect the phone line from the computer when not in use so you can avoid getting charged. ;)

#5 superbratkidde

Posted 26 May 2004 - 11:48 PM

Look into msconfig and look at the things that start at startup; if you didn't install it, uncheck it. Please be careful of what you uncheck; your computer might fail to turn on again.

#6 TheChosenOne1123

Posted 27 May 2004 - 12:03 AM

Uhm, OK, I'm just gonna uncheck "sysupd" at startup for now. And for chris22: my parents don't really allow me to do anything dealing with the computer or phone lines or that shit, so I gotta find a way to get rid of it. BTW, if I get rid of it, will it not be there or charge my phone line anymore? lol [sorry for asking, I'm very new to spyware and adware and don't know much about these computer things]. I was like OH SHIT when chris22 told me that could happen.

#7 Charybdis

Posted 27 May 2004 - 12:19 AM

Looks like you might have several problems going at once; you should run an antivirus program through your system. The twaintec dll file is from a trojan, can't remember the name though, and C:\docume~1\yen\locals~1\temp\RwLS.exe most likely is as well. You can try http://housecall.ant.../start_corp.asp

#8 TheChosenOne1123

Posted 27 May 2004 - 09:22 AM

Erm, can anyone tell me from the log just how many problems I have? o_O I might have to reinstall my sister's whole laptop; it's just too slow to do anything. Will that help, BTW, or is it not worth it? (BTW, if I don't, I will install Norton AntiVirus 2004 and try to remove them using that. Will HouseCall detect and remove them also?)

Edited by TheChosenOne1123, 27 May 2004 - 09:23 AM.


#9 TheChosenOne1123

Posted 27 May 2004 - 09:43 AM

BTW, I just found a way to remove TSCash (1090 dialer), but I need to reboot her laptop into safe mode, which is pretty complicated for me. o_O Last time I pressed F8 constantly it said "cannot load : ###########" except the # were squares, and when I checked HijackThis again, it had 2 new entries like ######### and ######. Weird, eh?

#10 TheChosenOne1123

Posted 27 May 2004 - 05:17 PM

Uhm... anyone? lol

#11 TheChosenOne1123

Posted 27 May 2004 - 05:21 PM

BTW, can anyone tell me a way to find out if you have n-CASE on your laptop? I see this "ncase ads uninstaller" in C:\Windows; when I try to open it, it says that the file cannot be located in the registry and to type mpdd (something like that) in search and delete those files... don't quite get it... o_O Looks suspicious.

#12 TheChosenOne1123

Posted 27 May 2004 - 06:12 PM

New HijackThis log

Logfile of HijackThis v1.97.7
Scan saved at 4:12:08 PM, on 5/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sysupd.exe
C:\WINDOWS\System32\pexvwsi.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\docume~1\yen\locals~1\temp\RwLS.exe
C:\docume~1\yen\locals~1\temp\cqifH.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\SxgTkBar.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\Sqk2.exe
C:\WINDOWS\System32\Lnoe7L.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Yen\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.toshiba.com/
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
F1 - win.ini: load=??? ??? ??? ? ? ? 
F1 - win.ini: run=??? ??? ??? ? ? ? 
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Popup Blocker Pro - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - C:\Program Files\SafeGuard Pop-up Blocker Pro FREE Edition\popupblocker.dll
O2 - BHO: Core Library - {D4D505DF-D582-400c-91B6-84921012AFE3} - C:\WINDOWS\System32\PDF5916.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [2ZQLKP#2WLSCTL] C:\WINDOWS\System32\Lryrg9.exe
O4 - HKLM\..\Run: [SafeGuard Popup Updater (required)] regsvr32 /s C:\WINDOWS\System32\PDF5916.dll
O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll
O4 - HKLM\..\Run: [qbdcopjbtd] C:\WINDOWS\System32\pexvwsi.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [RwLS] C:\docume~1\yen\locals~1\temp\RwLS.exe
O4 - HKLM\..\Run: [cqifH] C:\docume~1\yen\locals~1\temp\cqifH.exe
O4 - HKLM\..\Run: [LSPFix] C:\Program Files\Common Files\eAcceleration\LSPfix\LSPmonitor.exe normal
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TMEEJME.EXE] C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtange...ave/Install.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7646.6992824074
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave...eDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} (AOL Downloader Plugin) - http://pak02.picture...ad.1.0.9.14.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
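
The logs in this thread are being read by eye. As an added example that is not part of the original thread or of HijackThis itself, the following Python script applies a few of the lexical heuristics a responder runs over O2/O4/F1 lines: an autostart launched from a temp directory, a short random-looking name in System32 or in the Run value name, a loose executable directly in the Windows directory, a DLL silently re-registered with `regsvr32 /s` at every logon, an unnamed BHO outside Program Files, and a populated `win.ini` `load=`/`run=`. The sample lines are copied from the logs posted above, with the QuickTime, Acrobat Reader and TFNF5 entries kept in as benign controls; the rules, their thresholds and the `Finding` type are my own assumptions, and they produce review prompts, not verdicts.

```python
"""Lexical triage of HijackThis O2/O4/F1 lines (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Sample lines copied from the HijackThis 1.97.7 logs posted in this thread, plus
# the QuickTime, Acrobat and TFNF5 entries as benign controls.  Embedded so the
# script runs offline; it never reads a live registry.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
F1 - win.ini: load=??? ??? ??? ? ? ?
F1 - win.ini: run=??? ??? ??? ? ? ?
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [2ZQLKP#2WLSCTL] C:\WINDOWS\System32\Lryrg9.exe
O4 - HKLM\..\Run: [SafeGuard Popup Updater (required)] regsvr32 /s C:\WINDOWS\System32\PDF5916.dll
O4 - HKLM\..\Run: [RwLS] C:\docume~1\yen\locals~1\temp\RwLS.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
""".strip()

O4_LINE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$")
F1_LINE = re.compile(r"^F1 - win\.ini: (load|run)=(.*)$")
# First drive-letter path in a command, quoted or not, ending in a PE extension.
CMD_PATH = re.compile(r'"?([A-Za-z]:\\.*?\.(?:exe|dll|ocx|com|scr))\b', re.IGNORECASE)
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
WINDOWS_ROOT = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+$", re.IGNORECASE)
SYSTEM32 = re.compile(r"^[A-Za-z]:\\WINDOWS\\System32\\[^\\]+$", re.IGNORECASE)
# Short stem mixing lower-case letters and digits (Lryrg9, Sqk2, JxzW8).  All-caps
# vendor names such as TFNF5 and plain words such as sysupd deliberately miss.
RANDOM_STEM = re.compile(r"^(?=.*[a-z])(?=.*\d)[A-Za-z0-9]{3,8}$")


@dataclass
class Finding:
    line: str
    reasons: list


def command_path(cmd: str):
    """Best-effort path of the file an O4 command runs (None if unqualified)."""
    m = CMD_PATH.search(cmd)
    return m.group(1) if m else None


def stem(path: str) -> str:
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def check_o4(value_name: str, cmd: str) -> list:
    reasons = []
    if cmd.lower().startswith("regsvr32") and " /s " in cmd.lower():
        reasons.append("DLL silently re-registered at every logon via regsvr32 /s")
    if "#" in value_name or RANDOM_STEM.match(value_name):
        reasons.append("random-looking Run value name")
    path = command_path(cmd)
    if path is None:          # bare file name such as TFNF5.exe: nothing more to say
        return reasons
    if TEMP_DIR.search(path):
        reasons.append("autostart from a temp directory")
    if WINDOWS_ROOT.match(path):
        reasons.append("loose executable directly in the Windows directory")
    if SYSTEM32.match(path) and RANDOM_STEM.match(stem(path)):
        reasons.append("random-looking file name in System32")
    return reasons


def check_o2(name: str, path: str) -> list:
    if name == "(no name)" and WINDOWS_ROOT.match(path):
        return ["unnamed BHO loaded from the Windows directory"]
    return []


def check_f1(key: str, value: str) -> list:
    # HijackThis only lists win.ini load=/run= when they carry a value; on XP these
    # legacy autostarts should be empty, so anything here gets a look.
    return [f"win.ini {key}= is populated"] if value.strip() else []


def triage(log_text: str) -> list:
    """Return the lines of a HijackThis log that trip at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        reasons: list = []
        if m := O4_LINE.match(line):
            reasons = check_o4(m.group(3), m.group(4))
        elif m := O2_LINE.match(line):
            reasons = check_o2(m.group(1), m.group(2))
        elif m := F1_LINE.match(line):
            reasons = check_f1(m.group(1), m.group(2))
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```

Run against the embedded sample it flags seven lines: both `win.ini` entries, the unnamed `twaintec.dll` BHO, `sysupd.exe` in the Windows root, `Lryrg9.exe` (twice, for the `#` in the value name and the random stem), the `regsvr32 /s` re-registration of `PDF5916.dll`, and `RwLS.exe` in the temp directory, while QuickTime, Acrobat Reader and TFNF5 pass. A purely lexical filter like this does not catch lower-case random names such as `pexvwsi.exe` or the `qbdcopjbtd` value name in the same log; those are settled only by a file hash or vendor lookup, which is why the output is a list of things to examine rather than a list of things to fix.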

#13 TheChosenOne1123

Posted 27 May 2004 - 06:55 PM

BTW, I can't restart her computer in safe mode; I press F8 when it boots up but then it displays that weird message (square square square) again and again. The message with the squares in my HijackThis log is the exact message I get. Is there an easier way to get rid of this? ;_;

#14 TheChosenOne1123

Posted 27 May 2004 - 10:06 PM

Anyone, lol? I'm desperate :( I clicked Fix on

F1 - win.ini: load=??? ??? ??? ? ? ? 
F1 - win.ini: run=??? ??? ??? ? ? ? 

so hopefully they won't be there anymore. Some spyware/virus/trojan I think I saw:


-dpusys (Notepad showed some weird things in dpusys, like McAfee, Norton, and some other virus scanners; I don't know why it mentioned them when I opened dpusys in Notepad. BTW, will it send me a virus? Or is dpusys already a virus sent by spyware I have? Pointers, please, thanks; I cannot find it in the SpywareGuide database or around the forums.)

-Twain-Tec.dll, twaintec32, twain, and some more files/programs with twain in the name.

-some weird program I just saw called 'nCASE ads uninstaller'; when I try to open it, it says it cannot be located in the registry folder and to go to mdpp (something like that) and remove it from there. BTW, I used Ad-Aware and Spybot, but they never detected n-CASE. Can anyone tell from the HJT log if it is there?

-TSCash is still there; I just need to restart her laptop in safe mode, which I can't do. Every time I try to do it, it displays a weird message when logging on (like ####### cannot load). Somebody told me it happens when you press F8 too soon.

-I didn't use Norton 2004 or that HouseCall yet; I will once her laptop gets faster (I think spyware/trojans are slowing it down dramatically, at least 5 minutes to get to the main page thingy).

-how dangerous can VX2.BetterInternet (Ad-Aware) / VX2.F (Spybot) be? Or that Twain-Tec shit? I already know TSCash can be quite deadly; I need to remove it as soon as possible.

-hopefully if nothing works, I will try to reinstall my sister's laptop and hopefully everything will be back to normal (except that she has sooo many things she downloaded, like AIM and stuff she says she does not want, lol).

-OR... SpywareBlaster / Spybot protection will help me later on.

#15 TheChosenOne1123

Posted 28 May 2004 - 09:25 AM

Anyone? lol

#16 TheChosenOne1123

Posted 28 May 2004 - 06:34 PM

Oh, BTW, now it shows 2 sysupd entries in regedit, one says "sysupd" and another "shortcut to sysupd". I renamed the first sysupd because I thought I couldn't remove it unless I did so, changed it to "DeLSpYware", and automatically the "Shortcut to sysupd" turned into "sysupd" once I changed the name (renamed) of the first sysupd.

#17 Subratam (Retired Staff)

Posted 29 May 2004 - 10:03 AM

Download Peper Uninstaller from here - http://www.downloads....org/uninst.exe.
Then run this uninstaller (you must be online for the uninstall to be successful).

Finally, you are running HijackThis out of a temporary directory. Can you please create a folder in My Documents and call it Hijack (or something similar). Then extract HijackThis into the folder you have created and run it from there. The reason for this is that HijackThis cannot create backup files whilst it is being run from a temporary folder. Then post a fresh HijackThis log, as we have more work to do.
http://blog.emsisoft.com
www.Emsisoft.com

#18 TheChosenOne1123

Posted 30 May 2004 - 09:44 AM

Damn, she has Peper? lol, I gotta get rid of it. Thanks, man. BTW, what does Peper do?

#19 TheChosenOne1123

Posted 30 May 2004 - 09:49 AM

Oh, and yes, I will do what you said about HijackThis. BTW, are there some viruses/trojans/spyware/adware that prevent her laptop from going into safe mode?

#20 TheChosenOne1123

Posted 30 May 2004 - 10:45 AM

BTW, just as a note for anyone who cares (this is for my computer, not my sister's laptop): whenever I view IE or the monitor a lot, these weird green OR purple lines start appearing on one of my monitors (the main one; I have dual-screen) and they have a tendency to appear quite often, and if a lot of them appear on the screen at once, then the monitor shuts off saying (DVI- ? - D) [normally it says (DVI-X-D) when I turn it off/on]. My other monitor in the dual screen has no problems or weird graphical lines appearing. A friend told me it has something to do with color (I guess I was playing too much GTA on my monitor, so he told me it used up way too much color; I didn't know by that time. So now the main monitor is screwed up like hell and nothing is happening to the other one, because the other one shuts off automatically while the main monitor can play GTA and the 2nd one is shut off). I set the color resolution to 16 bit, but either the lines start appearing as much or even MORE, or the main monitor shuts on and off way too many times when I'm not even doing anything on it... Well, I guess my computer uses a lot of color; that probably is the main problem, but can it even be a virus or hacker? BTW, I disabled System Restore to see if that may be the problem.

Edited by TheChosenOne1123, 30 May 2004 - 10:48 AM.


#21 Subratam (Retired Staff)

Posted 30 May 2004 - 11:32 AM

TheChosenOne,

Let's complete one problem at a time. Your sister's laptop has lots of other crap too which we will have to fight against. If you want, please start a new thread with "your" problems, because it sometimes gets confusing with two problems in the "same" thread.

Regarding Peper: the Peper Trojan, also called Troj/Peper-A, Trojan.Peper.A and SandBoxer, downloads files to the user's computer, possibly adware which will open pop-up windows.
And I don't know of viruses/trojans/spyware/adware that prevent a safe-mode boot. I would love to know if there are any ;)

Regards

#22 TheChosenOne1123

Posted 30 May 2004 - 12:43 PM

Alright, thanks dude; once I do what is supposed to be done, I will post a fresh log. For now, see ya!

#23 TheChosenOne1123

Posted 30 May 2004 - 01:09 PM

Alright, I uninstalled using the Peper link you gave me; I didn't need to do anything, lol, it did everything for me real quick. o_O ;_:

I saved HijackThis into My Documents using the HijackThis folder I created.

Logfile of HijackThis v1.97.7
Scan saved at 11:08:49 AM, on 5/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pexvwsi.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\SxgTkBar.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\sysupd.exe
C:\Program Files\AIM95\aim.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Yen\My Documents\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.toshiba.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Popup Blocker Pro - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - C:\Program Files\SafeGuard Pop-up Blocker Pro FREE Edition\popupblocker.dll
O2 - BHO: Core Library - {D4D505DF-D582-400c-91B6-84921012AFE3} - C:\WINDOWS\System32\PDF51e4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll
O4 - HKLM\..\Run: [qbdcopjbtd] C:\WINDOWS\System32\pexvwsi.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [RwLS] C:\docume~1\yen\locals~1\temp\RwLS.exe
O4 - HKLM\..\Run: [cqifH] C:\docume~1\yen\locals~1\temp\cqifH.exe
O4 - HKLM\..\Run: [LSPFix] C:\Program Files\Common Files\eAcceleration\LSPfix\LSPmonitor.exe normal
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TMEEJME.EXE] C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SafeGuard Popup Updater (required)] regsvr32 /s C:\WINDOWS\System32\PDF51e4.dll
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtange...ave/Install.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7646.6992824074
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave...eDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} (AOL Downloader Plugin) - http://pak02.picture...ad.1.0.9.14.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab



is that better? lol

#24 TheChosenOne1123

TheChosenOne1123

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 30 May 2004 - 01:18 PM

btw, i'll be back in 2 hours, gonna go to movies lol

#25 Subratam

Subratam

    Silent Assasinator

  • Retired Staff
  • PipPipPipPip
  • 284 posts

Posted 30 May 2004 - 01:32 PM

Hello,

Peper is gone it seems. :)

Download Spybot S & D and Ad-Aware

press ctrl, alt and del and end task

C:\WINDOWS\System32\pexvwsi.exe
C:\WINDOWS\sysupd.exe

Now fix the following entries in HijackThis,

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O4 - HKLM\..\Run: [qbdcopjbtd] C:\WINDOWS\System32\pexvwsi.exe
O4 - HKLM\..\Run: [RwLS] C:\docume~1\yen\locals~1\temp\RwLS.exe
O4 - HKLM\..\Run: [cqifH] C:\docume~1\yen\locals~1\temp\cqifH.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsv.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab

Reboot in SAFE MODE and Show Hidden Files/Folders and delete if found,

C:\WINDOWS\System32\pexvwsi.exe
C:\WINDOWS\sysupd.exe
C:\docume~1\yen\locals~1\temp\RwLS.exe
C:\docume~1\yen\locals~1\temp\cqifH.exe
C:\WINDOWS\System32\wnsintsv.exe

Then delete whole temp folder. Now Reboot in normal mode, Run Spybot and check for updates. Then run full scan with it. Reboot and Run Ad-aware now and check for updates. Then run complete scan.

Reboot in normal mode and post a fresh log

Regards
http://blog.emsisoft.com
www.Emsisoft.com

#26 TheChosenOne1123

TheChosenOne1123

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 30 May 2004 - 05:12 PM

alright ill do that tonight when my sis is sleeping so cheers for now :)

#27 TheChosenOne1123

TheChosenOne1123

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 01 June 2004 - 10:08 AM

Finally i get the chance to use her laptop.

I deleted the entries u fixed after ending sysupd task, but it keeps coming back! I renamed sysupd to "SpywareDelete" and another one just came back after renaming it. btw, sysupd also keeps starting up when I go to "Msconfig" where i uncheck sysupd, ANOTHER one shows right up!


F8 is a bit hard for me, so is there another way to boot into safe mode? like using "msconfig" and "Diagnostic Setup" ? or is f8 the only way?

#28 TheChosenOne1123

TheChosenOne1123

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 06 June 2004 - 12:18 PM

uhm..anyone know? o_O lol, sorry couldn't go on for long time,had quite a bit of problems with my main computer

#29 TheChosenOne1123

TheChosenOne1123

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 07 June 2004 - 09:54 PM

ah hell no..now HijackThis detects TVMedia and some CleverIEHooker in Spybot, how does my sister keep getting this krap? luckily my cousin will help me get into safe mode later on. ok i'll post if i have any more problems or when i'm done doing what Subratam said to do. for now, laterz

#30 iguagaby

iguagaby

    Forum Deity

  • Trusted Advisor*
  • PipPipPipPipPip
  • 2,220 posts

Posted 08 June 2004 - 11:22 PM

Hi TheChosenOne1123,

Are you still waiting for help? If you are, please reply, and I will get you some expert help. You have nasty things here to deal with.
THEY CAN HIDE, BUT THEY CAN'T ESCAPE!


#31 TheChosenOne1123

TheChosenOne1123

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 09 June 2004 - 11:15 PM

Yeah, can you get an expert to see my problems?

The symptoms are getting worse.

When my sister tries to print from her laptop to my printer it prints out some of the words, but the others are messed up; sometimes the words don't appear at all, or they are combined with other letters making a weird symbol, and there are weird symbols all over the place.

Recently she has more Spyware, i suppose, and there's absolutely nothing i suppose i can do till i can get it in safe mode. my friggin sister doesn't want my cousin to come and reboot to safe mode, she is very stubborn.

i'm afraid Twaintec.dll may be "Adware.Binet.", which, in Symantec's database, is also known as "Download.Trojan" and something else. The symptoms are that it might install other trojans or files and is ...uhm...kinda hard for me to remove... her computer right now is totally messed up, TOTALLY messed up, she even has TV media now, i dunno how the heck that got in her computer, right now Popup blocker has blocked about 1300 popups in like 2 weeks. (considering she NEVER used to get popups)

i'll post a fresh log around tomorrow, IF i can ever access her computer, which i think will probably get worse by then...please god, if you can help it would be appreciated

#32 iguagaby

iguagaby

    Forum Deity

  • Trusted Advisor*
  • PipPipPipPipPip
  • 2,220 posts

Posted 09 June 2004 - 11:19 PM

I'll get an expert as soon as possible!
THEY CAN HIDE, BUT THEY CAN'T ESCAPE!


#33 TheChosenOne1123

TheChosenOne1123

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 09 June 2004 - 11:30 PM

alright, thx dude, i appreciate it, i dunno how much longer it can last...her homepage hasn't been hijacked for a while, thank god for that, and one problem which can be dealt with later is this thing i see when browsing C:\Windows, "n-CASE ads uninstaller", which is weird. also, another thing, i keep seeing this thing called "dpusys.d" and some other dpusys stuff. i opened it in notepad and it displays some weird message displaying the name of McAfee, Norton, and some other virus scanners.

Btw, can anyone tell exactly HOW many problems there are? if there are more than 20, then screw that, i'm gonna throw her friggin laptop off a building lol

#34 Subratam

Subratam

    Silent Assasinator

  • Retired Staff
  • PipPipPipPip
  • 284 posts

Posted 10 June 2004 - 12:57 AM

Hello again,

Please post a fresh log. And we will go from there. Do NOT do anything of your own. We will see you through. :)

Regards

Edited by Subratam, 10 June 2004 - 01:01 AM.

http://blog.emsisoft.com
www.Emsisoft.com

#35 TheChosenOne1123

TheChosenOne1123

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 10 June 2004 - 10:06 AM

Thanks Subratam and others, i appreciate your help. i'm pretty sure at least one of her spyware or trojan progs is installing another trojan, not sure lolz.


Logfile of HijackThis v1.97.7
Scan saved at 8:03:23 AM, on 6/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\SxgTkBar.exe
C:\Program Files\QuickTime\qttask.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\tavhdb.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\sysupd.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Documents and Settings\Yen\My Documents\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.toshiba.com/
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Popup Blocker Pro - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - C:\Program Files\SafeGuard Pop-up Blocker Pro FREE Edition\popupblocker.dll
O2 - BHO: Core Library - {D4D505DF-D582-400c-91B6-84921012AFE3} - C:\WINDOWS\System32\PDF1117.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMEEJME.EXE] C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LSPFix] C:\Program Files\Common Files\eAcceleration\LSPfix\LSPmonitor.exe normal
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [honuhv] C:\WINDOWS\tavhdb.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [SafeGuard Popup Updater (required)] regsvr32 /s C:\WINDOWS\System32\PDF1117.dll
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtange...ave/Install.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7646.6992824074
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave...eDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} (AOL Downloader Plugin) - http://pak02.picture...ad.1.0.9.14.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab



I can't quite restart in safe mode and can't delete sysupd, whenever i try to disable it from starting up using msconfig, another sysupd comes up and i can't disable the 2nd one...god this is getting annoying..i MUST access safe mode soon!

#36 TheChosenOne1123

TheChosenOne1123

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 10 June 2004 - 10:22 AM

Omfg woot woot i finally managed to delete sysupd (1090 dialer), without the use of safe mode! this is an unusual but working way

1. i fixed the [Run] Sysupd entry in HijackThis.
2. While i fixed it, i had Windows Task Manager open and when it fixed, i immediately clicked "End process" on sysupd.exe
3. I also had Windows Explorer at C:\WINDOWS open and ready to delete Sysupd (application); when i ended the sysupd.exe process i immediately deleted Sysupd in C:\Windows and it went to the recycle bin
4. I then emptied the Recycle bin right away.


lol, it was easy to do, i was like OMFG IT's FINALLY GONE!!! but i don't know yet, it might still be in the Registry or anywhere, after seemingly deleting this dialer, i used spybot and it didn't detect TSCash anymore. So i'm guessing it's gone for now, never gonna come back correct? unless some program in my sis computer installs it at every reboot...then i'm really screwed...lol

and oh, with those 4 steps i think you have 5 seconds to do everything before sysupd loads again and shows that error deleting message.

#37 TheChosenOne1123

TheChosenOne1123

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 10 June 2004 - 10:22 AM

Logfile of HijackThis v1.97.7
Scan saved at 8:22:39 AM, on 6/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\SxgTkBar.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\tavhdb.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\toshiba\ivp\ism\ivpsvmgr.exe
C:\Documents and Settings\Yen\My Documents\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.toshiba.com/
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Popup Blocker Pro - {A44B961C-8C36-470f-8555-EDA0EFC1E710} - C:\Program Files\SafeGuard Pop-up Blocker Pro FREE Edition\popupblocker.dll
O2 - BHO: Core Library - {D4D505DF-D582-400c-91B6-84921012AFE3} - C:\WINDOWS\System32\PDF1117.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMEEJME.EXE] C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LSPFix] C:\Program Files\Common Files\eAcceleration\LSPfix\LSPmonitor.exe normal
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [honuhv] C:\WINDOWS\tavhdb.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [SafeGuard Popup Updater (required)] regsvr32 /s C:\WINDOWS\System32\PDF1117.dll
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtange...ave/Install.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7646.6992824074
O16 - DPF: {9FC87BC7-7963-4B70-8485-B1A41034C9A1} (CSonyPicturesGameDownloaderCtl Object) - http://www.shockwave...eDownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} (AOL Downloader Plugin) - http://pak02.picture...ad.1.0.9.14.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab

#38 Subratam

Subratam

    Silent Assasinator

  • Retired Staff
  • PipPipPipPip
  • 284 posts

Posted 10 June 2004 - 05:09 PM

Hello,

press ctrl, alt and del and end task

C:\WINDOWS\tavhdb.exe

Now fix the following entries in HijackThis,

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [honuhv] C:\WINDOWS\tavhdb.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtange...ave/Install.cab

Reboot in SAFE MODE and Show Hidden Files/Folders and delete if found,

C:\WINDOWS\tavhdb.exe
C:\Program Files\webHancer
C:\Program Files\TV Media

Reboot in normal mode and post a fresh log

Regards
http://blog.emsisoft.com
www.Emsisoft.com
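A first-pass triage of the kinds of HijackThis entries the helper singles out in posts #25 and #38 (autoruns launched from a temp folder, executables dropped straight into C:\WINDOWS, and BHO/toolbar/search-hook registrations whose file is already gone). This is an added example, not a tool from the thread or from the HijackThis project; the sample lines are constructed from the logs quoted above, and the three rules are heuristics, not a replacement for the line-by-line review the helpers do.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: entries copied from the thread's logs, plus a benign
# QuickTime line and a regsvr32 line to show what is NOT flagged.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O4 - HKLM\..\Run: [qbdcopjbtd] C:\WINDOWS\System32\pexvwsi.exe
O4 - HKLM\..\Run: [RwLS] C:\docume~1\yen\locals~1\temp\RwLS.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Popup Defence Updater] regsvr32 /s C:\WINDOWS\System32\pdfupd.dll
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
"""

# O4 lines: "O4 - HKLM\..\Run: [value name] command line"
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# First drive-rooted (or %SystemRoot%-rooted) path ending in a PE extension
PATH_RE = re.compile(r'(?:[A-Za-z]:|%SystemRoot%)\\[^"]*?\.(?:exe|dll|ocx)\b', re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# An .exe sitting directly in the Windows directory (no subfolder)
WINROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$")


@dataclass
class Finding:
    section: str                          # HijackThis section tag: O4, O2, O3, R3 ...
    name: str                             # Run value name, or CLSID for BHO/hook lines
    path: str                             # extracted binary path, "" if none on the line
    reasons: list = field(default_factory=list)


def triage(log_text: str) -> list:
    """Return a Finding for every HijackThis line that trips at least one rule."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        run = RUN_RE.match(line)
        if run:
            name, cmd = run.group("name"), run.group("cmd")
        else:
            clsid = CLSID_RE.search(line)
            name, cmd = (clsid.group(0) if clsid else "?"), line
        found = PATH_RE.search(cmd)
        path = found.group(0) if found else ""
        f = Finding(section, name, path)
        low = path.lower()
        if "\\temp\\" in low:
            f.reasons.append("autorun launches from a temp directory")
        if WINROOT_RE.match(low):
            f.reasons.append("executable placed directly in the Windows directory")
        if cmd.endswith("(no file)"):
            f.reasons.append("registration points at a file that no longer exists")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.name}: {'; '.join(f.reasons)}")
```

Note that [qbdcopjbtd] pexvwsi.exe in System32 trips none of these rules even though the helper fixes it; random-looking value names still need a human eye.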
