Have a CWS problem I would like to get fixed


24 replies to this topic

#1 newb who needs help (Full Member)
Posted 08 June 2004 - 01:48 PM

My problem always sets my homepage to http://thesearchmall.com/

Here is my logfile:
Logfile of HijackThis v1.97.7
Scan saved at 11:47:12 AM, on 6/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\PROGRA~1\ORGANI~1\SmartSync.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINDOWS\System32\qkcxsipk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\DOCUME~1\TANNER~1\LOCALS~1\Temp\~e5d141.tmp
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tanner Flatland\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thesearchmall.com/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thesearchmall.com/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://thesearchmall.com/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thesearchmall.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.e4me.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: ohb - {0AEE4D0C-4B38-4196-AE32-70ACE5656647} - C:\WINDOWS\System32\winsrm32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: TheSearchMall.com Bar - {4B8F38C7-62FC-4762-B9A0-27E63F768167} - C:\WINDOWS\System32\winsrm32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SmartSync] C:\PROGRA~1\ORGANI~1\SmartSync.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [cuycxbsvt] C:\WINDOWS\System32\qkcxsipk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...dir_Alt_Pub.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {41D13E9A-BB94-402A-8502-AFA78526B63D} (iiittt Class) - file://C:\install.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7967.6182638889
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...bio5_3_16_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B47AC074-394C-4675-A6B0-033B3C84A140}: NameServer = 64.33.128.10 209.143.0.10

I also used Spybot and Ad-Aware and both came up with adware and spyware.

Some of the spyware I couldn't delete.

I would appreciate any help, and thanks in advance.

#2 CRUZTAKER (Full Member)
Posted 08 June 2004 - 04:16 PM

You came to the right place! You have acquired that nasty "TOPLIST" browser hijacker. There is no program that will completely remove this nuisance. Someone here will hook you up soon. Good luck!
MM.NET OHIO FORUM LEADER

#3 dave38 (Emeritus)
Posted 08 June 2004 - 04:31 PM

Have HijackThis fix all of the following by placing a check in the appropriate boxes and hitting "Fix checked". Make sure all browser and all Windows Explorer windows are closed before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thesearchmall.com/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thesearchmall.com/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://thesearchmall.com/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thesearchmall.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.e4me.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: ohb - {0AEE4D0C-4B38-4196-AE32-70ACE5656647} - C:\WINDOWS\System32\winsrm32.dll

O3 - Toolbar: TheSearchMall.com Bar - {4B8F38C7-62FC-4762-B9A0-27E63F768167} - C:\WINDOWS\System32\winsrm32.dll

O4 - HKLM\..\Run: [cuycxbsvt] C:\WINDOWS\System32\qkcxsipk.exe

O16 - DPF: {41D13E9A-BB94-402A-8502-AFA78526B63D} (iiittt Class) - file://C:\install.cab

Reboot, and delete these files:

C:\install.cab
C:\WINDOWS\System32\qkcxsipk.exe

These may be hidden files. See HERE for how to show hidden files.

Please post a follow-up HijackThis log, and say if your problems persist.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum

#4 newb who needs help
Posted 08 June 2004 - 06:58 PM

How do I delete the last file?

C:\WINDOWS\System32\qkcxsipk.exe

#5 newb who needs help
Posted 08 June 2004 - 07:00 PM

Also, should I delete the file "desktop"? It came with the backups.

#6 newb who needs help
Posted 08 June 2004 - 08:01 PM

bump

#7 newb who needs help
Posted 08 June 2004 - 09:14 PM

I deleted C:\install.cab successfully (at least I hope); the icon that represented it looked like a file cabinet.

When I try to delete C:\WINDOWS\System32\qkcxsipk.exe it says "this application is being used by another person or program".

Again, thanks for all your help, and I hope maybe someday I can know how to fix these kinds of things on my own.

#8 newb who needs help
Posted 09 June 2004 - 11:33 AM

Um, if you want it, here is my full report from WinPatrol.

WinPatrol Startup Programs
6/9/2004 9:30

# IgfxTray

igfxtray.exe
igfxTray Module
Version: 7,0,0,1132
Copyright 1999-2001, Intel Corporation
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\WINDOWS\system32\igfxtray.exe

# HotKeysCmds

hkcmd.exe
hkcmd Module
Version: 7,0,0,1132
Copyright 1999-2001, Intel Corporation
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\WINDOWS\system32\hkcmd.exe

# LXSUPMON

LXSUPMON.EXE RUN
Supplies Monitor
Version: 2.2.64.1
Copyright 2000
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\WINDOWS\System32\LXSUPMON.EXE RUN

# SmartSync

SmartSync.exe
SmartSync MFC Application
Version: 1, 0, 0, 1
Copyright © 2000
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\OrganizerLink\SmartSync.exe

# TkBellExe

realsched.exe -osboot
RealNetworks Scheduler
Version: 0.1.0.1622
Copyright RealNetworks, Inc. 1995-2002
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

# gjderzzrri

qkcxsipk.exe
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\WINDOWS\system32\qkcxsipk.exe

# WinPatrol

WinPatrol.exe
WinPatrol By BillP Studios
Version: 7.0.1.0
Copyright 1997- 2004 BillP Studios
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe

# MSMSGS

msmsgs.exe /background
Messenger
Version: Version 4.7
Copyright © Microsoft Corporation 1997-2003
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\Messenger\msmsgs.exe /background

# MoneyAgent

Money Express.exe
Microsoft Money Express
Version: 8.00.0731
Copyright © Microsoft Corp. 1990-1999. All rights reserved.
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Path: C:\Program Files\Microsoft Money\System\Money Express.exe

# SpywareGuard

sgmain.exe
SpywareGuard
Version: 2.02.0001
Copyright © 2002-2003 Javacool Software LLC
Location: Windows Startup Group
Path: C:\Program Files\SpywareGuard\sgmain.exe

#9 newb who needs help
Posted 09 June 2004 - 12:38 PM

Bump. While I've been waiting (which I know you guys have a lot of work to do) I've been setting up my computer from being hijacked by following your instructions.

I installed Mozilla and I found I don't like it very much, so I decided to set IE up. One thing is I can't download Sun Java because it costs money, and I can't get NOD32 for the same reason. Also, when I was setting up the things that you get the choices of enable/disable/prompt for, a lot of my stuff said enable instead of prompt, and I'm guessing the people we sent our computer to set it like that (we sent it to these people because we had multiple viruses and spyware). So anyway, please reply to my posts as soon as possible.

#10 dave38
Posted 09 June 2004 - 03:38 PM

Please post a follow-up HijackThis log so we can see what's happening.

A good antivirus program is AVG Free Edition, from www.grisoft.com.

The Sun Java installer is free; what you may have been looking at was the full package!

#11 newb who needs help
Posted 09 June 2004 - 09:44 PM

Logfile of HijackThis v1.97.7
Scan saved at 7:45:00 PM, on 6/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\PROGRA~1\ORGANI~1\SmartSync.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\qkcxsipk.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Documents and Settings\Tanner Flatland\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.e4me.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SmartSync] C:\PROGRA~1\ORGANI~1\SmartSync.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gjderzzrri] C:\WINDOWS\System32\qkcxsipk.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...dir_Alt_Pub.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7967.6182638889
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...bio5_3_16_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B47AC074-394C-4675-A6B0-033B3C84A140}: NameServer = 64.33.128.10 209.143.0.10
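Added example (Python; not code from this thread and not part of HijackThis): a small triage script that applies the checks dave38 made by eye in post #3 to the entries of the first log, and then compares the first log with the follow-up log above, where the same qkcxsipk.exe is now started from a Run value named [gjderzzrri] instead of [cuycxbsvt]. The sample input is excerpted from the logs posted in #1 and #11. The rare-letter and vowel thresholds in looks_random, the trusted_hosts list (empty for the first log, since the user chose none of those pages, which is why dave38's list included the e4me.com line too) and the known_good_files list are illustrative assumptions. Nothing here touches the registry or deletes files; it only reads log text.

```python
"""Triage helper for HijackThis-style logs (added example; not code from this thread or from HijackThis).
Encodes the checks dave38 applied by eye in post #3 and the log-to-log comparison he asked for in post #10.
The thresholds and allow-lists are illustrative assumptions, not HijackThis rules.
"""
import re
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
DLL_RE = re.compile(r" - (?P<path>[A-Za-z]:\\.+)$")
RARE_LETTERS = set("jkqxzvb")  # assumption: letters that are rare in genuine product names
VOWELS = set("aeiouy")

# Sample input, excerpted from the logs posted in #1 and #11 (process lists omitted; triage ignores them).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thesearchmall.com/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thesearchmall.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.e4me.com
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: ohb - {0AEE4D0C-4B38-4196-AE32-70ACE5656647} - C:\WINDOWS\System32\winsrm32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: TheSearchMall.com Bar - {4B8F38C7-62FC-4762-B9A0-27E63F768167} - C:\WINDOWS\System32\winsrm32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [cuycxbsvt] C:\WINDOWS\System32\qkcxsipk.exe
O16 - DPF: {41D13E9A-BB94-402A-8502-AFA78526B63D} (iiittt Class) - file://C:\install.cab
"""
LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.e4me.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [gjderzzrri] C:\WINDOWS\System32\qkcxsipk.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
"""


def parse_log(text):
    """Return the R/O entries of a log as (kind, body) tuples; process lists and headers are skipped."""
    found = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group("kind"), m.group("body")) for m in found if m]


def looks_random(name):
    """Machine-generated-name heuristic: 7+ letters with 30%+ rare letters or 12% or fewer vowels."""
    letters = [c for c in name.lower() if c.isalpha()]
    n = len(letters)
    if n < 7:
        return False
    rare = sum(c in RARE_LETTERS for c in letters)
    vowels = sum(c in VOWELS for c in letters)
    return rare * 10 >= 3 * n or vowels * 100 <= 12 * n


def triage(entries, trusted_hosts=(), known_good_files=()):
    """Return [(kind, body, reason)] for entries a helper would put on the fix list."""
    trusted = {h.lower() for h in trusted_hosts}      # hosts the user actually wants as home/search page
    good = {f.lower() for f in known_good_files}      # extension files recognised as legitimate
    flagged = []
    for kind, body in entries:
        reason = None
        if kind in ("R0", "R1"):
            host = urlparse(body.rsplit(" = ", 1)[-1]).hostname or ""
            if host and host.lower() not in trusted:
                reason = f"IE start/search setting points at {host}, which the user did not choose"
        elif kind in ("O2", "O3"):
            m = DLL_RE.search(body)
            fname = m.group("path").rsplit("\\", 1)[-1].lower() if m else "(unparsed path)"
            if fname not in good:
                reason = f"browser extension loaded from unrecognised file {fname}"
        elif kind == "O4":
            m = O4_RE.match(body)
            if m:
                exe = m.group("cmd").strip('"').rsplit("\\", 1)[-1].split(".")[0]
                if looks_random(m.group("name")) or looks_random(exe):
                    reason = f"autostart with random-looking name [{m.group('name')}] -> {exe}"
        elif kind == "O16":
            parts = body.rsplit(" - ", 1)
            scheme = urlparse(parts[1].strip()).scheme if len(parts) == 2 else ""
            if scheme and scheme not in ("http", "https"):
                reason = f"Downloaded Program File registered from a {scheme}:// source"
        if reason:
            flagged.append((kind, body, reason))
    return flagged


def renamed_autostarts(before, after):
    """O4 entries whose command is unchanged but whose Run value name changed, as qkcxsipk.exe did above."""
    def run_values(entries):
        matches = [O4_RE.match(body) for kind, body in entries if kind == "O4"]
        return {(m.group("hive"), m.group("cmd")): m.group("name") for m in matches if m}
    old, new = run_values(before), run_values(after)
    return [(old[k], new[k], k[1]) for k in old if k in new and old[k] != new[k]]


if __name__ == "__main__":
    before, after = parse_log(LOG_BEFORE), parse_log(LOG_AFTER)
    for kind, body, why in triage(before, known_good_files=["msdxm.ocx"]):
        print(f"FIX {kind} - {body}\n    {why}")
    for old_name, new_name, cmd in renamed_autostarts(before, after):
        print(f"RENAMED [{old_name}] -> [{new_name}] still runs {cmd}")
```

Run against the first-log excerpt it flags the same kinds of entries dave38 listed (the thesearchmall.com and e4me.com R lines, both winsrm32.dll entries, mxTarget.dll, the [cuycxbsvt] autostart and the file:// DPF) while letting the &Radio toolbar and IgfxTray through. Run against the follow-up excerpt with www.e4me.com trusted, the only flag left is the autostart, and renamed_autostarts shows why the thread keeps coming back to it: between the two logs the value name changed while the path did not, which is the detail to look for in a follow-up log.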

#12 newb who needs help
Posted 10 June 2004 - 12:57 AM

Bump.
Please reply. I know you have been very busy, but please reply as soon as possible; I just need to know how to delete

C:\WINDOWS\System32\qkcxsipk.exe

Thanks for all your help again.

#13 newb who needs help
Posted 10 June 2004 - 10:29 AM

BUMP

#14 newb who needs help
Posted 10 June 2004 - 10:48 AM

Just curious: should I go to Windows Task Manager and end qkcxsipk.exe, because it shows it as a process?

I have not had any problems with the homepage anymore. I just want to know if someone has a link to the free Sun Java, and if I should not have changed all those security settings on IE like the Facts told me to, because a couple of months ago we sent our computer in because it was acting funny (turned out we had 3 viruses and MANY spyware) and every security setting the Facts told me to put on prompt was actually on enable.

But anyway, please help as soon as possible. I know you all are very busy helping as many as you can and I respect that, so whenever you can, please reply.

#15 newb who needs help
Posted 10 June 2004 - 11:03 AM

OK, I have finally deleted qkcxsipk.exe. Now I just need to know if I should delete a file called "desktop"; it came with my backup files. This is what is in "desktop":

[LocalizedFileNames]
Windows Media Player.lnk=@C:\WINDOWS\inf\unregmp2.exe,-4

Should I delete it or should I not delete it, that is the question. And if someone can, please post a link to the free Sun Java.

#16 dave38
Posted 10 June 2004 - 05:34 PM

Run HijackThis again, and fix

O4 - HKLM\..\Run: [gjderzzrri] C:\WINDOWS\System32\qkcxsipk.exe

Reboot, and delete the file C:\WINDOWS\System32\qkcxsipk.exe

The Sun Java package can be downloaded from
http://java.com/en/d.../win_manual.jsp

The installation of anti-virus software is even more important!

Where is this desktop file that concerns you? There are several files of that name in a Windows installation.

#17 newb who needs help
Posted 21 June 2004 - 11:07 PM

Sorry I haven't been replying; I've been at camp for a week.

The desktop file isn't a problem anymore.
I did install AVG 6.0 Free Edition.

I must have already deleted C:\WINDOWS\System32\qkcxsipk.exe.

Here is my new logfile. Thanks for your help.

Logfile of HijackThis v1.97.7
Scan saved at 9:06:12 PM, on 6/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\lexpps.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Tanner Flatland\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.e4me.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...dir_Alt_Pub.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7967.6182638889
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...bio5_3_16_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B47AC074-394C-4675-A6B0-033B3C84A140}: NameServer = 64.33.128.10 209.143.0.10

#18 newb who needs help
Posted 21 June 2004 - 11:10 PM

Sometimes when I start Windows XP, AVG reports a trojan, so I run AVG to delete it, but it always says there is no virus infection. So what do I do?

#19 newb who needs help
Posted 25 June 2004 - 05:54 PM

bump

#20 dave38
Posted 26 June 2004 - 04:52 AM

What file is reported by AVG, and where is it?

#21 newb who needs help
Posted 26 June 2004 - 10:38 PM

Here is exactly what it says:

Virus
Trojan horse Downloader.Agent.AS

is found in file
C:\System Volume Information\_restore{14659502-6D34-49D9-9E9D-AACE03A0D61B}\RP15\A0003198.exe

To remove this virus, please run AVG for Windows

So I run AVG and it detects nothing.

Also, please tell me if my logfile is clean.

#22 newb who needs help
Posted 27 June 2004 - 11:04 PM

bump

#23 newb who needs help
Posted 28 June 2004 - 01:37 PM

bump

#24 dave38
Posted 28 June 2004 - 02:08 PM

To remove that trojan, you must clear all your old restore points.

Here's how:
Right-click on the My Computer icon. Select Properties > System Restore tab.
Put a check in the box "Turn off System Restore on all drives" and click Apply.

Reboot. That will purge all the restore points, and the associated files.

Then repeat the above procedure, this time removing the checkmark.

Then set a clean restore point.

#25 newb who needs help
Posted 28 June 2004 - 05:29 PM

Thanks. Now can you please check my logfile? I'll post a new, fresher one.

Logfile of HijackThis v1.97.7
Scan saved at 3:29:01 PM, on 6/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tanner Flatland\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.e4me.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...dir_Alt_Pub.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7967.6182638889
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...bio5_3_16_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B47AC074-394C-4675-A6B0-033B3C84A140}: NameServer = 64.33.128.10 209.143.0.10



