newb who needs help

Have a CWS problem i would like to get fixed

25 posts in this topic

My problem always sets my homepage to http://thesearchmall.com/

 

here is my logfile

Logfile of HijackThis v1.97.7

Scan saved at 11:47:12 AM, on 6/8/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\System32\LXSUPMON.EXE

C:\PROGRA~1\ORGANI~1\SmartSync.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

C:\WINDOWS\System32\qkcxsipk.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\DOCUME~1\TANNER~1\LOCALS~1\Temp\~e5d141.tmp

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Tanner Flatland\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thesearchmall.com/index.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thesearchmall.com/index.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://thesearchmall.com/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thesearchmall.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.e4me.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll

O2 - BHO: ohb - {0AEE4D0C-4B38-4196-AE32-70ACE5656647} - C:\WINDOWS\System32\winsrm32.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: TheSearchMall.com Bar - {4B8F38C7-62FC-4762-B9A0-27E63F768167} - C:\WINDOWS\System32\winsrm32.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN

O4 - HKLM\..\Run: [smartSync] C:\PROGRA~1\ORGANI~1\SmartSync.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [cuycxbsvt] C:\WINDOWS\System32\qkcxsipk.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKLM\..\RunOnce: [spyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...dir_Alt_Pub.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {41D13E9A-BB94-402A-8502-AFA78526B63D} (iiittt Class) - file://C:\install.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) -

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7967.6182638889

O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion....bio5_3_16_0.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{B47AC074-394C-4675-A6B0-033B3C84A140}: NameServer = 64.33.128.10 209.143.0.10

 

I also used Spybot and Ad-Aware, and both came up with adware and spyware.

 

Some of the spyware I couldn't delete.

 

I would appreciate any help, and thanks in advance.


You came to the right place! You have acquired that nasty "TOPLIST" browser hijacker. There is no program that will completely remove this nuisance. Someone here will hook you up soon. Good luck!


Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thesearchmall.com/index.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thesearchmall.com/index.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://thesearchmall.com/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thesearchmall.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.e4me.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php

O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll

O2 - BHO: ohb - {0AEE4D0C-4B38-4196-AE32-70ACE5656647} - C:\WINDOWS\System32\winsrm32.dll

 

O3 - Toolbar: TheSearchMall.com Bar - {4B8F38C7-62FC-4762-B9A0-27E63F768167} - C:\WINDOWS\System32\winsrm32.dll

 

O4 - HKLM\..\Run: [cuycxbsvt] C:\WINDOWS\System32\qkcxsipk.exe

 

O16 - DPF: {41D13E9A-BB94-402A-8502-AFA78526B63D} (iiittt Class) - file://C:\install.cab

Reboot, and delete

 

files

C:\install.cab

C:\WINDOWS\System32\qkcxsipk.exe

 

These may be hidden files. See HERE for how to show hidden files.

 

Please post a followup Hijack this log, and say if your problems persist.

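The fix list above was produced by reading the log by eye. As an added example for this thread (not HijackThis code, and not the helper's own method), the Python script below writes those same eyeball rules down as heuristics and runs them over excerpts of the two logs posted here: start/search-page URLs on the hijacker's domain (thesearchmall.com, as named in the log), an autorun binary that is not on a known-good list, an ActiveX control (O16) sourced from a local file:// path, one DLL registered as both a BHO (O2) and a toolbar (O3) the way winsrm32.dll is, and an autorun whose value name changed between logs while its path stayed the same (cuycxbsvt to gjderzzrri for qkcxsipk.exe). The known-good list is an assumption made for the example, not a vetted whitelist; the log excerpts are copied from the posts above.

```python
"""Heuristic triage of HijackThis log entries.

Added example for this thread; it is not HijackThis code and not the
helper's method, just the rules behind the fix list written down.
The log excerpts are taken from the logs posted in the thread; the
known-good list is an assumption made for the example.
"""
import re
from collections import defaultdict

# Redirect target named in the thread.
HIJACK_HOSTS = {"thesearchmall.com"}

# Autorun binaries the thread leaves alone (assumption, not a vetted whitelist).
KNOWN_GOOD_RUN = {
    "igfxtray.exe", "hkcmd.exe", "lxsupmon.exe", "smartsync.exe",
    "realsched.exe", "msmsgs.exe", "money express.exe", "spybotsd.exe",
    "winpatrol.exe", "avgcc32.exe", "jusched.exe",
}

LINE_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://([^/\s]+)", re.I)
RUN_RE = re.compile(r"\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(.*?\.exe)', re.I)

# Excerpt of the 6/8/2004 log posted above.
LOG_JUNE_8 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thesearchmall.com/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://thesearchmall.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.e4me.com
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: ohb - {0AEE4D0C-4B38-4196-AE32-70ACE5656647} - C:\WINDOWS\System32\winsrm32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: TheSearchMall.com Bar - {4B8F38C7-62FC-4762-B9A0-27E63F768167} - C:\WINDOWS\System32\winsrm32.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [cuycxbsvt] C:\WINDOWS\System32\qkcxsipk.exe
O16 - DPF: {41D13E9A-BB94-402A-8502-AFA78526B63D} (iiittt Class) - file://C:\install.cab
"""

# Excerpt of the 6/9/2004 follow-up log: same binary, new value name.
LOG_JUNE_9 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.e4me.com/
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [gjderzzrri] C:\WINDOWS\System32\qkcxsipk.exe
"""


def parse(log_text):
    """Return (type, body) for every R/O entry line; other lines are ignored."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group("type"), m.group("body")))
    return out


def exe_basename(cmd):
    """Lowercased file name of the program in an O4 command line."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    path = m.group(1) if m else (cmd.split()[0] if cmd else "")
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return (reason, evidence) pairs for entries a reviewer should look at."""
    findings = []
    dll_roles = defaultdict(set)
    for etype, body in parse(log_text):
        line = f"{etype} - {body}"
        if etype in ("R0", "R1"):
            m = URL_RE.search(body)
            if m and m.group(1).lower() in HIJACK_HOSTS:
                findings.append(("search/start page points at hijacker", line))
        elif etype in ("O2", "O3"):
            dll_roles[body.rsplit(" - ", 1)[-1].lower()].add(etype)
        elif etype == "O4":
            m = RUN_RE.search(body)
            if m and exe_basename(m.group("cmd")) not in KNOWN_GOOD_RUN:
                findings.append(("autorun binary not on known-good list", line))
        elif etype == "O16" and "file://" in body.lower():
            findings.append(("ActiveX control sourced from local file://", line))
    # One DLL registered as both a BHO (O2) and a toolbar (O3), as winsrm32.dll
    # is in the first log. Legitimate toolbars do this too, so this is a review
    # flag rather than a verdict.
    for dll, roles in dll_roles.items():
        if {"O2", "O3"} <= roles:
            findings.append(("DLL registered as both BHO and toolbar", dll))
    return findings


def renamed_autoruns(old_log, new_log):
    """O4 entries whose command is unchanged but whose value name differs."""
    def run_map(text):
        return {m.group("cmd").strip(): m.group("name")
                for etype, body in parse(text) if etype == "O4"
                for m in [RUN_RE.search(body)] if m}
    old, new = run_map(old_log), run_map(new_log)
    return [(old[c], new[c], c) for c in old if c in new and old[c] != new[c]]


if __name__ == "__main__":
    for reason, evidence in triage(LOG_JUNE_8):
        print(f"[{reason}] {evidence}")
    for old_name, new_name, cmd in renamed_autoruns(LOG_JUNE_8, LOG_JUNE_9):
        print(f"[autorun renamed {old_name} -> {new_name}] {cmd}")
```

Run against the first log it flags exactly the entries the helper told the poster to fix and leaves the e4me.com default page and the Intel/Real autoruns alone. On the follow-up log the renamed-autorun check catches that qkcxsipk.exe is still present under a new value name, which is the reason the later reply asks for the O4 entry to be fixed again before the file is deleted. The shared-DLL rule also fires on the Google Toolbar in the second log, which is why it is phrased as a review flag and not a verdict.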

I deleted C:\install.cab successfully (at least I hope). The icon that represented it looked like a file cabinet.

 

When I try to delete C:\WINDOWS\System32\qkcxsipk.exe it says "this application is being used by another person or program".

 

Again, thanks for all your help, and I hope maybe someday I can know how to fix these kinds of things on my own.


Um, if you want it, here is my full report from WinPatrol.

 

WinPatrol Startup Programs

6/9/2004 9:30

 

# IgfxTray

 

igfxtray.exe

igfxTray Module

Version: 7,0,0,1132

Copyright 1999-2001, Intel Corporation

Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Path: C:\WINDOWS\system32\igfxtray.exe


# HotKeysCmds

 

hkcmd.exe

hkcmd Module

Version: 7,0,0,1132

Copyright 1999-2001, Intel Corporation

Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Path: C:\WINDOWS\system32\hkcmd.exe


# LXSUPMON

 

LXSUPMON.EXE RUN

Supplies Monitor

Version: 2.2.64.1

Copyright © 2000

Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Path: C:\WINDOWS\System32\LXSUPMON.EXE RUN


# SmartSync

 

SmartSync.exe

SmartSync MFC Application

Version: 1, 0, 0, 1

Copyright © 2000

Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Path: C:\Program Files\OrganizerLink\SmartSync.exe


# TkBellExe

 

realsched.exe -osboot

RealNetworks Scheduler

Version: 0.1.0.1622

Copyright © RealNetworks, Inc. 1995-2002

Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Path: C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot


# gjderzzrri

 

qkcxsipk.exe

Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Path: C:\WINDOWS\system32\qkcxsipk.exe


# WinPatrol

 

WinPatrol.exe

WinPatrol By BillP Studios

Version: 7.0.1.0

Copyright © 1997- 2004 BillP Studios

Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Path: C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe


# MSMSGS

 

msmsgs.exe /background

Messenger

Version: Version 4.7

Copyright © Microsoft Corporation 1997-2003

Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Path: C:\Program Files\Messenger\msmsgs.exe /background


# MoneyAgent

 

Money Express.exe

Microsoft Money Express

Version: 8.00.0731

Copyright © Microsoft Corp. 1990-1999. All rights reserved.

Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Path: C:\Program Files\Microsoft Money\System\Money Express.exe


# SpywareGuard

 

sgmain.exe

SpywareGuard

Version: 2.02.0001

Copyright © 2002-2003 Javacool Software LLC

Location: Windows Startup Group

Path: C:\Program Files\SpywareGuard\sgmain.exe


Bump. While I've been waiting (which I know you guys have a lot of work to do), I've been setting up my comp to keep it from being hijacked by following your instructions.

 

I installed Mozilla and found I don't like it very much, so I decided to set IE up. One thing is I can't download Sun Java because it costs money, and I can't get NOD32 for the same reason. Also, when I was setting up the things where you get the choices of enable/disable/prompt, a lot of my stuff said enable instead of prompt, and I'm guessing the people we sent our comp to set it like that (we sent it to these people because we had multiple viruses and spyware). So anyway, please reply to my posts as soon as possible.


Please post a followup Hijack this log so we can see what's happening.

 

A good antivirus program is AVG Free edition, from .

 

The Sun Java installer is free; what you may have been looking at was the full package!


Logfile of HijackThis v1.97.7

Scan saved at 7:45:00 PM, on 6/9/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\System32\LXSUPMON.EXE

C:\PROGRA~1\ORGANI~1\SmartSync.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\qkcxsipk.exe

C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

C:\Documents and Settings\Tanner Flatland\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.e4me.com/

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN

O4 - HKLM\..\Run: [smartSync] C:\PROGRA~1\ORGANI~1\SmartSync.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [gjderzzrri] C:\WINDOWS\System32\qkcxsipk.exe

O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...dir_Alt_Pub.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) -

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7967.6182638889

O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion....bio5_3_16_0.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{B47AC074-394C-4675-A6B0-033B3C84A140}: NameServer = 64.33.128.10 209.143.0.10


Bump.

Please reply. I know you have been very busy, but please reply as soon as possible. I just need to know how to delete

 

C:\WINDOWS\System32\qkcxsipk.exe

Thanks for all your help again.


Just curious: should I go to Windows Task Manager and end qkcxsipk.exe, because it shows it as a process?

 

I have not had any problems with the homepage anymore. I just want to know if someone has a link to the free Sun Java, and if I should not have changed all those security settings on IE like the FAQ told me to, because a couple of months ago we sent our comp in because it was acting funny (turned out we had 3 viruses and MANY spyware), and every security setting the FAQ told me to put on prompt was actually on enable.

 

But anyway, please help as soon as possible. I know you all are very busy helping as many as you can and I respect that, so whenever you can, please reply.


OK, I have finally deleted qkcxsipk.exe. Now I just need to know if I should delete a file called "desktop". It came with my backup files; this is what is in "desktop":

 

[LocalizedFileNames]

Windows Media Player.lnk=@C:\WINDOWS\inf\unregmp2.exe,-4

 

Should I delete it or should I not delete it, that is the question. And if someone can, please post a link to the free Sun Java.


Run Hijack this again, and fix

O4 - HKLM\..\Run: [gjderzzrri] C:\WINDOWS\System32\qkcxsipk.exe

Reboot, and delete the file C:\WINDOWS\System32\qkcxsipk.exe

 

The Sun Java package can be downloaded from

http://java.com/en/download/help/win_manual.jsp

 

The installation of anti-virus software is even more important!

 

Where is this desktop file that concerns you? There are several files of that name in a Windows installation.


Sorry I haven't been replying; I've been at camp for a week.

 

The desktop file isn't a problem anymore.

I did install AVG 6.0 Free Edition.

 

I must have already deleted C:\WINDOWS\System32\qkcxsipk.exe.

 

Here is my new logfile. Thanks for your help.

 

Logfile of HijackThis v1.97.7

Scan saved at 9:06:12 PM, on 6/21/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\System32\LXSUPMON.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\WINDOWS\System32\lexpps.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Documents and Settings\Tanner Flatland\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.e4me.com/

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...dir_Alt_Pub.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) -

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7967.6182638889

O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion....bio5_3_16_0.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{B47AC074-394C-4675-A6B0-033B3C84A140}: NameServer = 64.33.128.10 209.143.0.10


What file is reported by AVG, and where is it?


Here is exactly what it says

 

Virus

Trojan horse Downloader.Agent.AS

 

is found in file

C:\System Volume Information\_restore{14659502-6D34-49D9-9E9D-AACE03A0D61B}\RP15\A0003198.exe

 

To remove this virus, please run AVG for Windows

 

So I run AVG and it detects nothing

 

also please tell me if my logfile is clean


To remove that trojan, you must clear all your old restore points.

 

Here's how:

Right-click on the My Computer icon. Select Properties > System Restore tab.

Put a check in the box "Turn off System Restore on all drives" and click Apply.

 

Reboot. That will purge all the restore points and the associated files.

 

Then repeat the above procedure, this time removing the checkmark.

 

Then set a clean restore point.


Thanks. Now can you please check my logfile? I'll post a new, fresher one.

 

Logfile of HijackThis v1.97.7

Scan saved at 3:29:01 PM, on 6/28/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\igfxtray.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\System32\LXSUPMON.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Tanner Flatland\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.e4me.com/

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...dir_Alt_Pub.cab

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7967.6182638889

O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion....bio5_3_16_0.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{B47AC074-394C-4675-A6B0-033B3C84A140}: NameServer = 64.33.128.10 209.143.0.10
