AHH! HjThis Log (Popups, ze63t04.exe, REGSVR32.EXE)


10 replies to this topic

#1 hellomynameis

    Member

  • Full Member
  • 6 posts

Posted 10 June 2004 - 02:56 AM

I'm having major pop up problems. Before the popups fully load, they show the sites that they're loading from. The sites are usually Advertising.com and Doubleclick. I ran Spybot and all that comes up is "DSO Exploit." No Advertising.com or Doubleclick. Spybot can't seem to fix the DSO Exploit problem because it keeps showing up after repeated scans.

Another problem is Avenue A Inc. I did the whole Spybot immunization deal and it gives me confirmation alerts asking me if I want to block the download. Is there anyway, other than "block bad downloads silently," to get rid of Avenue A Inc. and stop it from attempting to download onto my computer?

Also, when logging into the computer, the taskbar and the desktop icons don't load. I press CTRL+ALT+DEL and click on TASK MANAGER and in the PROCESSES tab, the app "ze63t04.exe" is running, a program which I'm highly unfamiliar with and isn't usually in my processes list. Also, REGSVR32.exe was in the process list except it was jumping around the whole list. One second, it would be at the bottom of the list. A second later, it would disappear and reappear somewhere else on the list. The only way I can get past this is to log off and log on again. When I checked the process list again the second time, "ze63t04.exe" and "REGSVR32.exe" were nowhere to be found. I tried looking up the ze63t04 app on google but with no results. REGSVR32 got some results but I can't really make sense of it all. So basically, every time I want to log onto the computer, I have to log on, then log off, then log on again.

I'm not sure what could be the problem of that but I think it has something to do with the spyware because these problems hadn't arisen until I began my battle with spyware.

I ran HijackThis and came up with the following:

Logfile of HijackThis v1.97.7
Scan saved at 5:16:13 PM, on 6/9/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\system32\drivers\dcfssvc.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Winamp\Winampa.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Navnt\navapw32.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\gene\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL (file missing)
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {D537A3D0-8C07-4D62-953F-162207F5090D} - C:\WINNT\system32\regsvrac32.dll
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O3 - Toolbar: (no name) - {8A05273A-2EA5-42DE-AA75-59EA7D9D50D7} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Run32dll] c:\winnt\system32\taskmngr.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sngn] C:\WINNT\sngn.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Communicator] C:\Program Files\Lilo & Stitch Fun Pak\Communicator.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
O4 - HKLM\..\RunOnce: [ze63t04.exe] C:\WINNT\system32\ze63t04.exe
O4 - HKCU\..\RunOnce: [ze63t04.exe] C:\WINNT\system32\ze63t04.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\RECYCLER\S-1-5-21-1275210071-507921405-839522115-1001\Dc2160\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Power Search - res://C:\WINNT\Downloaded Program Files\msiets.dll//iemenu
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: Arcade Volleyball Online - http://adenix.net/av/av.cab
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt1_x.cab
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.micr...d/...wmavax.CAB
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...oc...tor/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...talls/yinst.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...d/...mv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...00...taller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...d8...xIE601.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.frightmis...sCamControl.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd.../C...4635532407
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...rt...nstall.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai...10...ontrol.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...oc...wflash.cab
O16 - DPF: {ECF5F2BD-C78B-4C6F-91BB-2A311FCCA4C7} (WTApp Class) - http://www.shockwave...ic/CMonline.dll
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} (ShellInstaller Control) - http://download.budd...llInstaller.cab

If anyone would be so kind as to help me out, I'd be greatly obliged. Thanks in advance.

#2 SpotCheckBilly

    Forum Deity

  • Trusted Advisor
  • 877 posts

Posted 13 June 2004 - 02:58 AM

Hello,

You have several issues to address. First, go to Control Panel=>Add/Remove Programs and look for any of these items:

BuddyLinks
PSDT Messaging Integration
PSD Tools ChannelUp v1.0 (remove only)


If any are present, please uninstall them.

Wild Tangent probably got installed with the Lilo & Stitch Fun Pak. WT is considered by many as foistware, and may not be required to run the Lilo & Stitch Fun Pak. If it is not required, Wild Tangent can be removed via Control Panel.

Now let's clean up your HJT log. HijackThis should not be run from a desktop location. When HijackThis "fixes" problems, it creates a backup file of the modifications it makes. This backup is used if a restore should be needed. Create a folder on the C: drive called C:\HJT. You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT. For detailed instructions, click How to create a new folder on C: Drive.

With HJT in its new location, run a new scan and check-mark the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=

O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL (file missing)
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll (file missing)
O2 - BHO: (no name) - {D537A3D0-8C07-4D62-953F-162207F5090D} - C:\WINNT\system32\regsvrac32.dll
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O3 - Toolbar: (no name) - {8A05273A-2EA5-42DE-AA75-59EA7D9D50D7} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [Run32dll] c:\winnt\system32\taskmngr.exe
O4 - HKLM\..\Run: [sngn] C:\WINNT\sngn.exe
O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
O4 - HKLM\..\RunOnce: [ze63t04.exe] C:\WINNT\system32\ze63t04.exe
O4 - HKCU\..\RunOnce: [ze63t04.exe] C:\WINNT\system32\ze63t04.exe

O8 - Extra context menu item: Power Search - res://C:\WINNT\Downloaded Program Files\msiets.dll//iemenu

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...d8...xIE601.cab
O16 - DPF: {FDDCE9FF-1FC6-413C-80B1-37B101FDA1D4} (ShellInstaller Control) - http://download.budd...llInstaller.cab
O16 - DPF: {ECF5F2BD-C78B-4C6F-91BB-2A311FCCA4C7} (WTApp Class) - http://www.shockwave...ic/CMonline.dll
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildt...rt...nstall.cab

The following entries are OPTIONAL fixes, or known resource hogs, and can contribute to overall computer slowdown. Please read the description following each and check mark for "fixing" (or follow instructions for disabling) according to your needs.

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe" <---Not needed at startup. Available via Start -> Programs. Launch manually when program is to be used.
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime <---Resource Hog. Available via Start=>Programs. Launch manually when program is to be used.
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot <---To disable "tkbell.exe" in the new version (1) Start RealOne Player (2) Tools -> Preferences (3) Automatic services in the Categories pane (4) Uncheck all options and then OK. See thread Here for more info on TKBellExe.
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl <---Not needed at startup. Available via Start=>Programs. Launch manually when program is to be used.
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet <---Not needed at startup. Available via Start=>Programs. Launch manually when program is to be used.
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE <---Resource Hog


Please double check your list and WITH ALL OTHER WINDOWS CLOSED, fix checked, then reboot.

Start your computer in Safe Mode. To start your computer in Safe Mode: please follow these instructions. (Win2000) While in Safe Mode, please delete the following files/folders:

C:\Program Files\Common Files\PSD Tools <---Folder

C:\WINNT\sngn.exe

c:\winnt\system32\taskmngr.exe Note: Be very careful with the spelling, taskmngr, not taskmgr, the legit Windows file.

C:\WINNT\system32\ze63t04.exe

Reboot when finished, then run a new HJT scan and post the results here for me to check.

Once your computer is free of malware I suggest you download Ad-Aware, to add to your anti-malware arsenal.

It is very important to UPDATE the reference files for both Spybot S&D and Ad-Aware before you run them the first time, then frequently thereafter to ensure the very latest in detection and removal. Click here for instructions on updating and how to use these programs.

Running Ad-Aware and SpyBot S&D on a regular basis (I do it twice a week) will go a long way in keeping your computer malware free.

To help prevent further infections, (including Avenue A Inc.), I recommend, and use, SpywareBlaster, and IE-SPYAD. SpywareBlaster blocks bad ActiveX and malevolent cookies. IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Both are very small free programs that you run once, then just update frequently.

Many recommend (as I do) that a firewall should be installed and used. Here are two popular free firewalls.
ZoneAlarm
and
Sygate Personal Firewall.

Also, please see
So how did I get infected in the first place?

George
ChrisRLG's Computer Safety Online

"I was worried 'bout rich and skinny,
'til I wound up poor and fat"
- Delbert McClinton

#3 hellomynameis

    Member

  • Full Member
  • 6 posts

Posted 13 June 2004 - 05:43 AM

I followed your instructions except for the ones that concerned deleting PSD Tools and Buddylink. I deleted those things awhile ago but I guess remnants of them still lingered in the registry.

I'm also having a problem with the following found in the logfile (below):
O4 - HKLM\..\RunOnce: [0uung.exe] C:\WINNT\system32\0uung.exe
O4 - HKCU\..\RunOnce: [0uung.exe] C:\WINNT\system32\0uung.exe

The 0uung.exe file is just some random file. It was created and put in place of the ze63t04.exe, which I deleted. Every time I delete that random file (ze63t04.exe, 0uung.exe, etc), a new random file is created and put in its place. The file doesn't seem to be doing any harm except for what I stated in the first post:

(replace ze63t04.exe with 0uung.exe)
Also, when logging into the computer....then log on again.

I don't know what's been causing this or what keeps installing this random file but if there's a way to stop it, I'd really like to know.

Popups are still a problem. :grrr:


Logfile of HijackThis v1.97.7
Scan saved at 3:39:42 AM, on 6/13/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\AVG6\avgserv.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\system32\drivers\dcfssvc.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Navnt\navapw32.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\gene\Desktop\Comp Cleaner Progs\Bazooka Spyware Scanner\spywarescanner.exe
C:\Documents and Settings\gene\Desktop\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {FA040B34-FBE9-4BEF-9D85-F90BECAACA99} - C:\WINNT\system32\d7fb1y.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKLM\..\RunOnce: [0uung.exe] C:\WINNT\system32\0uung.exe
O4 - HKCU\..\RunOnce: [0uung.exe] C:\WINNT\system32\0uung.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.micr...0367/wmavax.CAB
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7571.4635532407
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai...uditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab
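
As an added example (not code from the thread, from HijackThis, or from the helpers here), the script below does by hand what a triage reader does with the O2/O4 lines posted above: it parses each entry, flags the kinds of item George singled out (targets marked file missing, RunOnce items, random-looking names such as ze63t04 and 0uung, and filenames one or two edits away from a Windows binary, the taskmngr-versus-taskmgr case), and diffs the autorun set between two scans so the renamed RunOnce loader shows up as a removed/added pair. The sample scans are constructed subsets of the first and third logs in this thread; the flagging rules, their thresholds, the short list of imitated binary names and the RECYCLER check are my own heuristics and only mark entries for review (that last check fires on the KODAK updater shortcut, which nobody in the thread calls malicious).

```python
"""Triage helper for HijackThis-style logs: parse O2/O4 entries, flag entries worth a
second look, and diff the autorun set between two scans.  Added example; not part of
the thread or of HijackThis.  Every flagging rule below is a heuristic for review."""
import re
from collections import namedtuple
from pathlib import PureWindowsPath

# Constructed samples: subsets of the first and third logs posted in the thread.
SCAN_1 = r"""
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\Program Files\ClearSearch\CSIE.DLL (file missing)
O2 - BHO: (no name) - {D537A3D0-8C07-4D62-953F-162207F5090D} - C:\WINNT\system32\regsvrac32.dll
O4 - HKLM\..\Run: [Run32dll] c:\winnt\system32\taskmngr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [ze63t04.exe] C:\WINNT\system32\ze63t04.exe
O4 - HKCU\..\RunOnce: [ze63t04.exe] C:\WINNT\system32\ze63t04.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\RECYCLER\S-1-5-21-1275210071-507921405-839522115-1001\Dc2160\7288971\Program\backWeb-7288971.exe
"""
SCAN_2 = r"""
O2 - BHO: (no name) - {FA040B34-FBE9-4BEF-9D85-F90BECAACA99} - C:\WINNT\system32\d7fb1y.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [0uung.exe] C:\WINNT\system32\0uung.exe
O4 - HKCU\..\RunOnce: [0uung.exe] C:\WINNT\system32\0uung.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\RECYCLER\S-1-5-21-1275210071-507921405-839522115-1001\Dc2160\7288971\Program\backWeb-7288971.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<rest>.+)$")
O4_REG_RE = re.compile(r"^(?P<loc>HK[A-Z]+\\\.\.\\Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<target>.*)$")
O4_LNK_RE = re.compile(r"^(?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<target>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$")
IMAGE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|ocx|com|scr))"?', re.I)
# Binaries whose names get imitated (assumption: a short list is enough for this log).
SYSTEM_NAMES = ("taskmgr", "regsvr32", "rundll32", "svchost", "lsass", "winlogon", "services", "explorer")

# kind: "O2"/"O4"; location: e.g. "HKLM\..\RunOnce", "Global Startup" or "BHO"; target: as logged
Entry = namedtuple("Entry", "kind location name target raw")

def parse_log(text):
    """Collect the O2 and O4 entries of a log; other sections (R0, O16, ...) are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, rest = m.groups()
        r = (O4_REG_RE.match(rest) or O4_LNK_RE.match(rest)) if kind == "O4" else (
            O2_RE.match(rest) if kind == "O2" else None)
        if r:
            entries.append(Entry(kind, r.groupdict().get("loc", "BHO"), r.group("name"), r.group("target"), line))
    return entries

def image_path(target):
    """Strip quoting and arguments, keeping only the executable/module path."""
    m = IMAGE_RE.match(target.strip())
    return m.group("path") if m else target.strip()

def image_stem(target):
    return PureWindowsPath(image_path(target)).stem.lower()

def edit_distance(a, b):
    """Levenshtein distance, used to catch taskmngr-vs-taskmgr style lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_random(stem):
    """Digits mixed into the name, as opposed to a trailing number like hpztsb04 or navapw32."""
    core = stem.rstrip("0123456789")
    return len(core) >= 3 and any(c.isdigit() for c in core)

def flag(entry):
    """Reasons an entry deserves a closer look (heuristics, not verdicts)."""
    reasons, path, stem = [], image_path(entry.target), image_stem(entry.target)
    if "(file missing)" in entry.target or "(no file)" in entry.target:
        reasons.append("orphaned entry: target file missing")
    if entry.location.endswith("RunOnce"):
        reasons.append("RunOnce entry that keeps reappearing: being re-created by a loader")
    if looks_random(stem):
        reasons.append(f"random-looking filename '{stem}'")
    if "\\recycler\\" in path.lower():
        reasons.append("runs from under RECYCLER: verify the shortcut target")
    for known in SYSTEM_NAMES:
        if stem != known and len(stem) >= 6 and edit_distance(stem, known) <= 2:
            reasons.append(f"lookalike of Windows binary '{known}'")
    return reasons

def diff_scans(old, new):
    """Entries that appeared in / vanished from the autorun set between two scans."""
    key = lambda e: (e.kind, e.location, e.name.lower(), image_path(e.target).lower())
    old_keys, new_keys = {key(e): e for e in old}, {key(e): e for e in new}
    return ([e for k, e in new_keys.items() if k not in old_keys],
            [e for k, e in old_keys.items() if k not in new_keys])

if __name__ == "__main__":
    first, second = parse_log(SCAN_1), parse_log(SCAN_2)
    print("\n".join(f"[scan 1] {e.name}: {why}" for e in first for why in flag(e)))
    added, removed = diff_scans(first, second)
    print("\n".join(["+ " + e.raw for e in added] + ["- " + e.raw for e in removed]))
```

Run it as-is to print the flagged entries of scan 1 and the +/- diff against scan 2; point parse_log at two full saved logs to compare real scans. Because the diff keys on the image path rather than only the value name, a loader that rewrites itself under a fresh random name shows up as one removed and one added RunOnce entry per hive, which is the pattern described in post #3.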

#4 SpotCheckBilly

    Forum Deity

  • Trusted Advisor
  • 877 posts

Posted 14 June 2004 - 02:23 AM

Hey hellomynameis,

Will get back to you as soon as possible. By the way, when you said

I followed your instructions except for the ones that concerned deleting PSD Tools and Buddylink. I deleted those things awhile ago but I guess remnants of them still lingered in the registry.

I hope you meant uninstalled, not just deleted. :scratchhead:

Back soon,

:D George :cool:

#5 hellomynameis

    Member

  • Full Member
  • 6 posts

Posted 14 June 2004 - 09:17 AM

To SpotCheckBilly:

Well, pretty much deleted. I went to "Add/Remove Programs" and removed PSD Tools from there. I think that's also what I did with Buddylinks.. either that or I just deleted the folder. Either way, they're nowhere to be found on my comp after a gazillion normal/virus/adware/spyware scans.

To Anyone:

When I woke up the computer this morning, a Browser Hijack Blaster alert was on the screen telling me my homepage/searchpage was jacked. It was changed from mail.yahoo.com/google.com to none/none. I tried to change it back but it wouldn't and the alerts kept coming. I was able to fix the problem by just signing off my username and then back on.

When I signed back on, it said some new BHOs. I wasn't sure if they were legit or not but I kept them all. Here's a new HijackThis log.

Logfile of HijackThis v1.97.7
Scan saved at 7:33:28 AM, on 6/14/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\system32\drivers\dcfssvc.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\Program Files\KODAK\KODAK EASYSHARE Software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\pctspk.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Navnt\navapw32.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Browser Hijack Blaster\bhblaster.exe
C:\Documents and Settings\gene\Desktop\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mail.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {FA040B34-FBE9-4BEF-9D85-F90BECAACA99} - C:\WINNT\system32\d7fb1y.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKLM\..\RunOnce: [0uung.exe] C:\WINNT\system32\0uung.exe
O4 - HKCU\..\RunOnce: [0uung.exe] C:\WINNT\system32\0uung.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.micr...0367/wmavax.CAB
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7571.4635532407
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai...uditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macrom...abs/swflash.cab

#6 hellomynameis

    Member

  • Full Member
  • 6 posts

Posted 17 June 2004 - 12:21 AM

bump.

Edited by hellomynameis, 20 June 2004 - 02:41 AM.


#7 hellomynameis

    Member

  • Full Member
  • 6 posts

Posted 24 June 2004 - 04:44 PM

bump

#8 SpotCheckBilly

    Forum Deity

  • Trusted Advisor
  • 877 posts

Posted 30 June 2004 - 02:50 AM

Hey hellomynameis,

You've not been forgotten. I have submitted your post so that others can take a look at it. I will get back to you as soon as I get any pertinent information. :wave:

I am thinking that part of the problem may be due to just deleting folders instead of uninstalling the programs. You're not the only one who has done this, so you're in good company. I am trying to find a (relatively) painless way of finding all the parts that are scattered all over. :eek:

:D George :cool:

#9 hellomynameis

    Member

  • Full Member
  • 6 posts

Posted 30 June 2004 - 10:59 AM

Whew.. thanks. I was kinda feeling lonely for a second there.

#10 SpotCheckBilly

    Forum Deity

  • Trusted Advisor
  • 877 posts

Posted 03 July 2004 - 01:05 AM

Hey hellomynameis,

Can you please update HJT to its newest version (1.98.0)? Then run a new scan and post here.

Thanks much,

:D George :cool:

#11 SpotCheckBilly

    Forum Deity

  • Trusted Advisor
  • 877 posts

Posted 09 July 2004 - 07:11 PM

Hey hellomynameis,

If you haven't already done so, please download and run Ad-Aware. Click here for instructions on updating and using Ad-Aware. If Ad-Aware reports a .dll that it can't fix, make note of it and post here, along with a fresh scan with the updated HJT (V1.98.0).

One of the experts who is assisting me with your problem also suggested you download and run Trojan Hunter (Trial) from http://www.misec.net/trojanhunter/.

There are free online trojan scans at these sites:
Sygate Trojan Scan
and
Trojan Scan

One source of popups that is sometimes overlooked is the messenger service. This service provides the ability to send messages between clients and servers. This service does not need to be running under normal "home" conditions. It is also advisable to make this service go away to avoid the possibility of "net send" messages hitting your computer from the internet. This has nothing to do with MSN Messenger, nor is it "WinPopUp". Note: If you are on a network, you may have to check with your network administrator before disabling this service.

To disable messenger service in Windows 2000:

1. Click Start-> Settings-> Control Panel-> Administrative Tools-> Services
2. Scroll down and highlight "Messenger". Right-click the highlighted line and choose Properties.
3. Click the STOP button.
4. Select Disable or Manual in the Startup Type scroll bar.
5. Click OK.

Safe computing,

George



