Jump to content


Photo

hijacked, tried to fix it but can't figure it out


  • Please log in to reply
8 replies to this topic

#1 VaderLives

VaderLives

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 14 June 2004 - 03:10 PM

I'm having the problem it seems everyone else is having: the hijacked browser, home page set to about:blank, lots of pop ups, google searches redirected to search-to-find.com, etc. Randomly named dlls are being generated in my system folders every time I reboot. Stuff that I'm sure you hear about constantly. I tried to fix it on my own using reglite and such, but here's where I'm having a problem. Under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\Currentversion\windows directory, the AppInit_Dlls key isn't there, and I can't find it anywhere. Maybe my problem is being caused by something different, I don't know. That's why I've come to you.

Any help is, of course, greatly appreciated. Oh, and feel free to treat me like I don't know how to do anything when you try to help me fix this, so as to be sure I don't do anything wrong.

Attached is my HJT log file. I'm leaving for work shortly and am going to shut the computer off, so if it should change when I turn it back on tonight I'll post an updated log.

Thanks in advance,
Alex

Logfile of HijackThis v1.97.7
Scan saved at 4:01:32 PM, on 6/14/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\S3apphk.exe
C:\WINDOWS\sysrf.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\kdx\KHost.exe
C:\WINDOWS\d3fj32.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\America Online 7.0\waol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\skqdt.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://skqdt.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://skqdt.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\skqdt.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://skqdt.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\skqdt.dll/sp.html#37049
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {6F9CD290-449C-DBE4-621A-E7E113A0EE2F} - C:\WINDOWS\system32\netia.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [d3fj32.exe] C:\WINDOWS\d3fj32.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: MktBrowser (HKLM)
O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.ma...ector/swdir.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {32634F75-03FF-11D4-B346-00C04FA06E32} - http://betamirror2.l...rnet/lfxplr.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8071.4136921296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0C4FE6D8-B549-4BE7-8564-CA798E1968E9}: NameServer = 205.188.146.146
O17 - HKLM\System\CCS\Services\Tcpip\..\{A294EBDE-9C80-4B68-B727-DCFB50C5EE9A}: NameServer = 128.118.25.3,130.203.1.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{0C4FE6D8-B549-4BE7-8564-CA798E1968E9}: NameServer = 205.188.146.146

#2 VaderLives

VaderLives

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 15 June 2004 - 11:19 AM

Can anyone please help me? I'm at a total loss here.

Oh, and I forgot to mention, every time I run CWShredder it says it keeps removing Winshow. But obviously it's either nor removing it or, more likely, that's not the real problem.

#3 VaderLives

VaderLives

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 15 June 2004 - 04:18 PM

Can someone please look at this?

More weird stuff is happening on my computer now. Whenever I go to shut down it pops up that "end now" window for some program I've never heard of called Win Min, and when I turn it on it says RUNDLL error, can't load bridge.dll or something to that effect. Some of my other programs, including Windows Explorer, are now "encountering errors and have to close." I haven't done anything to my computer (i.e. changing registry files or settings or anything) since I made my first post, so I don't know what's going on.

Can someone PLEASE help me out with this?

Edited by VaderLives, 15 June 2004 - 04:19 PM.


#4 smckillop

smckillop

    Rockin' Apple of SWI

  • Retired Staff - Helper
  • PipPipPip
  • 143 posts

Posted 15 June 2004 - 07:22 PM

Hello VaderLives!

Welcome to the SpywareInfo Forums! I apologize for the delay in getting to your log. I will try and start to clean up your machine. Because of the nature of the malware on your PC, it will probably take many steps to get it all.

Posted Image You have an advanced strain of CoolWebSearch that will take some work to get rid of
  • Start off by Downloading this zip.
    http://tools.zerosrealm.com/pv.zip
  • Please unzip it to the desktop. It will not work if you run it from inside the zip.
  • After unzipped go to the desktop. Open the pv folder. Double click on the runme.bat
  • A dos window will open. Please select option 1 for explorer dll's by typing 1 and then pressing enter.
Posted Image Notepad will open with a log in it. Please copy and paste the log into a reply to this topic.
smckillop
He who has tasted a sour apple, will have the more relish for a sweet one.

If the information I have provided has been helpful, please consider Supporting SpywareInfo

#5 VaderLives

VaderLives

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 15 June 2004 - 09:36 PM

Alright, thanks.

Here we go:

Module information for 'Explorer.EXE'
MODULE BASE SIZE PATH
Explorer.EXE 1000000 1011712 C:\WINDOWS\Explorer.EXE 6.00.2600.0000 (xpclient.010817-1148) Windows Explorer
ntdll.dll 77f50000 692224 C:\WINDOWS\System32\ntdll.dll 5.1.2600.0 (xpclient.010817-1148) NT Layer DLL
kernel32.dll 77e60000 937984 C:\WINDOWS\system32\kernel32.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT BASE API Client DLL
msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.0 (xpclient.010817-1148) Windows NT CRT DLL
ADVAPI32.dll 77dd0000 569344 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.0 (XPClient.010817-1148) Advanced Windows 32 Base API
RPCRT4.dll 78000000 450560 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.109 (xpclnt_qfe.021108-2107) Remote Procedure Call Runtime
GDI32.dll 77c70000 262144 C:\WINDOWS\system32\GDI32.dll 5.1.2600.0 (xpclient.010817-1148) GDI Client DLL
USER32.dll 77d40000 577536 C:\WINDOWS\system32\USER32.dll 5.1.2600.0 (xpclient.010817-1148) Windows XP USER API Client DLL
SHLWAPI.dll 772d0000 405504 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Light-weight Utility Library
SHELL32.dll 773d0000 8339456 C:\WINDOWS\system32\SHELL32.dll 6.00.2600.0000 (xpclient.010817-1148) Windows Shell Common Dll
ole32.dll 771b0000 1114112 C:\WINDOWS\system32\ole32.dll 5.1.2600.118 (xpclnt_qfe.021108-2107) Microsoft OLE for Windows
OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5014.0 Microsoft OLE 3.50 for Windows NT™ and Windows 95™ Operating Systems
BROWSEUI.dll 75f80000 1032192 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Browser UI Library
SHDOCVW.dll 769c0000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Doc Object and Control Library
UxTheme.dll 5ad70000 212992 C:\WINDOWS\System32\UxTheme.dll 6.00.2600.0000 (xpclient.010817-1148) Microsoft UxTheme Library
IMM32.DLL 76390000 106496 C:\WINDOWS\System32\IMM32.DLL 5.1.2600.0 (xpclient.010817-1148) Windows XP IMM32 API Client DLL
LPK.DLL 629c0000 32768 C:\WINDOWS\System32\LPK.DLL 5.1.2600.0 (xpclient.010817-1148) Language Pack
USP10.dll 72fa0000 368640 C:\WINDOWS\System32\USP10.dll 1.0407.2600.0 (xpclient.010817-1148) Uniscribe Unicode script processor
comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 6.0 (xpclient.010817-1148) User Experience Controls Library
comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpclient.010817-1148) Common Controls Library
appHelp.dll 75f40000 118784 C:\WINDOWS\system32\appHelp.dll 5.1.2600.0 (xpclient.010817-1148) Application Compatibility Client Library
CLBCATQ.DLL 76fd0000 491520 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.42
COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.0 (xpclient.010817-1148) Client Side Caching UI
CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent
themeui.dll 5b630000 458752 C:\WINDOWS\System32\themeui.dll 6.00.2600.0000 (xpclient.010817-1148) Windows Theme API
Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.0 (xpclient.010817-1148) Security Support Provider Interface
MSIMG32.dll 76380000 20480 C:\WINDOWS\System32\MSIMG32.dll 5.1.2600.0 (xpclient.010817-1148) GDIEXT Client DLL
USERENV.dll 52880000 667648 C:\WINDOWS\system32\USERENV.dll 5.1.2600.15 (xpclnt_qfe.010827-1803) Userenv
actxprxy.dll 71d40000 110592 C:\WINDOWS\System32\actxprxy.dll 6.00.2600.0000 (XPClient.010817-1148) ActiveX Interface Marshaling Library
msutb.dll 5fc10000 221184 C:\WINDOWS\System32\msutb.dll 5.1.2600.0 (xpclient.010817-1148) MSUTB Server DLL
MSCTF.dll 74720000 307200 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.0 (xpclient.010817-1148) MSCTF Server DLL
netapi32.dll 71c20000 323584 C:\WINDOWS\System32\netapi32.dll 5.1.2600.0 (xpclient.010817-1148) Net Win32 API DLL
LINKINFO.dll 76980000 28672 C:\WINDOWS\System32\LINKINFO.dll 5.1.2600.0 (xpclient.010817-1148) Windows Volume Tracking
ntshrui.dll 76990000 147456 C:\WINDOWS\System32\ntshrui.dll 5.1.2600.0 (xpclient.010817-1148) Shell extensions for sharing
ATL.DLL 76b20000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9238 ATL Module for Windows NT (Unicode)
S3appdll.dll 6b800000 49152 C:\WINDOWS\System32\S3appdll.dll 1.00.05-0315 s3appdll
WINSTA.dll 76360000 61440 C:\WINDOWS\System32\WINSTA.dll 5.1.2600.0 (xpclient.010817-1148) Winstation Library
webcheck.dll 74b30000 266240 C:\WINDOWS\System32\webcheck.dll 6.00.2600.0000 (xpclient.010817-1148) Web Site Monitor
stobject.dll 74b00000 131072 C:\WINDOWS\System32\stobject.dll 5.1.2600.0 (xpclient.010817-1148) Systray shell service object
BatMeter.dll 74af0000 36864 C:\WINDOWS\System32\BatMeter.dll 6.00.2600.0000 (xpclient.010817-1148) Battery Meter Helper DLL
POWRPROF.dll 74ad0000 28672 C:\WINDOWS\System32\POWRPROF.dll 6.00.2600.0000 (xpclient.010817-1148) Power Profile Helper DLL
SETUPAPI.dll 76670000 933888 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows Setup API
WTSAPI32.dll 76f50000 32768 C:\WINDOWS\System32\WTSAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Terminal Server SDK APIs
WINMM.dll 76b40000 180224 C:\WINDOWS\System32\WINMM.dll 5.1.2600.0 (xpclient.010817-1148) MCI API DLL
SYNCOR11.DLL 6bd00000 53248 C:\WINDOWS\System32\SYNCOR11.DLL 1.2.2 SynthCore R2.0 Midi Interface Driver
wdmaud.drv 72d20000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper
msacm32.drv 72d10000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
MSACM32.dll 77be0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft ACM Audio Filter
midimap.dll 77bd0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI Mapper
NETSHELL.dll 75cf0000 1638400 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.0 (xpclient.010817-1148) Network Connections Shell
credui.dll 76c00000 184320 C:\WINDOWS\system32\credui.dll 5.1.2600.0 (xpclient.010817-1148) Credential Manager User Interface
WS2_32.dll 71ab0000 86016 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 32-Bit DLL
WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
iphlpapi.dll 76d60000 86016 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.2 (xpclient.010817-1148) IP Helper API
netman.dll 76de0000 155648 C:\WINDOWS\system32\netman.dll 5.1.2600.0 (xpclient.010817-1148) Network Connections Manager
MPRAPI.dll 76d40000 90112 C:\WINDOWS\system32\MPRAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT MP Router Administration DLL
ACTIVEDS.dll 76e40000 192512 C:\WINDOWS\system32\ACTIVEDS.dll 5.1.2600.0 (xpclient.010817-1148) ADs Router Layer DLL
adsldpc.dll 76e10000 147456 C:\WINDOWS\system32\adsldpc.dll 5.1.2600.0 (xpclient.010817-1148) ADs LDAP Provider C DLL
WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.0 (xpclient.010817-1148) Win32 LDAP API DLL
rtutils.dll 76e80000 53248 C:\WINDOWS\system32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
SAMLIB.dll 71bf0000 69632 C:\WINDOWS\system32\SAMLIB.dll 5.1.2600.0 (xpclient.010817-1148) SAM Library DLL
RASAPI32.dll 76ee0000 225280 C:\WINDOWS\system32\RASAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access API
rasman.dll 76e90000 69632 C:\WINDOWS\system32\rasman.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access Connection Manager
TAPI32.dll 76eb0000 172032 C:\WINDOWS\system32\TAPI32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft® Windows™ Telephony API Client DLL
WZCSvc.DLL 76da0000 196608 C:\WINDOWS\system32\WZCSvc.DLL 5.1.2600.0 (xpclient.010817-1148) Wireless Zero Configuration Service
WMI.dll 76d30000 16384 C:\WINDOWS\system32\WMI.dll 5.1.2600.0 (XPClient.010817-1148) WMI DC and DP functionality
DHCPCSVC.DLL 76d80000 106496 C:\WINDOWS\system32\DHCPCSVC.DLL 5.1.2600.0 (xpclient.010817-1148) DHCP Client Service
DNSAPI.dll 76f20000 151552 C:\WINDOWS\system32\DNSAPI.dll 5.1.2600.0 (xpclient.010817-1148) DNS Client API DLL
CRYPT32.dll 762c0000 565248 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.0 (xpclient.010817-1148) Crypto API32
MSASN1.dll 762a0000 61440 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.0 (XPClient.010817-1148) ASN.1 Runtime APIs
msi.dll 76400000 2076672 C:\WINDOWS\System32\msi.dll 2.0.2600.0 Windows Installer
printui.dll 74b80000 532480 C:\WINDOWS\System32\printui.dll 5.1.2600.0 (XPClient.010817-1148) Print UI DLL
WINSPOOL.DRV 73000000 143360 C:\WINDOWS\System32\WINSPOOL.DRV 5.1.2600.0 (XPClient.010817-1148) Windows Spooler Driver
CFGMGR32.dll 74ae0000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.0 (xpclient.010817-1148) Configuration Manager Forwarder DLL
MPR.dll 71b20000 69632 C:\WINDOWS\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) Multiple Provider Router DLL
fxsst.dll 68df0000 573440 C:\WINDOWS\System32\fxsst.dll 5.2.1776.0 Fax Service
FXSAPI.dll 69010000 458752 C:\WINDOWS\System32\FXSAPI.dll 5.2.1776.0 Microsoft Fax API Support DLL
NTMARTA.DLL 76ce0000 126976 C:\WINDOWS\System32\NTMARTA.DLL 5.1.2600.0 (xpclient.010817-1148) Windows NT MARTA provider
drprov.dll 75f60000 24576 C:\WINDOWS\System32\drprov.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Terminal Server Network Provider
ntlanman.dll 71c10000 53248 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft® Lan Manager
NETUI0.dll 71cd0000 90112 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - GUI Classes
NETUI1.dll 71c90000 245760 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - Networking classes
NETRAP.dll 71c80000 24576 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-1148) Net Remote Admin Protocol DLL
davclnt.dll 75f70000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-1148) Web DAV Client DLL
browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Browser UI Library
WININET.dll 63000000 598016 C:\WINDOWS\system32\WININET.dll 6.00.2600.0001 (xpclnt_qfe.010827-1803) Internet Extensions for Win32
SXS.DLL 75e90000 659456 C:\WINDOWS\System32\SXS.DLL 5.1.2600.0 (xpclient.010817-1148) Fusion 2.5
urlmon.dll 760f0000 491520 C:\WINDOWS\system32\urlmon.dll 6.00.2600.0000 (xpclient.010817-1148) OLE32 Extensions for Win32
DUSER.dll 6c1b0000 274432 C:\WINDOWS\System32\DUSER.dll 5.1.2600.0 (xpclient.010817-1148) Windows DirectUser Engine
MSGINA.dll 75970000 987136 C:\WINDOWS\System32\MSGINA.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT Logon GINA DLL
ODBC32.dll 1f7b0000 200704 C:\WINDOWS\System32\ODBC32.dll 3.520.7713.0 Microsoft Data Access - ODBC Driver Manager
comdlg32.dll 763b0000 282624 C:\WINDOWS\system32\comdlg32.dll 6.00.2600.0000 (xpclient.010817-1148) Common Dialogs DLL
odbcint.dll 1f850000 90112 C:\WINDOWS\System32\odbcint.dll 3.520.7713.0 Microsoft Data Access - ODBC Resources
IDLEPROC.DLL 67f00000 28672 C:\Program Files\America Online 7.0\IDLEPROC.DLL 7.00.000 IDLEPROC DLL
AcroIEHelper.ocx 10000000 32768 C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx 1, 0, 0, 1 AcroIEHelper Module
WINTRUST.dll 76c30000 176128 C:\WINDOWS\System32\WINTRUST.dll 5.131.2600.0 (xpclient.010817-1148) Microsoft Trust Verification APIs
IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.0 (XPClient.010817-1148) Windows NT Image Helper
rsaenh.dll ffd0000 139264 C:\WINDOWS\System32\rsaenh.dll 5.1.2518.0 (main.010714-2114) Microsoft Base Cryptographic Provider
asfsipc.dll 70eb0000 28672 C:\WINDOWS\System32\asfsipc.dll 1.1.00.3917 ASFSipc Object
MSISIP.DLL 605f0000 53248 C:\WINDOWS\System32\MSISIP.DLL 2.0.2600.0 MSI Signature SIP Provider
wshext.dll 74ea0000 65536 C:\WINDOWS\System32\wshext.dll 5.6.0.6626 Microsoft ® Shell Extension for Windows Script Host
MCPS.DLL 365a0000 86016 C:\PROGRA~1\MICROS~4\Office10\MCPS.DLL 10.0.2625 Media Catalog Proxy/Stub
MSVCP60.DLL 76080000 397312 C:\WINDOWS\System32\MSVCP60.DLL 6.00.8972.0 Microsoft ® C++ Runtime Library

#6 smckillop

smckillop

    Rockin' Apple of SWI

  • Retired Staff - Helper
  • PipPipPip
  • 143 posts

Posted 17 June 2004 - 06:54 AM

Hello again VaderLives.

I would like you to perform the following steps to try and clear up your PC.

You may wish to print out a copy of these instructions to follow while you complete this procedure.

Posted Image Perform a free online virus scan.
http://housecall.trendmicro.com

Posted Image Now Reboot your PC into Safe Mode by doing the following:
  • Start Windows, or if it is running, shut Windows down, and then turn off the computer.
  • Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
  • As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.
Posted Image Make sure you are set to Show Hidden Files and Folders:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Posted Image Delete the following files (if they weren't cleaned up by previous processes):
  • C:\WINDOWS\skqdt.dll
  • C:\WINDOWS\system32\netia.dll
  • C:\Program Files\Common files\updmgr\updmgr.exe
  • C:\WINDOWS\d3fj32.exe
Posted Image Delete the following folder (if it wasn't cleaned up by previous processes):
  • C:\Program Files\WildTangent\DDC\
Posted Image You have HijackThis running from your desktop. I ask that you move it into a folder of it's own. HijackThis will create backup files which will become scattered over your desktop if not moved. Close all application and browser windows and run HijackThis.

Click on the Scan button
Put a check beside the following line(s)
  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\skqdt.dll/sp.html#37049
  • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://skqdt.dll/index.html#37049
  • R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://skqdt.dll/index.html#37049
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\skqdt.dll/sp.html#37049
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://skqdt.dll/index.html#37049
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\skqdt.dll/sp.html#37049
  • O2 - BHO: (no name) - {6F9CD290-449C-DBE4-621A-E7E113A0EE2F} - C:\WINDOWS\system32\netia.dll
  • O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
  • O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
  • O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
  • O4 - HKLM\..\Run: [d3fj32.exe] C:\WINDOWS\d3fj32.exe
  • O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
  • O9 - Extra button: MktBrowser (HKLM)
  • O9 - Extra 'Tools' menuitem: MarketBrowser (HKLM)
  • O9 - Extra button: MoneySide (HKLM)
  • O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
  • O16 - DPF: {32634F75-03FF-11D4-B346-00C04FA06E32} - http://betamirror2.l...rnet/lfxplr.cab
You have QuickTime loading at startup which is unnecessary and taking up resources. I recommend letting HijackThis fix it by checking the following:
  • O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
You have RealPlayer loading at startup which is unnecessary and taking up resources, I recommend letting HijackThis fix it by checking the following and disabling the startup option from within RealPlayer:
  • O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
You have the Kontiki Delivery manager installed and loading at startup. This delivery manager is used by some companies to deliver files to your PC. Some experts believe that it sends statistical data back to it's home server. I recommend letting HijackThis fix it by checking the following lines:You have OSA.EXE loading at startup which is resource hog that can be launched manually if it is required. I recommend letting HijackThis fix it by checking the following line:
  • O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
Click on the "Fix Checked" button

Posted Image You are running Wild Tangent. This This application is known to be responsible for startup and shutdown errors. I recommend that you remove it in Add/Remove Programs.


Posted Image Try CWShredder Again.
Download and run http://www.spywarein.../CWShredder.exe from its own folder.
Click Fix and then Next, let it fix everything it asks about.

Posted Image Reboot your PC and reply to this topic with an updated HijackThis log.

Edited by smckillop, 17 June 2004 - 07:00 AM.

smckillop
He who has tasted a sour apple, will have the more relish for a sweet one.

If the information I have provided has been helpful, please consider Supporting SpywareInfo

#7 VaderLives

VaderLives

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 18 June 2004 - 10:08 AM

Ok, I did all of that, and here's my new log. I think the only thing I didn't do was remove Wild Tangent because that runs a lot of games I have on my computer that I really like.

Netia.dll wasn't there.

When I ran the virus scan, it found two things: troj Briss.H in C:\WINDOWS\system32\bridge.dll and troj Briss.A in C:\WINDOWS
system32\jao.dll. Jao.dll it was able to delete, but I couldn't delete bridge.dll until I was in safe mode. But now when I start my computer an error message pops up saying "RUNDLL32 Error loading C:\WINDOWS\system32\bridge.dll. The specified module could not be found."

There were a bunch of other files around all these dll files, including two around the bridge.dll that made me really suspicious: vnmispoisn.exe and vnmispoisn_downloader.exe. But I didn't do anything to them because I don't know what they are.

Oh, and when I ran CWShredder again it said my system was totally clean, but I don't quite think it is. Because something is creating all these bad dll files every time I restart my computer, and I can't figure out what it is, and it would appear that CWS can't detect it.

Anyway, here's my updated hijack this log, and thanks again for helping me.

Logfile of HijackThis v1.97.7
Scan saved at 10:22:52 PM, on 6/17/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\atlvo32.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\S3apphk.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\vnmispoisn_downloader.exe
C:\WINDOWS\d3fj32.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\WINDOWS\System32\vnmispoisn_downloader.exe
C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlgn.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Documents and Settings\Owner\Desktop\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7C18F175-BE9E-C966-1C4E-6EC178BF6CAD} - C:\WINDOWS\system32\winsk.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [searchbar] C:\WINDOWS\System32\vnmispoisn_downloader.exe
O4 - HKLM\..\Run: [mswspl] C:\WINDOWS\System32\vnmispoisn_downloader.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\System32\bridge.dll",Load
O4 - HKLM\..\Run: [d3fj32.exe] C:\WINDOWS\d3fj32.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: winlgn.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.ma...ector/swdir.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8071.4136921296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A294EBDE-9C80-4B68-B727-DCFB50C5EE9A}: NameServer = 128.118.25.3,130.203.1.4

#8 VaderLives

VaderLives

    Member

  • Full Member
  • Pip
  • 18 posts

Posted 21 June 2004 - 09:22 PM

Ok...

So since the server had been down, and I hadn't heard anything for a few days, I did some more stuff on my own.

I ran trojan hunter and fixed up everything it found. Then I did some more research on this Win Min program which I was sure was causing this trouble. I found that a bogus winlgn.exe was created in my startup folder, which, since it was in the startup group, was constantly running and therefore couldn't be deleted until I moved it out of the startup folder and rebooted. So I got rid of that as well.

So now it would appear as though my problems have been solved, since my homepage is no longer being reset, I haven't had any unexpected popups in the last few days, and the win min error no longer occurs at shutdown, but I'm posting my latest log in case you notice anything else I should take care of.

Logfile of HijackThis v1.97.7
Scan saved at 10:12:50 PM, on 6/21/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\S3apphk.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.psu.edu/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.ma...ector/swdir.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8071.4136921296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A294EBDE-9C80-4B68-B727-DCFB50C5EE9A}: NameServer = 128.118.25.3,130.203.1.4

#9 smckillop

smckillop

    Rockin' Apple of SWI

  • Retired Staff - Helper
  • PipPipPip
  • 143 posts

Posted 22 June 2004 - 05:52 AM

Hello VaderLives...

I am extremely sorry that I missed replying to your topic over the weekend. I was away for most of it and just didn't find the time to update your topic. It does appear as though you have removed the malware.

Posted Image Your Operating System and Internet Explorer need patching! Please visit http://windowsupdate.microsoft.com and download all of the critical service packs and updates.

Other than Wild Tangent, which you expressed an interest in keeping in a previous post, you do have 1 additional optional component that you may wish to have HijackThis Fix:

Posted Image You have QuickTime loading at startup which is unnecessary and taking up resources. I recommend letting HijackThis fix it by Scanning with HijackThis, checking the following item, and clicking the Fix button:
  • O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
Posted Image I would recommend looking into the following to try and prevent future infections:

SpywareBlaster doesn't scan and clean for spyware - it prevents it from ever being installed.
http://www.wildersse...areblaster.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
http://www.staff.uiu...rce.htm#IESPYAD

Both are very small free programs that you run once, and then just occasionally to check for updates.

And also see TonyKlein's good advice
So how did I get infected in the first place?


Excellent work!
smckillop
He who has tasted a sour apple, will have the more relish for a sweet one.

If the information I have provided has been helpful, please consider Supporting SpywareInfo




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button