• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
    • Budfred

      PLEASE READ - Reversing upgrade   02/23/2017

      We have found that this new upgrade is somewhat of a disaster.  We are finding lots of glitches in being able to post and administer the forum.  Additionally, there are new costs associated with the upgrade that we simply cannot afford.  As a result, we have decided to reverse course and go back to the previous version of our software.  Since this will involve restoring it from a backup, we will lose posts that have been added since January 30 or possibly even some before that.    If you started a topic during that time, we urge you to make backups of your posts and you will need to start the topics over again after the change.  You can simply paste the copies of your posts that you created at that point.    If you joined the forum this month, you will need to re-register since your membership will be lost along with the posts.  Since you have a concealed password, we cannot simply restore your membership for you.   We are going to backup as much as we can so that it will reduce inconvenience for our members.  Unfortunately we cannot back everything up since much will be incompatible with the old version of our software.  We apologize for the confusion and regret the need to do this even though it is not viable to continue with this version of the software.   We plan to begin the process tomorrow evening and, if it goes smoothly, we shouldn't be offline for very long.  However, since we have not done this before, we are not sure how smoothly it will go.  We ask your patience as we proceed.   EDIT: I have asked our hosting service to do the restore at 9 PM Central time and it looks like it will go forward at that time.  Please prepare whatever you need to prepare so that we can restore your topics when the forum is stable again.
Sign in to follow this  
Followers 0
bluedonut

Multiple Serious Injuries (to my computer)

11 posts in this topic

Hi,

 

I have read the faqs and tried to implement the suggested solution in the browser hijacking article posted on this website - but i didn't understand anything after step 2 or so. I have also tried spybot, ad-aware, etc, but they did not work.

 

The problems on my computer are as follows:

 

(1) homepage has been hijacked to "search.cc"

(2) un-deletable bookmark in favourites folder, which leads to a porn site "pretty teens"

(3) sometimes i cannot type anything into internet search fields, eg google. If i manage to type something it is as though the _shift_ or CAPSLOCK keys are operative even though they are not

(4) numerous pop-ups when IE is not running

(5) even more pop-ups when IE is running

(6) when i scroll my mouse wheel in IE, it sometimes moves me one page back or one page forward - it is as though i am pressing the back button in my browser. alternatively it makes all the font sizes in IE increase or decrease.

(7) it always seems that the Network Connection icon in the systray is blinking and sending data somewhere even though IE or Outlook (the only two programs that i run which would require the internet) are not running. when this happens, everything freezes - keyboard becomes inactive, my mouse doesn't work, etc. after 10 seconds or so my keyboard and mouse become active again, only for the problem in (3) to occur.

 

because of the above problems i am taking really long to type this post...

 

As you would be able to tell, i'm fried. Therefore, i would be eternally indebted if someone could help!

 

 

 

Here is my HijackThis log:

 

Logfile of HijackThis v1.97.7

Scan saved at 16:42:32, on 15/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Canon\VDC\AuVdc.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\QCONSVC.EXE

C:\WINDOWS\System32\tp4serv.exe

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe

C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\WINDOWS\AGRSMMSG.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Common files\updmgr\updmgr.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe

C:\WINDOWS\System32\QbmthZyH.exe

C:\WINDOWS\System32\VwgeT7AL.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE

C:\Program Files\Microsoft Office\Office10\WINWORD.EXE

C:\Documents and Settings\Daryl Ong\Desktop\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://nkvd.us (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nkvd.us (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us (obfuscated)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://nkvd.us (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://nkvd.us (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://nkvd.us (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://nkvd.us (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://nkvd.us (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)

O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll

O4 - HKLM\..\Run: [s3TRAY2] S3Tray2.exe

O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

O4 - HKLM\..\Run: [bMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

O4 - HKLM\..\Run: [bCONSET] regedit /s "C:\Program Files\ThinkPad\ConnectUtilities\bconprof.reg"

O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe

O4 - HKLM\..\Run: [TP4EX] tp4ex.exe

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [sysService32] C:\WINDOWS\systask32l.exe

O4 - HKLM\..\Run: [3SAHCS#4MABT@T] C:\WINDOWS\System32\AozDF.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Create Mobile Favorite (HKLM)

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O13 - DefaultPrefix: http://%6E%6B%76%64%2E%75%73/

O13 - WWW Prefix: http://%6E%6B%76%64%2E%75%73/

O13 - Home Prefix: http://%6E%6B%76%64%2E%75%73/

O13 - Mosaic Prefix: http://%6E%6B%76%64%2E%75%73/

O16 - DPF: {26BFFB87-5B07-4611-82BB-AF3947013FDD} (DAPCtl Class) - http://www.lexis.com/dl/IEDAP.cab

O16 - DPF: {91BE8DAC-957E-416C-B735-E2B63CDB915B} - http://www.myemessenger.com/activex/MyEMes...etupProject.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7864.8894675926

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vs...03C00/setup.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{0B13CD7C-58C9-4F73-AE2E-C33E65A4B497}: Domain = Daryl

O17 - HKLM\System\CCS\Services\Tcpip\..\{0B13CD7C-58C9-4F73-AE2E-C33E65A4B497}: NameServer = 202.56.128.30,202.56.128.158

O17 - HKLM\System\CS1\Services\Tcpip\..\{0B13CD7C-58C9-4F73-AE2E-C33E65A4B497}: Domain = Daryl

O17 - HKLM\System\CS1\Services\Tcpip\..\{0B13CD7C-58C9-4F73-AE2E-C33E65A4B497}: NameServer = 202.56.128.30,202.56.128.158

 

 

 

 

 

Thank you so much.

Share this post


Link to post
Share on other sites

BUMP

 

Please help...

 

I wonder how come some of those who posted their problems after me got some attention first.

 

Feeling like a spammer, clogging up space.

 

Popups are coming up as i type.

Share this post


Link to post
Share on other sites

Please download CWShredder

This was written to deal with Coolweb and all its variants.

 

Download and run the program. Let it fix everything it finds, and reboot.

 

Run Hijack this again, and post a fresh log so we can deal with whatever is left.

Share this post


Link to post
Share on other sites

Thank you!!

 

the hijacking of my homepage is over, but my computer still has the thing where it freezes occasionally and acts as though the _shift_ or CAPSLOCK keys are operative even though they're not. this happens once every 5 minutes or so when my browser, IE, is open.

 

Also, my computer seems to be cured of having popups when IE is not running.

 

However, the moment i open IE, it seems to want to load a popup. loading any other page is impossible in the meantime, until the new popup window appears. the popup destination varies from time to time.

 

Thank you once again!

 

As requested, here is my logfile: is my computer okay?

 

Logfile of HijackThis v1.97.7

Scan saved at 16:47:51, on 21/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Canon\VDC\AuVdc.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINDOWS\System32\QCONSVC.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\tp4serv.exe

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe

C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe

C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\WINDOWS\AGRSMMSG.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Common files\updmgr\updmgr.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\Hdh0MJds.exe

C:\WINDOWS\System32\QbmthZyH.exe

C:\ANTI MALAWARE\HijackThis.exe

 

O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [s3TRAY2] S3Tray2.exe

O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

O4 - HKLM\..\Run: [bMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

O4 - HKLM\..\Run: [bCONSET] regedit /s "C:\Program Files\ThinkPad\ConnectUtilities\bconprof.reg"

O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe

O4 - HKLM\..\Run: [TP4EX] tp4ex.exe

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [sysService32] C:\WINDOWS\systask32l.exe

O4 - HKLM\..\Run: [3SAHCS#4MABT@T] C:\WINDOWS\System32\Xek8.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Create Mobile Favorite (HKLM)

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {26BFFB87-5B07-4611-82BB-AF3947013FDD} (DAPCtl Class) - http://www.lexis.com/dl/IEDAP.cab

O16 - DPF: {91BE8DAC-957E-416C-B735-E2B63CDB915B} - http://www.myemessenger.com/activex/MyEMes...etupProject.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7864.8894675926

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vs...03C00/setup.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{0B13CD7C-58C9-4F73-AE2E-C33E65A4B497}: Domain = Daryl

O17 - HKLM\System\CCS\Services\Tcpip\..\{0B13CD7C-58C9-4F73-AE2E-C33E65A4B497}: NameServer = 202.56.128.30,202.56.128.158

O17 - HKLM\System\CS1\Services\Tcpip\..\{0B13CD7C-58C9-4F73-AE2E-C33E65A4B497}: Domain = Daryl

O17 - HKLM\System\CS1\Services\Tcpip\..\{0B13CD7C-58C9-4F73-AE2E-C33E65A4B497}: NameServer = 202.56.128.30,202.56.128.158

Share this post


Link to post
Share on other sites

You have the Peper trojan, which requires special treatment to put it out of your misery!

Please download and run this uninstaller.

 

Click on the peperfix link, and download the program. Then go off line, and run the program. It will remove the files, leaving one orphaned entry to be cleaned up with Hijack this.

Share this post


Link to post
Share on other sites

Hi,

 

I have done as you said, downloaded and ran the peperfix program, rebooted. Immediately ran HJT after reboot, and here is my log.

 

IE appears to be working properly now (no popup when first running IE), thanks a bunch!!

 

Could you confirm whether my computer's totally okay now? thanks!!

 

btw what does the peper trojan do and how would i have gotten it? I would like to avoid making the same mistake!

 

Logfile of HijackThis v1.97.7

Scan saved at 10:40:45, on 22/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Canon\VDC\AuVdc.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINDOWS\System32\QCONSVC.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\tp4serv.exe

C:\WINDOWS\System32\rundll32.exe

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe

C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\WINDOWS\AGRSMMSG.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Common files\updmgr\updmgr.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe

C:\ANTI MALAWARE\HijackThis.exe

 

O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [s3TRAY2] S3Tray2.exe

O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

O4 - HKLM\..\Run: [bMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

O4 - HKLM\..\Run: [bCONSET] regedit /s "C:\Program Files\ThinkPad\ConnectUtilities\bconprof.reg"

O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe

O4 - HKLM\..\Run: [TP4EX] tp4ex.exe

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [sysService32] C:\WINDOWS\systask32l.exe

O4 - HKLM\..\Run: [3SAHCS#4MABT@T] C:\WINDOWS\System32\Xek8.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Create Mobile Favorite (HKLM)

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {26BFFB87-5B07-4611-82BB-AF3947013FDD} (DAPCtl Class) - http://www.lexis.com/dl/IEDAP.cab

O16 - DPF: {91BE8DAC-957E-416C-B735-E2B63CDB915B} - http://www.myemessenger.com/activex/MyEMes...etupProject.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7864.8894675926

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vs...03C00/setup.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{0B13CD7C-58C9-4F73-AE2E-C33E65A4B497}: Domain = Daryl

O17 - HKLM\System\CCS\Services\Tcpip\..\{0B13CD7C-58C9-4F73-AE2E-C33E65A4B497}: NameServer = 202.56.128.30,202.56.128.158

O17 - HKLM\System\CS1\Services\Tcpip\..\{0B13CD7C-58C9-4F73-AE2E-C33E65A4B497}: Domain = Daryl

O17 - HKLM\System\CS1\Services\Tcpip\..\{0B13CD7C-58C9-4F73-AE2E-C33E65A4B497}: NameServer = 202.56.128.30,202.56.128.158

Share this post


Link to post
Share on other sites

Just a few remnants to clear out!

 

Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)

 

O4 - HKLM\..\Run: [sysService32] C:\WINDOWS\systask32l.exe

O4 - HKLM\..\Run: [3SAHCS#4MABT@T] C:\WINDOWS\System32\Xek8.exe

O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe

Reboot and delete

 

files

C:\WINDOWS\systask32l.exe

C:\WINDOWS\System32\Xek8.exe

 

folders

C:\Program Files\Common files\updmgr

 

These may be hidden files. See HERE for how to show hidden files.

Share this post


Link to post
Share on other sites

Hi,

 

I didn't manage to find the files that you asked me to delete in the folders which you mentioned.

 

So, I did a search but i only managed to find the Xek8.exe file in a different folder(C:\!Peperfix) - and I deleted it. Did not find the systask32l.exe file anywhere on my hard drive.

 

My comp seems to be relatively fixed! Yay!

 

Here is my HJT log after the steps taken:

 

Logfile of HijackThis v1.97.7

Scan saved at 10:13:34, on 24/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Canon\VDC\AuVdc.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

C:\WINDOWS\System32\QCONSVC.EXE

C:\WINDOWS\System32\tp4serv.exe

C:\WINDOWS\System32\rundll32.exe

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\WINDOWS\AGRSMMSG.exe

C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe

C:\ANTI MALAWARE\HijackThis.exe

 

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O4 - HKLM\..\Run: [s3TRAY2] S3Tray2.exe

O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

O4 - HKLM\..\Run: [bMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

O4 - HKLM\..\Run: [bCONSET] regedit /s "C:\Program Files\ThinkPad\ConnectUtilities\bconprof.reg"

O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe

O4 - HKLM\..\Run: [TP4EX] tp4ex.exe

O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Create Mobile Favorite (HKLM)

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {26BFFB87-5B07-4611-82BB-AF3947013FDD} (DAPCtl Class) - http://www.lexis.com/dl/IEDAP.cab

O16 - DPF: {91BE8DAC-957E-416C-B735-E2B63CDB915B} - http://www.myemessenger.com/activex/MyEMes...etupProject.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7864.8894675926

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vs...03C00/setup.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{0B13CD7C-58C9-4F73-AE2E-C33E65A4B497}: Domain = Daryl

O17 - HKLM\System\CCS\Services\Tcpip\..\{0B13CD7C-58C9-4F73-AE2E-C33E65A4B497}: NameServer = 202.56.128.30,202.56.128.158

O17 - HKLM\System\CS1\Services\Tcpip\..\{0B13CD7C-58C9-4F73-AE2E-C33E65A4B497}: Domain = Daryl

O17 - HKLM\System\CS1\Services\Tcpip\..\{0B13CD7C-58C9-4F73-AE2E-C33E65A4B497}: NameServer = 202.56.128.30,202.56.128.158

 

Would be immensely grateful if you could let me know if i'm okay now.

 

Thank you for your help!

Share this post


Link to post
Share on other sites

Nice clean log. Well done.

 

Glad to help!

 

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0