Jump to content


Photo

Hijacked to some generic search page


  • This topic is locked This topic is locked
16 replies to this topic

#1 jackpete

jackpete

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 17 June 2004 - 05:09 PM

Thanks in adavance for your help! Here's my Hijack this log:
Logfile of HijackThis v1.97.7
Scan saved at 2:44:46 PM, on 6/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system32\qttask.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\win32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Washer\washer.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\System32\mrtMngr.EXE
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ERICST~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ERICST~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ERICST~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ERICST~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ERICST~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ERICST~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.1.5.dll
O2 - BHO: (no name) - {54CDA673-E6F2-4F58-AD27-C431433CE465} - C:\WINDOWS\System32\oifid.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\windows\system32\qttask.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [tgcmd] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Washer] c:\Program Files\Washer\washer.exe /0
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\Program Files\EPSON\ESM2\STMS.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 Bugbatter

Bugbatter

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 939 posts

Posted 17 June 2004 - 07:16 PM

Hi, jackpete,
Did you get the latest update from Adaware before you ran it? If not please do so and scan again.
Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
"Unload recognized processes during scanning."
Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
"Let Windows remove files in use after reboot."
Press "Scan Now"
Check option "Use Custom scanning options"
Check option "Activate In-Depth Scan"
Press "Select drives\folders to scan"
Select the active partition which is usually C:
Press "Next" to let Ad-aware scan your drives...
If it finds "bad" files and registry keys, press "Next" again
Right-click in that pane and choose "select all"
Press "next"
When it asks to remove all checked items, Press "OK"
Close Ad-aware, reboot your system and go on to the next step below.


Spybot S&D
The download for Spybot S&D is available here: http://www.computerc...s-file-108.html
Install by double-clicking on the downloaded file.
Run Spybot S&D from desktop icon or Start menu.
Press "Search for updates" button to get list of updates available.
Press "Download updates" button.
Close all IE windows and close & restart Spybot S&D.
Press "Check for problems" button.
Have SpyBot remove all it marks in RED by pressing "Fix selected problems".
Close Spybot S&D, reboot your system.


Please Download CoolWebShredder, from
http://www.merijn.or.../cwshredder.zip
http://www.spywarein.../cwshredder.zip
http://computercops....ads-cat-14.html

Extract CWShredder to its own folder,
Reboot in Safe Mode and run the program.
Click the 'Fix ->' button.
Make sure you let it fix all CWS Remnants.
Close the program, reboot, and Post a Fresh HijackThis log.

Then we can see what else needs to be removed.
Microsoft MVP - Consumer Security

#3 jackpete

jackpete

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 18 June 2004 - 02:00 PM

Thanks for replying Bugbatter, you folks are saints!

As instructed, I ran the updated adaware and eliminated the stuff that was found. This seemed to work temporarily as the MSN homepage came up instead of the hijacked page I had been directed to. I then downloaded Spybot but my computer keeps giving me an error message that it couldn;t run it. I ran the CWShredder (not in safe mode, I don't know how to get there). When I rebooted, and brought up IE to get to this board, I had the same old page I had been hijacked to previously. Aargh.

Here is my latest log:
Logfile of HijackThis v1.97.7
Scan saved at 11:53:25 AM, on 6/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system32\qttask.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Desktop Messenger\8876480\Program\backWeb-8876480.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Washer\washer.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\America Online 8.0\aoltray.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Citrix\ICA Client\pn.exe
C:\Program Files\Citrix\ICA Client\Wfcrun32.exe
C:\PROGRA~1\Citrix\ICACLI~1\WFICA32.EXE
C:\Documents and Settings\user\Local Settings\Temp\Temporary Directory 3 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://martfinder.co...ex.htm?aff=6600
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.1.5.dll
O2 - BHO: (no name) - {4602A4DC-1C76-4200-AE6E-BDE166388A26} - C:\WINDOWS\System32\oifid.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\windows\system32\qttask.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [tgcmd] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Washer] c:\Program Files\Washer\washer.exe /0
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\Program Files\EPSON\ESM2\STMS.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#4 Bugbatter

Bugbatter

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 939 posts

Posted 18 June 2004 - 03:20 PM

Still a bunch of nasties in there, but we'll fix them.

Make sure your computer is configured to show all Hidden Files/folders
http://www.xtra.co.n...1916458,00.html

Try booting into Safemode again:
Turn on the computer
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safe Mode and press the <Enter> key.

Please run CWShredder per instructions above, and let it remove whatever it finds.

Reboot. Scan with HJT and post a fresh log.
Then we can do a bit more surgery. ;D
Microsoft MVP - Consumer Security

#5 jackpete

jackpete

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 18 June 2004 - 05:34 PM

Hi Bugbatter-

I'm still redirected to about:blank after running CWS and rebooting. At least this time all it produced was a blank screen and not the normal bogus search screen.

Here is my latest log, thanks again for spending your time on this:

Logfile of HijackThis v1.97.7
Scan saved at 3:27:48 PM, on 6/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system32\qttask.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Desktop Messenger\8876480\Program\backWeb-8876480.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\win32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Washer\washer.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.1.5.dll
O2 - BHO: (no name) - {4602A4DC-1C76-4200-AE6E-BDE166388A26} - C:\WINDOWS\System32\oifid.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\windows\system32\qttask.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [tgcmd] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Washer] c:\Program Files\Washer\washer.exe /0
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\Program Files\EPSON\ESM2\STMS.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#6 Bugbatter

Bugbatter

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 939 posts

Posted 18 June 2004 - 06:28 PM

In IE, set your homepage to whatever you want via Tools>Internet Options

Reboot into Safemode.
Scan with HJT.
Place a checkmark next to these to fix:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {4602A4DC-1C76-4200-AE6E-BDE166388A26} - C:\WINDOWS\System32\oifid.dll (file missing)


These Office and RealPlayer items are optional to check/fix because they are resource hogs as Startup. They can always be opened as needed.
Your choice:
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

After HJT has fixed your selected items, reboot out of Safemode and post a new HJT log.
Microsoft MVP - Consumer Security

#7 jackpete

jackpete

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 18 June 2004 - 07:49 PM

OK...My home page did come up this time... a good sign. I hope this is the end of it, thank you again. Here is my latest log:

Logfile of HijackThis v1.97.7
Scan saved at 5:46:55 PM, on 6/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system32\qttask.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Desktop Messenger\8876480\Program\backWeb-8876480.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\win32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Washer\washer.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\America Online 8.0\aoltray.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\Documents and Settings\User\My Documents\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.1.5.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\windows\system32\qttask.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [tgcmd] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Washer] c:\Program Files\Washer\washer.exe /0
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\Program Files\EPSON\ESM2\STMS.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#8 jackpete

jackpete

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 18 June 2004 - 08:40 PM

Since my last post, I tried going to my home page and was redirected to something called martfinder search...I've been hijacked to this place recently too...apparently I'm not out of the woods yet.

#9 Bugbatter

Bugbatter

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 939 posts

Posted 18 June 2004 - 08:55 PM

Okay, run HJT again and please post a new log so I can see what is happening.
Thanks.
Microsoft MVP - Consumer Security

#10 jackpete

jackpete

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 20 June 2004 - 10:58 AM

The similar things we eliminated before appear to be returning. Here is my latest log:

Logfile of HijackThis v1.97.7
Scan saved at 8:55:54 AM, on 6/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system32\qttask.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Washer\washer.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\America Online 8.0\aoltray.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\program files\support.com\client\bin\tgshell.exe
C:\program files\support.com\client\bin\tgshell.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ERICST~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ERICST~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ERICST~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ERICST~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ERICST~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ERICST~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.1.5.dll
O2 - BHO: (no name) - {2C3E612B-97FE-4194-91B7-79C959844806} - C:\WINDOWS\System32\opmaf.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\windows\system32\qttask.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [tgcmd] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Washer] c:\Program Files\Washer\washer.exe /0
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\Program Files\EPSON\ESM2\STMS.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#11 Bugbatter

Bugbatter

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 939 posts

Posted 20 June 2004 - 12:11 PM

Apparently, this hijacker has a hidden file that is reinfecting you.
Here are some instructions to print. Take a deep breath, and take your time to follow the steps exactly.

Download Reglite from here: http://www.resplende...try/reglite.htm

1. Install "Reglite" and run it, enter HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs into the address bar.
2. Double click on AppInit_DLLs to open a "Data Editor" properties window, if the bottom textfield named "Value" contains a .dll file; then this is the hidden file you need to get rid off.
3. You should not be able to delete this file if you try to clear the value field, IMPORTANT: take note of the path and name of the .dll file. Write it down so you do not forget it.
4. Rename the Folder "Windows" (This is a purple "highlighted" folder in the left hand window) to NOTWINDOWS. Simply click on the folder, click on "Edit" in the menu bar and select "Rename".
5. Click AppInit_DLLs again and clear the value containing the .dll and ok it. This should have removed the .dll
6. Rename the windows folder back to its original name "Windows".
7. Run SpyBot, Ad-Aware and CWShredder
8. Next step will be to remove this dll file so make sure you have it noted down.

Download Killbox from here: http://download.broadbandmedic.com/
Step 1
1. Unzip and start the application
2. Paste in the dir <path and name of dll as found in the appinit value box> i.e C:\Windows\System32\nameofdll.dll
3. Menu Select Action -> Delete on Reboot
4. Select File -> Add file <It should add the path automatically>
5. <Same Window> Select Action -> Process and Reboot
6. If Step 1 didn't work .continue
Step 2
7. Click "Start" => "Run" and type in "cmd" (Without the quotations) and click on "Okay".
8. This will open a command window I will assume you have a basic knowledge of DOS if you have any problems at this point just write back I will outline the commands.
9.Type in dir <path and name of dll as found in the appinit value box> and press "Enter". You should see the name of the file listed.
10. Go to the system32 folder (This is where the .dll file will typically reside) and type attrib -R "nameofdll".dll
11. Carry out Step 1 again
12. Restart your computer in safemode
13. Open cmd window again as before
14. Type dir <path and name of dll as found in the appinit value box> and locate the dll name the dll should now have been removed and will not be listed.
15. While in safe mode run the Adaware (with today's update), Spybot and CWShredder again, just to make sure all traces are gone.
16. Boot up pc as normal and you should be trouble free.



Please delete your temporary files by deleting all files and folders that are in those folders (Do not delete the temp folder itself)
For example:
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, being sure to also select delete all offline content.


After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP System Restore Points:
(Using XP, you must be logged in as Administrator to do this.)
Go to Start>Run and type msconfig Press enter.
When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.
Check the box labeled Turn Off System Restore.

Reboot. Go back in and turn System Restore back on. A new Restore Point will be created.

Please post a fresh HJT log so we can be sure everything is clean.
Microsoft MVP - Consumer Security

#12 jackpete

jackpete

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 20 June 2004 - 07:44 PM

Hello again-

I did everything as instructed, and it appeared as if things were on track as your instructions were very clear. Before doing the system restore stuff I ran HJT again. I noticed that the first R1 item was a familiar sight. This sucker is stubborn. FYI, to log onto this forum I obviously had to get into IE and the standard MSN homepage came up, not the one I've been hijacked to, despite this bug still sitting in the system (as I see it on my log). Very mysterious.

Here you go, and thanks for your assistance, and persistance!

Logfile of HijackThis v1.97.7
Scan saved at 5:38:56 PM, on 6/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system32\qttask.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Desktop Messenger\8876480\Program\backWeb-8876480.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\win32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Washer\washer.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.1.5.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\windows\system32\qttask.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [tgcmd] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Washer] c:\Program Files\Washer\washer.exe /0
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\Program Files\EPSON\ESM2\STMS.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#13 Bugbatter

Bugbatter

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 939 posts

Posted 20 June 2004 - 08:24 PM

So you are getting your desired homepage? If the only problem is that about:blank still shows up in your log, try going into Safemode, running HJT and checking it to be fixed. Let's see if that will take it out.

Reboot into normal mode and please post a new log.
Microsoft MVP - Consumer Security

#14 jackpete

jackpete

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 20 June 2004 - 10:17 PM

Bugbatter,

Methinks thou art a genius. I'm getting my hompage now and there doesn't appear (to my untrained eye) any trace of bad things in the log:

Logfile of HijackThis v1.97.7
Scan saved at 8:15:09 PM, on 6/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system32\qttask.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Desktop Messenger\8876480\Program\backWeb-8876480.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\win32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Washer\washer.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\America Online 8.0\aoltray.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\My Documents\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.1.5.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\windows\system32\qttask.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [tgcmd] "c:\program files\support.com\client\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Washer] c:\Program Files\Washer\washer.exe /0
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: EPSON Background Monitor.lnk = C:\Program Files\EPSON\ESM2\STMS.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#15 Bugbatter

Bugbatter

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 939 posts

Posted 21 June 2004 - 08:40 PM

It looks good. Nice work!
Thanks for the compliment, but the credit should go to the guys who develop the software that cleans out these nasty things.

Now that you are totally clean it would not hurt to flush System Restore one more time.

Here's my standard prevention speech:

1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
. Windows Update: <http://v4.windowsupd...en/default.asp>

2. Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to 'prompt', and 'Initialize and Script ActiveX controls not marked as safe" to 'disable'.

3. Download and install the following free programs:
a. SpywareBlaster: http://www.javacools...areblaster.html
b. IE/Spyad: http://www.staff.uiu...es/resource.htm I also would recommend installing:
c. SpywareGuard: http://www.javacools...ywareguard.html
Periodically check for updates.

4. Keep your anti-virus and firewall updated as well as Adaware and Spybot.

I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.
Microsoft MVP - Consumer Security

#16 jackpete

jackpete

    Member

  • Full Member
  • Pip
  • 9 posts

Posted 22 June 2004 - 10:19 AM

Thanks again. Will do.

#17 dave38

dave38

    Devout Murphyite!

  • Emeritus
  • PipPipPipPipPip
  • 8,508 posts

Posted 03 August 2004 - 02:19 PM

Glad we could help!

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Be wary of strong drink. It may make you shoot at tax collectors, and miss!
Please support SWI forum




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button