Jump to content


Photo

pop ups, favorites, new tool bars OH MY!


  • Please log in to reply
10 replies to this topic

#1 DIGIWIBBS

DIGIWIBBS

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 17 June 2004 - 09:54 PM

Okay first it started with alot of anoying pop ups I ran spybot, ad-aware, spyblaster and CW shreder. they picked up hundreds of things. thought I got rid of it though. come home get onto the internet and all theses favorites get saved on my desk top and favorites pull down and I got "search bar" instaled on the botom of my screan as well as whenusearch and clocksync instaled under programs. this is worse than anything i've had before.

Logfile of HijackThis v1.97.7
Scan saved at 10:45:13 PM, on 6/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\documents and settings\matthew\local settings\temp\aJJQ06.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MProcessor\mprocessor.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\TEMP\Rem1.exe
c:\ClrSchP072.exe
C:\WINDOWS\System32\dp-him.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\WINDOWS\System32\msglifff.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINDOWS\System32\ddecntra.exe
C:\WINDOWS\System32\dgrrdsvr.exe
C:\WINDOWS\System32\PmbcJ.exe
C:\WINDOWS\System32\Ecic2.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\PROGRA~1\WHENUS~1\Search.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\CLOCKS~1\Sync.exe
C:\Documents and Settings\Matthew\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearc.../searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearc.../searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearc.../searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearc.../searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearc.../searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O2 - BHO: (no name) - {DAFA6C74-B4CC-B276-A839-DED4718F0811} - C:\PROGRA~1\STUPID~1\32 ANTI.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Win grim - {B89FADC5-F1CA-B81A-C264-EA04E040F83C} - C:\PROGRA~1\STUPID~1\32 ANTI.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Comcast\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [aJJQ06] C:\documents and settings\matthew\local settings\temp\aJJQ06.exe
O4 - HKLM\..\Run: [Active debug] C:\PROGRA~1\BASHPOLLCURB\Refdownload.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\LvtC.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\Matthew\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [icyxtaloia] C:\WINDOWS\System32\msglifff.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [472i3Fg] ddecntra.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O4 - HKCU\..\Run: [LwtsRPM9e] dgrrdsvr.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: symsupportutil - https://www-secure.s...supportutil.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell...t/TLIEFlash.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

please help this stuff sucks

#2 Mad Max

Mad Max

    SWI Junkie

  • Full Member
  • PipPipPipPip
  • 304 posts

Posted 20 June 2004 - 02:09 PM

Hello DIGIWIBBS.

As you said, you do have some problems.

You have both Peper and Wintools, so let's take care of them first.

What concerns me is that Ad-Aware now targets both Peper and Wintools and both are found in your HJT log. So, it looks like the version you are using is out of date. A simple update for Ad-Aware is all that is required. Please update and run it again.



Spybot S&D is now up to version 1.3 ,so a new download is required,since the version you appear to have is no longer updatable. Please go to the following url and download Spybot S&D 1.3.

http://www.safer-net...hp?page=mirrors

Then please run Spybot S&D again.

Next:
Choose one of these, they are online virus scanners,
run one of them and have them fix anything they find.

Panda
http://www.pandasoftware.com/activescan/co...n_principal.htm

Trend Micro
http://housecall.trendmicro.com/housecall/start_corp.asp

Next:
Go to the following url and get an online Trojan scan.

http://scan.sygatete...trojanscan.html



Then, please run Hijack this again and post a fresh log here.
Mad Max

#3 DIGIWIBBS

DIGIWIBBS

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 21 June 2004 - 02:15 AM

hey Max thanks for getting back to me. I did what you said, but I think I'm still having some problems. Here is my new log:
Logfile of HijackThis v1.97.7
Scan saved at 3:09:15 AM, on 6/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\TrojanHunter 3.8\THGuard.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Common files\WinTools\WSup.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Documents and Settings\Matthew\Desktop\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Comcast\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: symsupportutil - https://www-secure.s...supportutil.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell...t/TLIEFlash.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#4 Mad Max

Mad Max

    SWI Junkie

  • Full Member
  • PipPipPipPip
  • 304 posts

Posted 21 June 2004 - 09:39 PM

Hi DIGIWIBBS.

Like you said, you do still have some problems, but amazingly few.


You are running hijackthis from your desktop, this is not a good idea because when we do a fix hijackthis will create backups and they will be spread all over your desktop. Can you please create a folder in My Documents and call it Hijack (or something similar). Then extract hijackthis into the folder you have created and run it from there. When you have done that, delete the old copy of hijackthis that you have on your desktop.



I still see Wintools in your log. An updated Ad-Aware should have taken care of that, but since it didn't, we'll just have to do it ourselves.

Go to START>RUN then type "services.msc"(no quotes) in the Run box.Then
DISABLE Wintools, or any variation, (WToolsA) etc.that may be present.


Then go to Add/Remove Programs and REMOVE all instances or variations of Wintools. The rest, we'll take care of with HJT,if it is still hanging around.

While still in Add/Remove programs, look for any entries for Virtual Bouncer and Remove that also.

Next:
Close all open Windows and browsers and run Hijack This again and place a check next to each item listed below and press fix. Note that some may be missing due to something else we have done.

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe

-----------------------------------------------------------------------------

Below are user optional items, that can be fixed with HJT, or left on your system,your choice.



O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
BroadJump Client Foundation. Broadband troubleshooting software installed by various companies. Not required and you can remove it via Add/Remove programs

O4 - HKLM\..\Run: [CARPService] carpserv.exe
Associated with Zoltrix modems - enables the internal modem speaker, allowing you to listen to the dial-up sounds for example


O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
Allowing HJT to fix will simply prevent it from starting at boottime and can be started manually if needed.

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
Windows Messenger utility. If you don't use Windows Messenger, this can be annoying. Available via Start -> Programs. Go to Windows Messenger > Tools > Options > Preferences and uncheck "Run this program when Windows starts"


Then reboot into safe mode, you may have to enable hidden files and folders. Delete the following Folders/Files shown as dark:
Some may not be present, due to being deleted by something else we did.

C:\Program Files\Common files\WinTools\WToolsA.exe

C:\Program Files\VBouncer\VirtualBouncer.exe


Then, please run Hijack This again and post a fresh log here, to see if we need to do more.
-----------------------------------------------------------------------------


For your Protection - It is suggested that you download and install:

SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacools...areblaster.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
http://www.staff.uiu...rce.htm#IESPYAD

Both are very small free programs that you run once, and then just occasionally to check for updates.

And also see
So how did I get infected in the first place?
Mad Max

#5 DIGIWIBBS

DIGIWIBBS

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 22 June 2004 - 05:45 PM

hey I followed your directions and i'm still getting these pop ups and stuff and I can tell there is things in the hijack log which i definitely fixed, like virtual bouncer. I keep getting that every time I run Ad-aware too. could I have some kind of Trojan opening all this adware, cause I remember durring the Panda Scan there was one that couldn't be fixed. any way here's my new log Logfile of HijackThis v1.97.7
Scan saved at 6:38:38 PM, on 6/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\TrojanHunter 3.8\THGuard.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\BASHPO~1\Refdownload.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Matthew\Local Settings\Temp\Temporary Directory 22 for HijackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearc...B_PVER}&ar=home
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Win grim - {B89FADC5-F1CA-B81A-C264-EA04E040F83C} - C:\PROGRA~1\STUPID~1\32 ANTI.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Comcast\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
O4 - HKLM\..\Run: [Active debug] C:\PROGRA~1\BASHPO~1\Refdownload.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ist service uninstall] C:\WINDOWS\mstasks2.exe /u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: symsupportutil - https://www-secure.s...supportutil.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell...t/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

I appreciate the help man

#6 Mad Max

Mad Max

    SWI Junkie

  • Full Member
  • PipPipPipPip
  • 304 posts

Posted 25 June 2004 - 05:20 PM

DIGIWIBBS;


Your log seems to be changing oddly and that usually means you are either switching between profiles on your computer, you are editing the log at times or you are disabling and reenabling items in msconfig... Please explain if any of these options apply or what is happening if they don't. We can't fix this unless the platform we are working with is stable. This means that you need to stay in the same profile until we get it sorted out and all items need to be enabled in msconfig.
Mad Max

#7 DIGIWIBBS

DIGIWIBBS

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 26 June 2004 - 10:13 AM

I may have deleted some suspicious items in the log over the course of posting and I keep running the spyware removal programs but that's it.
I appologize if that's made things difficult. I keep getting these pop ups were i shouldn't and my default home page just is not there in internet options. but I have not had any new programs or favorites instaling themselves. I recently ran the trend micro virus scan and there were alot of trojans i don't know maybee they are the problem.

here's my latest log:
Logfile of HijackThis v1.97.7
Scan saved at 11:11:38 AM, on 6/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\TrojanHunter 3.8\THGuard.exe
C:\PROGRA~1\BASHPO~1\Refdownload.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\ipan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\mfcdx32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Matthew\Local Settings\Temp\Temporary Directory 26 for HijackThis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Matthew\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Matthew\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Matthew\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Matthew\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Matthew\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Matthew\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {84B24A78-E175-AED1-512C-CFF226F9C0DB} - C:\WINDOWS\system32\ntuj.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Comcast\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
O4 - HKLM\..\Run: [Active debug] C:\PROGRA~1\BASHPO~1\Refdownload.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ipan.exe] C:\WINDOWS\ipan.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: symsupportutil - https://www-secure.s...supportutil.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell...t/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Thanks man I appreciate the help.

#8 Mad Max

Mad Max

    SWI Junkie

  • Full Member
  • PipPipPipPip
  • 304 posts

Posted 27 June 2004 - 06:30 PM

DIGIWIBBS; Your most recent log has a new and even more destructive infection.
The fix for this particular CWS Variant requires your machine to be totally clear of all other infections before the fix is able to be used. What I would ask you to do is as follows.

Please print this, so you will have these instructions to refer to.

I would suggest you use the following link to get another Trojan Scan and let it fix what it suggests.
http://scan.sygatete...trojanscan.html

Next:
Go to Ad-Aware:
Please update the reference file following the instructions here:
http://www.lavahelp....dref/index.html

Reconfigure Ad-Aware for Full Scan:
Launch the program, and click on the Gear at the top of the start screen.

Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard drives.

Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.

Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
Please make sure that you activate IN-DEPTH scanning before you proceed.
Run Ad-Aware and allow it to remove everything it finds and then REBOOT to allow it to finish.

Next:
You have moved Hijack This from your Desktop,but instead of moving it as I suggested, to your my Documents Folder, you moved it to a temporary folder, where the files can be easily lost. Please follow my previous suggestion as to where to move the HJT files, so the backups will be secure.
Failing to do so could cause serious problems,should you need to replace a deleted file and no backups are available. You really don't want that.

Next:
Please run Hijack This and
Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browsers and all Explorer windows are closed before fixing.

Note that some may not be here due to being removed by a previous action.

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Active debug] C:\PROGRA~1\BASHPO~1\Refdownload.exe
O4 - HKLM\..\Run: [ipan.exe] C:\WINDOWS\ipan.exe

Next, make sure you have Set Windows to show Hidden Files & Folders, then reboot into safe mode and find then delete the following in bold:
Be sure to first close all open Windows and browsers.


C:\PROGRA~1\BASHPO~1\Refdownload.exe
C:\WINDOWS\ipan.exe

Then, run Hijack This and post a fresh log here.

After posting the log, please do not surf the internet. We will check your log as quickly as possible and reply to you with further recommendations.
This is necessary because the fix for the variant of CWS infecting your machine will not work if any other infections are present and if you surf the net before completing these tasks as outlined you are sure to pick up additional infections.
Thank you for your continued cooperation.

Mad Max

#9 DIGIWIBBS

DIGIWIBBS

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 30 June 2004 - 08:29 AM

Alright I followed your directions and I think I got HJT in the right folder now. The Trojan scan found something but I don't think it actualy removed anything. I still got some of these pop ups comming to this site. Any way Here's my new log:

Logfile of HijackThis v1.97.7
Scan saved at 9:20:17 AM, on 6/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\TrojanHunter 3.8\THGuard.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\rundll32.exe
C:\Documents and Settings\Matthew\My Documents\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Comcast\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-aware.exe" +c
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ipan.exe] C:\WINDOWS\ipan.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: symsupportutil - https://www-secure.s...supportutil.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell...t/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

and thanks again for the help.

#10 Mad Max

Mad Max

    SWI Junkie

  • Full Member
  • PipPipPipPip
  • 304 posts

Posted 01 July 2004 - 01:02 PM

DIGIWIBBS;
SORRY, NEW INFORMATION --THIS FIX WILL NOT WORK FOR THIS VARIANT OF CWS. STAND BY FOR ADDITIONAL POST.


Next:
You might try the Google Toolbar for those popup problems. Take the time to configure it properly and it works great. It practically dissapears into your Windows toolbar and has a built in search window, which you will find is very handy when researching logs. Welcome to Boot Camp.
You might also like to try HJT Hotkeys.Find it at Net Integration.See link.
http://forums.net-integration.net/ Just got it myself.

Next:

Could you check the properties on this one and let us know what it says.
O4 - HKLM\..\Run: [ipan.exe] C:\WINDOWS\ipan.exe

To check a files properties, you Right click on the file and select "Properties". This will sometimes give you information such as the size, attributes,version number and often the maker.
From this you can often determine if it is good. If it doesn't tell you who made it and you can't find it in Google, it is probably bad.

Next:
Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browsers and all Windows Explorer windows are closed before fixing.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

Then, run Hijack this and send a new log here to see if we need do anything further and to tell us of any problems you may be having.

Edited by Mad Max, 01 July 2004 - 03:26 PM.

Mad Max

#11 Mad Max

Mad Max

    SWI Junkie

  • Full Member
  • PipPipPipPip
  • 304 posts

Posted 01 July 2004 - 09:29 PM

DIGIWIBBS;Lets go with this fix for the CWS. It is what a resident expert recommends. Seems CWShredder has been updated to hopefully fix this variant.

Please Download CWShredder from this link, then WITHOUT FAIL, UPDATE IT. HERE and run the Program. Press the "Fix Button". Let it fix all variants.

Next:
You might try the Google Toolbar for those popup problems. Take the time to configure it properly and it works great. It practically dissapears into your Windows toolbar and has a built in search window, which you will find is very handy when researching logs. Welcome to Boot Camp.
You might also like to try HJT Hotkeys.Find it at Net Integration.See link.
http://forums.net-integration.net/ Just got it myself.

Next:

Could you check the properties on this one and let us know what it says.
O4 - HKLM\..\Run: [ipan.exe] C:\WINDOWS\ipan.exe

To check a files properties, you Right click on the file and select "Properties". This will sometimes give you information such as the size, attributes,version number and often the maker.
From this you can often determine if it is good. If it doesn't tell you who made it and you can't find it in Google, it is probably bad.

Next:
Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browsers and all Windows Explorer windows are closed before fixing.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

Then, run Hijack this and send a new log here to see if we need do anything further and to tell us of any problems you may be having.
Mad Max




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button