Hijack This Log Thread

Alyeska · Post by **Alyeska** » 2004-10-08 07:01pm

Post all "Hijack This" logs for Einhander Sn0m4n to review.

PLEASE PLEASE PLEASE run AdAware, Spybot Search & Destroy and CWS Shredder (see the G&C board FAQ) and reboot before running HiJackThis! This will greatly assist our volunteers.

Once your problem is resolved, please edit your post by posting "Resolved" and remove the HJ! log to reduce clutter in the thread - Phong

Psycho Smiley · Post by **Psycho Smiley** » 2004-10-08 08:57pm

EDIT: Thanks!

Mayabird · Post by **Mayabird** » 2004-10-08 09:47pm

<snip> Resolved

Thanks Alyeska for the sticky, and thanks Einy in advance. This is my first scan, and I don't know what all this is supposed to be. (I'm guessing that the IE stuff needs to die, but I can't just uninstall the entire damn thing because some of my class websites require it to view things.

)

darthdavid · Post by **darthdavid** » 2004-10-08 11:08pm

http://download.weatherbug.com/minibug/ ... taller.cab
Get rid of this right now maya. And anything else with weatherbug in it. It's deamon spawn.

Datana · Post by **Datana** » 2004-10-09 02:25am

Haven't done this in a while -- Ein usually beats me to the punch here. These are based off of a reading of Mayabird's log. I've split these into essential, nonessential, and optional entries. As Weatherbug is involved, please uninstall that and scan with CWShredder, AdAware and Spybot S&D before purging these to make sure your tcpip.sys or hosts file haven't been compromised -- some spyware put hooks into those that a simple Registry purging won't fix.

Kill these wrote:O3 - Toolbar: (no name) - {9F6A22E6-1682-4F82-9B72-6314794CB253} - (no file)
(Invalid entry. Kill it just for bookkeeping's sake.)
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/ ... taller.cab
(You should uninstall Weatherbug entirely. While useful in the past, it's become spyware-ridden and isn't worth the trouble anymore.)
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{16478782-CA26-44CC-BE3F-497F10BC6177}: NameServer = 69.57.146.14
O17 - HKLM\System\CCS\Services\Tcpip\..\{B72E3E19-742E-46AE-B933-5B277216D794}: NameServer = 130.207.52.144,130.207.244.251
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14
O17 - HKLM\System\CS1\Services\Tcpip\..\{16478782-CA26-44CC-BE3F-497F10BC6177}: NameServer = 69.57.146.14
O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.57.146.14
O17 - HKLM\System\CS2\Services\Tcpip\..\{16478782-CA26-44CC-BE3F-497F10BC6177}: NameServer = 69.57.146.14
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.57.146.14
(The above mess is a hijack to route DNS requests through mydomain.com. These are installed as part of an ActiveX browser hijack, based on the 69.57.146.14 address specified here (which is part of a known (and semi-recently fixed) IE exploit). As always, avoid usage of IE unless necessary, which you already seem to know.)

May cause problems if left wrote:O4 - HKLM\..\RunOnce: [WMC_RebootCheck] C:\WINDOWS\inf\unregmp2.exe /FixUps
(This program is used to update Windows Media Player as well as respawn its desktop icon. It's sometimes known to cause problems, especially when it gets corrupted. In most cases, you can safely disable it (but if you use WMP extensively, you can probably leave it alone).)

Reduces clutter wrote:R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS13
(Altavista sidebar; you can keep this if you use it.)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us5.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us5.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us5.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us5.hpwis.com/
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
(Unless you use the HP toolbar, these entries can probably go. Most of these, however (the ones starting with R1), are just sidebar ads and can probably be disposed of regardless.)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
(You should probably uninstall Real and Quicktime and install Real Alternative and Quicktime Alternative instead -- they have a smaller memory footprint, especially for Real Alternative.)

Datana · Post by **Datana** » 2004-10-09 02:36am

Psycho Smiley wrote:Don't think I have any major problems, but what can I kill?

While

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

hogs resources and you can replace Quicktime with QA, it looks to be pretty clean. The changed nameserver entries appear to be a required part of connecting to your university network (University of New Brunswick, right?), so can be left alone.

Einhander Sn0m4n · Post by **Einhander Sn0m4n** » 2004-10-09 04:10am

Wau, looks like this thread's gonna be a popular tourist attraction soon

I better get some blunt wraps and a ton of [###Censored by the U.S Drug Enforcement Administration###]. Anyways...

New Hijackthis Version Here. 1.98.2

http://www.tomcoyote.org/hjt/

Ace Pace · Post by **Ace Pace** » 2004-10-09 04:44am

Einhander Sn0m4n wrote:Wau, looks like this thread's gonna be a popular tourist attraction soon I better get some blunt wraps and a ton of [###Censored by the U.S Drug Enforcement Administration###]. Anyways...

New Hijackthis Version Here. 1.98.2

http://www.tomcoyote.org/hjt/

Whats new about it?

Mayabird · Post by **Mayabird** » 2004-10-09 10:01am

Thanks everybody.

EDIT: Umm, now I have a serious problem here. For some reason, the only website I can access is this one. AIM still works, and I can log on and off here, but I can't do anything else online. No email, no Google, no nothing.

EDIT take 2: Nevermind, I fixed it.

The Aliens · Post by **The Aliens** » 2004-10-09 10:09am

Resolved, thanks! And that log was AFTER SD and AdAware. Four years of IE without a spyware checker will do that to a computer... stupid brother.

Datana · Post by **Datana** » 2004-10-09 01:56pm

The Aliens: The files needed for Internet access (like tcpip.sys) are definitely compromised by spyware. You'll have to run Spybot S&D and AdAware (maybe CWShredder for good measure) to clean those off before proceeding, or you might lose Internet access when you start killing stuff. Also, upgrade to HijackThis! 1.98.2 if you make any future logs. When that's done, do the following (some of these entries should have been removed by the earlier scans, so just remove what's left):

Kill these processes before proceeding wrote:C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
C:\WINDOWS\SYSTEM32\PCS\PCSVC.EXE
C:\WINDOWS\SYSTEM\SSBASED.EXE
(These are spyware processes usually included with player software like PromulGate or P2P software like Kazaa. They will spawn spyware to replace what you kill unless terminated first.)

Kill these wrote:R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\PROGRAM FILES\MYWAY\SRCHASTT\1.BIN\MYSRCHAS.DLL
O2 - BHO: C:\WINDOWS\LBBHO.DLL - {00A867C0-10B2-11D9-8CED-444553540000} - C:\WINDOWS\LBBHO.DLL
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O4 - HKLM\..\Run: [Dpi] C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [SSBASED] C:\WINDOWS\SYSTEM\SSBASED.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net

Strongly recommended to remove wrote:O4 - Startup: iMesh.lnk = D:\Marc's Stuff\imesh\iMeshClient.exe
(iMesh is likely the source of your infection, coming loaded with several pieces of spyware. If you can find a "clean" version (like KaZaA Lite for Kazaa), it would be best, as otherwise, you'll just keep getting re-infested. Kill this entry and do not run the client in the future.)

Possibly not an infection wrote:F1 - win.ini: load=ptsnoop.exe
(ptsnoop.exe is the name of both a type of spyware and the modem driver for PCTel modems. Both add an entry to win.ini to execute, so I can't tease out which is which based on the log. Recommend you scan your system with other software first to find out which it is, though I suspect it's spyware (given you have either a Shark Multimedia or Motorola-based modem, judging by some of the other preloaded software on your system).)

Not important, but frees up resources wrote:O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
(The Office preload stuff doesn't really help Office's load speed at all, and FindFast slows your drive access speed with its constant indexing. Kill these to speed things up slightly.)

KhyronTheBackstabber · Post by **KhyronTheBackstabber** » 2004-10-09 06:22pm

My turn.

Logfile of HijackThis v1.98.2
Scan saved at 5:15:34 PM, on 10/9/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\RXMON9X.EXE
C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\MOTIVEASSISTANT\BIN\MAD.EXE
C:\WINDOWS\SYSTEM\LTMSG.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\HPHMON05.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.5/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.5/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [RxMon] C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon9x.exe
O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\SYSTEM\HPHMON05.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\WingMan Software\lwtest.exe" /detect /quiet /launch "C:\Program Files\Logitech\WingMan Software\lwemon.exe /noui"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
O16 - DPF: {C3EF17D6-2201-11D4-9F0E-00B0D011B1AE} (Communities.com Passport) - http://cartoonorbit.cartoonnetwork.com/ ... rbiter.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.c ... pi_416.dll
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/adobe/ ... index.html
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPUIPROT.DLL

Datana · Post by **Datana** » 2004-10-09 07:23pm

KhyronTheBackstabber: As always, start off with a CWShredder scan, as HijackThis! can't spot CWS very effectively. Looks like you've already run the automated removal tools, however, as there isn't much to be removed from your system and only traces of spyware left.

Certainly, there's more than a fair bit of what I'd consider cruft, but nothing much that's malicious. I'll assume that you know what you're doing and leave those entries out of the list. If you're curious, I'll lay them out, but you can leave most in place for now. I'd just recommend replacing Real Player, as it's a RAM hog.

Kill these wrote:R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.5/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.225.176.5/
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - (no file)

Datana · Post by **Datana** » 2004-10-09 07:39pm

At this point, maybe I should lay out a few basic steps to take before posting HJT! logs, if the mods will allow it. This will reduce repetition of instructions by those of us reading logs and streamline the removal process.

1. Scan your system first with automated removal tools. AdAware and Spybot S&D are good places to start. Each program, however, is limited in what it can remove, so use both.

2. Finish up with CWShredder to remove CoolWebSearch (if present), which is a program that HJT! has difficulties detecting and the other programs are unable to remove. If you can't run CWShredder (it gets closed each time you start it), rename the executable and try again (CoolWebSearch shuts CWShredder down on detection, so if you change the name of the program, it won't see it). As a last resort, this tool is supposed to disable CoolWebSearch's self-protection so you can kill it.

3. Use the most recent version of HijackThis! available. Ein already posted a link with the most recent version as of this writing.

4. Create and post your log here. Someone will be along to deal with what's left shortly.

KhyronTheBackstabber · Post by **KhyronTheBackstabber** » 2004-10-09 08:09pm

Datana wrote:Snip

Thanks. I found some shit earlier that I got rid of, and wanted to make sure I got everything.

Soontir C'boath · Post by **Soontir C'boath** » 2004-10-11 11:10am

Relatively short, but I don't recognize some stuff listed and I didn't see them in the other logs posted here.
Edit: I have done the prerequisites; Spybot, Ad-aware, virus scan, CWS Shredder, the whole shabang.

Edit #2: Thank you, Datana.

Edit #3: Resolved.

Datana · Post by **Datana** » 2004-10-11 11:37am

Soontir C'boath: You're clean. Most of the entries that don't match up with everyone else's are part of EZ Antivirus's preload, which no one else to this point has used (I see mostly Norton and AVG).

Darth Mall · Post by **Darth Mall** » 2004-10-13 09:30pm

Edit: Thank you much.

Well i think I have a clean comp, but i've gotten some wierd sp2 security centre lookalike popups from ie (even though I use mozilla) I thought it might be best to post a log.

Many Thanks

Datana · Post by **Datana** » 2004-10-13 11:42pm

Darth Mall: Two pieces of immediately removable spyware on your system. Limeshop, a third piece of adware, is an integral part of Limewire and both serves up ads and redirects all visits to Limewire "partner" sites into Limewire referrals. I only see the stub to its config screen (O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm), however, so it might already be gone if you followed my earlier instructions.

Kill these wrote:O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

Clean these up wrote:O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
(These are leftover bits of other programs. They don't help or hurt performance, but I like to keep a system's Registry clean.)

Tech^salvager · Post by **Tech^salvager** » 2004-10-18 10:07am

I recomned that you run them in Safemode!

Companion Cube · Post by **Companion Cube** » 2004-10-22 04:29am

Would appreciate some feedback on this.

Some stuff here looks a wee bit suspicious to my untrained eye. I've run the prerequisites, Spybot S&D, Ad-Aware, and CWShredder.

Logfile of HijackThis v1.98.2
Scan saved at 09:27:39, on 22/10/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\kdx\KHost.exe
C:\WINDOWS\shch.exe
C:\WINDOWS\System32\system32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\C&C\Halo Movies\hijackthis\HijackThis.exe
C:\Program Files\mozilla.org\Mozilla\mozilla.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/e ... efault.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btbroadbandstart.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/e ... efault.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/e ... efault.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [SvcH0st] C:\WINDOWS\shch.exe /i
O4 - HKLM\..\Run: [Sygate Personal Firewall] system32.exe
O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
O4 - HKLM\..\RunServices: [Sygate Personal Firewall] system32.exe
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Sygate Personal Firewall] system32.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {067D7797-04FC-42B1-92DB-81FC6CD318FD} (Dlctrl) - http://www.eingang69.de/EroticAccess/ocx/dlctrl.ocx
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.inf ... taller.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/softwar ... launch.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/app ... OFILER.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://www.tukati.com/software/4/1.7.20.20/tukati.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B82AA9EC-F27A-4307-8648-917C84CF1343}: NameServer = 194.74.65.69 194.72.9.38

Praxis · Post by **Praxis** » 2004-10-23 05:04pm

Logfile of HijackThis v1.98.2
Scan saved at 2:04:03 PM, on 10/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
D:\Program Files\Grisoft\AVG6\avgcc32.exe
D:\Program Files\Dynu Systems\Enterprise Server\esconfig.exe
D:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\QuickTime\qttask.exe
D:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\RUNDLL32.exe
D:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
D:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
C:\mysql\bin\winmysqladmin.exe
D:\Program Files\Dynu Systems\Enterprise Server\dynuftp.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server\appsrv\PhotoAppSrv.exe
D:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
D:\Program Files\AIM\aim.exe
D:\PROGRA~1\MOZILL~1\MOZILL~1.EXE
D:\Apache\Apache.exe
D:\Apache\Apache.exe
C:\WINDOWS\explorer.exe
D:\Program Files\Mozilla FireFox\firefox.exe
C:\DOCUMENTS AND SETTINGS\MARINO\MY DOCUMENTS\My Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: 3DNA Toolbar - {2ECB7FB2-0333-416F-92FD-4904AD49252B} - C:\WINDOWS\system32\3DNATO~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [AVG_CC] D:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Dynu Enterprise Server Manager] D:\Program Files\Dynu Systems\Enterprise Server\esconfig.exe -hide
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] D:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\RunOnce: [AAW] "D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /M "Stylus C84" /EF "HKCU"
O4 - HKCU\..\Run: [MessengerPlus3] "D:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Mwq3RRi7U] wshend.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Shortcut to Apache.exe.lnk = D:\Apache\Apache.exe
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = D:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Marino\Application Data\Mozilla\Firefox\Profiles\default.wy5\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Marino\Application Data\Mozilla\Firefox\Profiles\default.wy5\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b27571.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mci ... insctl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... Client.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/part ... nstall.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b27571.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcg ... cgdmgr.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab28177.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab27571.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... owdown.cab

Anyone?

Captain tycho · Post by **Captain tycho** » 2004-10-23 06:09pm

Logfile of HijackThis v1.97.7
Scan saved at 6:05:27 PM, on 10/23/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\xp user\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 7157652609
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0EF620B-A1E3-47B8-B7A6-DE061A620215}: NameServer = 209.143.0.10 209.143.22.182

Einhander Sn0m4n · Post by **Einhander Sn0m4n** » 2004-10-23 06:30pm

The List wrote:Logfile of HijackThis v1.98.2 <== Good, Latest Version.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople <== Set to Google if you want.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople <== Set to Google if you want.
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll <== OPTIONAL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll <== You have AVG installed and running. OPTIONAL BUT RECOMMENDED KILL
O3 - Toolbar: 3DNA Toolbar - {2ECB7FB2-0333-416F-92FD-4904AD49252B} - C:\WINDOWS\system32\3DNATO~1.DLL
O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe <== WTF is this Sony Vaio crap? I recommend a trimming.
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe <== GAIM or Trillian works good too. You may choose to keep this however.
O4 - HKLM\..\Run: [Dynu Enterprise Server Manager] D:\Program Files\Dynu Systems\Enterprise Server\esconfig.exe -hide
O4 - HKLM\..\Run: [MessengerPlus3] "D:\Program Files\Messenger Plus! 3\MsgPlus.exe" <== Gaim and Trillian are superior. Even MSN messenger is better. Keep if you like however.
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime <==Quicktime Alternative is better
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain <== KILL!
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe <== Redundant with AVG installed. Your Choice.
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe <== KILL THIS AOL SPYWARE PIECE OF SHIT NOW!
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe <== OPTIONAL KILL
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe <== Again, Redundant with AVG installed. Remember to uninstall McAfee from Add/Remove if you choose to remove it.
O4 - HKLM\..\RunOnce: [AAW] "D:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe" "+b1" <== GOOD! DO NOT KILL!
O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl <== GAIM or Trillian works good too. You may choose to keep this however. Possible Source of Viewpoint Infection.
O4 - HKCU\..\Run: [MessengerPlus3] "D:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart <== GAIM or Trillian works good too. You may choose to keep this however.
O4 - HKCU\..\Run: [Mwq3RRi7U] wshend.exe <== KILL!
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background <== WTF? MSN+ _AND_ MS MSGR? Ok... I think you'll like Trillian.
O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = D:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe <== OPTIONAL KILL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll <== OPTIONAL KILL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE <== OPTIONAL KILL
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE <== OPTIONAL KILL
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople <== RECOMMENDED KILL
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mci ... insctl.cab <== OPTIONAL KILL
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/part ... nstall.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcg ... cgdmgr.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab <== OPTIONAL KILL

[/quote]

Einhander Sn0m4n · Post by **Einhander Sn0m4n** » 2004-10-23 06:36pm

Captain tycho wrote:Logfile of HijackThis v1.97.7 <== PLEASE GET THE NEW HJT http://209.133.47.12/~merijn/files/HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp <== OPTIONAL KILL
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp <== OPTIONAL KILL
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll <== OPTIONAL KILL
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe <== OPTIONAL KILL
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1 <== KILL, then try these
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm <== OPTIONAL KILL
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU) <== Kill
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0EF620B-A1E3-47B8-B7A6-DE061A620215}: NameServer = 209.143.0.10 209.143.22.182