Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

DANGER:SPYWARE Problem[RESOLVED]


  • This topic is locked This topic is locked

#1
lnl4

lnl4

    Member

  • Member
  • PipPip
  • 17 posts
Hello my name is lance and i am sick of not knowing how to fix these problems,so i swollowed my pride and am asking for help. Please help me with this problem-here is the hijack this file;


Logfile of HijackThis v1.98.2
Scan saved at 5:27:39 PM, on 27/03/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\HOSTDLL.EXE
C:\WINDOWS\SYSTEM\CMD32.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\QDG.EXE
C:\WINDOWS\MSXMIDI.EXE
C:\WINDOWS\SYSTEM\PUWA.EXE
C:\WINDOWS\SYSTEM\BSKCEMTE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TEMP\RAR$EX00.529\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tse.com/H...l_12=&x=46&y=20
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {8608E84D-798E-4428-879E-76A2D8A13996} - C:\WINDOWS\SYSTEM\OYDKVG.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [hostdll.exe] C:\WINDOWS\hostdll.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [Kdo] C:\WINDOWS\Qdg.exe
O4 - HKLM\..\Run: [Aer] C:\WINDOWS\SYSTEM\Qpr.exe
O4 - HKLM\..\Run: [Gfi] C:\WINDOWS\SYSTEM\Gkh.exe
O4 - HKLM\..\Run: [Htg] C:\WINDOWS\SYSTEM\Gkl.exe
O4 - HKLM\..\Run: [Afl] C:\WINDOWS\SYSTEM\Djh.exe
O4 - HKLM\..\Run: [Ofp] C:\WINDOWS\Hma.exe
O4 - HKLM\..\Run: [Lat] C:\WINDOWS\Luq.exe
O4 - HKLM\..\Run: [Mch] C:\WINDOWS\Kpg.exe
O4 - HKLM\..\Run: [Ief] C:\WINDOWS\SYSTEM\Hqe.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [Autoupdate Service] C:\WINDOWS\msxmidi.exe
O4 - HKCU\..\Run: [Oore] C:\WINDOWS\SYSTEM\puwa.exe
O4 - HKCU\..\Run: [Vvxmo] C:\WINDOWS\SYSTEM\bskcemte.exe
O4 - HKCU\..\Run: [Kdo] C:\WINDOWS\Qdg.exe
O4 - HKCU\..\Run: [Aer] C:\WINDOWS\SYSTEM\Qpr.exe
O4 - HKCU\..\Run: [Gfi] C:\WINDOWS\SYSTEM\Gkh.exe
O4 - HKCU\..\Run: [Htg] C:\WINDOWS\SYSTEM\Gkl.exe
O4 - HKCU\..\Run: [Afl] C:\WINDOWS\SYSTEM\Djh.exe
O4 - HKCU\..\Run: [Ofp] C:\WINDOWS\Hma.exe
O4 - HKCU\..\Run: [Lat] C:\WINDOWS\Luq.exe
O4 - HKCU\..\Run: [Mch] C:\WINDOWS\Kpg.exe
O4 - HKCU\..\Run: [Ief] C:\WINDOWS\SYSTEM\Hqe.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\\MAIN.MHT!http://toolbarpartne...chm::/frame.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo....cab?refid=4699
  • 0

Advertisements


#2
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Howdy Lance,Welcome to GeekstoGo!!

Believe me,I know your frustration,been in them Boots before!!

There is a sticky post at the Top of the Forum:
Must Read

These are the Forum Rules,but the Advice given is Right on Target!

Remove the Copy of HijackThis that you have,follow the link above as best you can and Install the Latest Version of HijackThis,make sure to place it in its own Folder just as described!

Post back with a fresh HijackThis Log and we will get to work!
  • 0

#3
lnl4

lnl4

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Hello again sorry for the delay i just got off night shift. I believe i did everything i was instructed, rebooted my system and still have issues. I will now post my hijackthis log....

Logfile of HijackThis v1.98.2
Scan saved at 4:51:05 PM, on 28/03/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\HOSTDLL.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\PUWA.EXE
C:\WINDOWS\SYSTEM\BSKCEMTE.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\REDIR32.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\WINRAR\WINRAR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TEMP\RAR$EX00.373\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://balabolka.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {8608E84D-798E-4428-879E-76A2D8A13996} - C:\WINDOWS\SYSTEM\OYDKVG.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {13D4002D-6D79-4AAA-885B-882A8D167AC0} - C:\WINDOWS\SYSTEM\HIOJ.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [hostdll.exe] C:\WINDOWS\hostdll.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [SearchAssistant] "C:\Q92194.exe "
O4 - HKLM\..\Run: [Pbf] C:\WINDOWS\Jfd.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKCU\..\Run: [Oore] C:\WINDOWS\SYSTEM\puwa.exe
O4 - HKCU\..\Run: [Vvxmo] C:\WINDOWS\SYSTEM\bskcemte.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {BDC9F2FB-CB7D-4F63-B571-3883421F7579} - (no file)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BDC9F2FB-CB7D-4F63-B571-3883421F7579} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {E3B9DCD7-63BC-484C-996B-10F846232AE6} - (no file)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E3B9DCD7-63BC-484C-996B-10F846232AE6} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {BDC9F2FB-CB7D-4F63-B571-3883421F7579} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BDC9F2FB-CB7D-4F63-B571-3883421F7579} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {E3B9DCD7-63BC-484C-996B-10F846232AE6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E3B9DCD7-63BC-484C-996B-10F846232AE6} - (no file) (HKCU)
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\\MAIN.MHT!http://toolbarpartne...chm::/frame.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O18 - Filter: text/html - {3DA3DED4-7BDB-4CF5-8100-D6DCCA6928E9} - C:\WINDOWS\SYSTEM\HIOJ.DLL
O18 - Filter: text/plain - {3DA3DED4-7BDB-4CF5-8100-D6DCCA6928E9} - C:\WINDOWS\SYSTEM\HIOJ.DLL
  • 0

#4
lnl4

lnl4

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Great looks like got some search homepage, that cant be good.
  • 0

#5
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Ok,lets try this,Remove the Copy of Hijackthis that you have Installed on the Machine!

Create a Folder on the Desktop,to do this:

Right Click the Desktop>>>Select New>>>Select Folder>>>Name it whatever you like!

Download HijackThis 1.99.1 to the New folder from Here

Scan and Save a Log!

Please download SpSeHjfix from here and place it in the new folder and unzip the program and Extract All Files!
Dont run it yet!

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
Safe Mode

Once in Safe Mode,Open the New folder contaning SpSeHjfix110.exe
All Windows and Browsers must be Closed,Including this one!
Double Click the SpSeHjfix110.exe

When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the new folder.


Once rebooted, run SpSeHjfix110 again.

After the second reboot, generate a fresh HijackThis log and post it along with the contents of the second SpSeHjfix log!
  • 0

#6
lnl4

lnl4

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Ok i will do it right now.
  • 0

#7
lnl4

lnl4

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Hey, right click wont work on my desktop but i can do it other places? so i sent a new folder from my doc to desktop will this do?
  • 0

#8
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
That will work just fine!!!
  • 0

#9
lnl4

lnl4

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Holy crap the longer this goes on the less control of my computer i have, i was just now able to get back online through my email which had a link. I tried the link you told me to get but itdid nothing? Anymore suggestions would help. I really appreciate your help!!!
  • 0

#10
lnl4

lnl4

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
search and destroy keeps freezing up on me when it tries to get rid of the problems.
  • 0

Advertisements


#11
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Download Symantecs Tool for the removal of this bug and lets see if it will work
Use This Link to download the Tool:
Removal Tool

Before executing it,Close out all open Windows and Browsers and Disconnect from the Internet!

Read through the Link good before starting!

Save any reports it may list!

Restart in Safe Mode and Run the Tool again just as you did in Nornmal Mode!

Post back with any results and a Fresh HijackThis Log!
  • 0

#12
lnl4

lnl4

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Well the scan said i dont have the worm but here is the hijckthis log;

Logfile of HijackThis v1.99.1
Scan saved at 10:49:03 PM, on 29/03/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\BSKCEMTE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\WINRAR\WINRAR.EXE
C:\WINDOWS\TEMP\RAR$EX00.129\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {8608E84D-798E-4428-879E-76A2D8A13996} - C:\WINDOWS\SYSTEM\OYDKVG.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {BDC9F2FB-CB7D-4F63-B571-3883421F7579} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {BDC9F2FB-CB7D-4F63-B571-3883421F7579} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {E3B9DCD7-63BC-484C-996B-10F846232AE6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E3B9DCD7-63BC-484C-996B-10F846232AE6} - (no file) (HKCU)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
  • 0

#13
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Please download Srartdreck from here.

UnZip the startdreck.zip file first.
DoubleClick 'StartDreck.exe'
First click on the config button.
Now click the 'Unmark all' button.
Put a check by these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.

Now click the Save button to save the log. Go to the StartDreck folder and find the Startdreck.log file.

Copy and Paste the contents of that log back here.

Download Pocket KillBox from here:
http://www.bleepingc...les/killbox.php
There is a Direct Download and a description of what the Program does inside this link.
Download,UnZip,Extract All Files and Have it ready to Use!

There is a file that we cant see just yet,The StartDreck Log should provide us the Filename and location!

Once we know that we can get this bugger nailed down!

Post back with the Results!
  • 0

#14
lnl4

lnl4

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Hi there i appreciate you not giving up on me, here is the startdreck log file.

StartDreck (build 2.1.7 public stable) - 2005-03-30 @ 20:09:46 (GMT -06:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 6.0.2800.1106
Logged in as at HOME COMPUTER

舞egistry
舞un Keys
翟urrent User
舞un
舞unOnce
聞efault User
舞un
舞unOnce
腿ocal Machine
舞un
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*PCHealth=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*BJCFD=C:\Program Files\BroadJump\Client Foundation\CFD.exe
*Lexmark 2200 Series="C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
*LexStart=lexstart.exe
*FaxCenterServer="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
*WorksFUD=C:\Program Files\Microsoft Works\wkfud.exe
*Microsoft Works Update Detection=C:\Program Files\Microsoft Works\WkDetect.exe
*WinampAgent=C:\Program Files\Winamp\winampa.exe
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*AVG7_CC=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
*AVG7_EMC=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
*AVG7_AMSVR=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
*Zone Labs Client="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
*TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
舞unOnce
舞unServices
*SchedulingAgent=mstask.exe
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
*TrueVector=C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
舞unServicesOnce
舞unOnceEx
舞unServicesOnceEx
翡rowser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
*{8608E84D-798E-4428-879E-76A2D8A13996}
`InprocServer32=C:\WINDOWS\SYSTEM\OYDKVG.DLL
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
肇iles
艋ystem/Drivers
舞unning Processes
+FF0F2BCD=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF6E65=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFF8E19=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFFE221=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE3851=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFE24BD=C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
+FFFD00C1=C:\WINDOWS\EXPLORER.EXE
+FFFDD0B1=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
+FFFC1195=C:\WINDOWS\TASKMON.EXE
+FFFC4385=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFCE489=C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
+FFF3B679=C:\WINDOWS\SYSTEM\LEXBCES.EXE
+FFF3B8F9=C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
+FFF3F281=C:\WINDOWS\SYSTEM\RPCSS.EXE
+FFF35D61=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
+FFF2337D=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFF22AC5=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
+FFF20A85=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
+FFF27581=C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
+FFF2AF01=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
+FFF00ACD=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFF04CE5=C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
+FFF7A3B9=C:\WINDOWS\SYSTEM\PSTORES.EXE
+FFF1FD19=C:\WINDOWS\SYSTEM\LEXPPS.EXE
+FFFE3401=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF67FE5=C:\WINDOWS\SYSTEM\BSKCEMTE.EXE
+FFF5D219=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFF5F4ED=C:\PROGRAM FILES\WINRAR\WINRAR.EXE
+FFF58BF5=C:\WINDOWS\TEMP\RAR$EX00.851\STARTDRECK.EXE
翠pplication specific
  • 0

#15
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Please do not restart the PC!

Go Here,Select Browse,Locate this File:
C:\WINDOWS\SYSTEM\BSKCEMTE.EXE<<< Submit that EXE for a Scan!

Let me know the results of that Scan!

Once you know the results,post a fresh HijackThis Log along with the results!
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP