
Problem with "Searchforfree" malware [resolved]


  • This topic is locked This topic is locked

#1 killallmalware (New Member, 9 posts)
Logfile of HijackThis v1.99.1
Scan saved at 7:06:16 PM, on 4/11/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\mcbin\av\rt\asengine.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Century\TinyTERM\NetUtils\Cenlpd.exe
C:\WINNT\system32\lexmvservice.exe
C:\WINNT\system32\lexwebservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\S3tray.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\system32\TPWRTRAY.EXE
C:\Program Files\tioga\Client\bin\tgcmd.exe
C:\WINNT\System32\Tdevdetect.exe
C:\WINNT\dslaunch.exe
C:\WINNT\System32\Tfunckey.exe
C:\WINNT\System32\Tpwricon.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINNT\system32\msvcmm32.exe
C:\WINNT\system32\winldra.exe
C:\WINNT\system32\nvdsvc32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~2.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\D-Link\D-Link DWL-650 Control Utility\Config.exe
C:\Program Files\j2 Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\j2 Messenger Plus 3.3\J2GTray.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cenlpdstatus.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spyware Protection\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchforfree.info/browser/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchforfree.info/browser/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchforfree.info/browser/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchforfree.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://searchforfree.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchforfree.info/browser/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchforfree.info/browser/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchforfree.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchforfree.info/browser/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchforfree.info/browser/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://searchforfree.info/browser/
F3 - REG:win.ini: run=C:\WINNT\htmlsync.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TDspOff] Tdspoff.exe B
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TgAddServer] "C:\Program Files\tioga\Client\bin\tgfix.exe" /fds "http://vtsupport.ans...eam.com/global"
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\tioga\Client\bin\tgcmd.exe" /nosystray
O4 - HKLM\..\Run: [tgsetsite] "C:\Program Files\tioga\Client\bin\tgfix.exe" /i /f "C:\Program Files\tioga\client\bin\toshibasup.dna"
O4 - HKLM\..\Run: [mgavrtclexe] C:\WINNT\MCBin\AV\Rt\mgavrtcl.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINNT\system32\msvcmm32.exe
O4 - HKLM\..\Run: [isystem] C:\WINNT\system32\isystem.exe
O4 - HKLM\..\Run: [load32] C:\WINNT\system32\winldra.exe
O4 - HKLM\..\Run: [C:\WINNT\system32\nvdsvc32.exe ] C:\WINNT\system32\nvdsvc32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [ldriver] C:\WINNT\system32\ldriver.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\D-Link\D-Link DWL-650 Control Utility\Config.exe
O4 - Global Startup: j2 Live Menu 3.3.lnk = C:\Program Files\j2 Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: j2 Tray Menu 3.3.lnk = C:\Program Files\j2 Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: Cenlpdstatus.exe
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (WebProgramManager Class) - http://isupport4.hp....SWebManager.CAB
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.cinemanow...Control_3_0.CAB
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin...cab/wabctrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1EE9EB77-3890-42BA-B9E9-4CFAC940D44B}: NameServer = 208.57.0.11,208.57.0.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD276B2B-1070-4B87-A94D-45C1E5AEA7D7}: NameServer = 205.214.51.16,205.214.45.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = solidsource.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{1EE9EB77-3890-42BA-B9E9-4CFAC940D44B}: NameServer = 208.57.0.11,208.57.0.10
O17 - HKLM\System\CS2\Services\Tcpip\..\{1EE9EB77-3890-42BA-B9E9-4CFAC940D44B}: NameServer = 208.57.0.11,208.57.0.10
O21 - SSODL: TETcqsmnI - {184214D6-B2E8-BE7C-A5C2-C38C55B70D3D} - C:\WINNT\system32\bcc.dll
O23 - Service: McAfee.com AV Engine (AsEngine) - Network Associates, Inc. - C:\WINNT\mcbin\av\rt\asengine.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CenLPD - Unknown owner - C:\Program Files\Century\TinyTERM\NetUtils\Cenlpd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MarkVision Server (MvServer) - Unknown owner - C:\WINNT\system32\lexmvservice.exe
O23 - Service: MarkVision Web Server (MvWebServer) - Unknown owner - C:\WINNT\system32\lexwebservice.exe
O23 - Service: THotkey (THOTKEY) - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE


I have run all of the recommended tools (which removed a number of other malware) and have even used HijackThis to remove the files with reference to "Searchforfree", but whenever my computer reboots the homepage has been replaced by searchforfree.info and the files reappear.

Any assistance in solving this problem would be appreciated.

#2 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
Hi K.A.M. Welcome to GTG. :tazz: Did you get this fixed or do you still need help? If so, please run another log and I'll get after it right away. ;)

#3 killallmalware (New Member, Topic Starter, 9 posts)
Thank you for your reply. To answer your question, I'm not sure if I have solved the problem yet. I saw the directions posted on GTG for another similar post and used my best guesswork to modify them for Win2000. This has gotten rid of the main symptoms (my homepage does not default to Searchforfree, even after reboots), but I notice that my computer is constantly accessing the hard drive and running a bit slow. I'm not sure if this is due to the malware, the scanning and protection programs I loaded (those that were recommended by GTG), or something else. In any case, here is my current HijackThis log....

Logfile of HijackThis v1.99.1
Scan saved at 10:33:46 AM, on 4/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\mcbin\av\rt\asengine.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Century\TinyTERM\NetUtils\Cenlpd.exe
C:\WINNT\system32\lexmvservice.exe
C:\WINNT\system32\lexwebservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\S3tray.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\system32\TPWRTRAY.EXE
C:\Program Files\tioga\Client\bin\tgcmd.exe
C:\WINNT\dslaunch.exe
C:\WINNT\System32\Tdevdetect.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINNT\System32\Tfunckey.exe
C:\WINNT\system32\msvcmm32.exe
C:\WINNT\System32\Tpwricon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~2.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\D-Link\D-Link DWL-650 Control Utility\Config.exe
C:\Program Files\j2 Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\j2 Messenger Plus 3.3\J2GTray.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cenlpdstatus.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Spyware Protection\HijackThis1991.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://weather.yahoo...t/USCA0638.html
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TDspOff] Tdspoff.exe B
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TgAddServer] "C:\Program Files\tioga\Client\bin\tgfix.exe" /fds "http://vtsupport.ans...eam.com/global"
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\tioga\Client\bin\tgcmd.exe" /nosystray
O4 - HKLM\..\Run: [tgsetsite] "C:\Program Files\tioga\Client\bin\tgfix.exe" /i /f "C:\Program Files\tioga\client\bin\toshibasup.dna"
O4 - HKLM\..\Run: [mgavrtclexe] C:\WINNT\MCBin\AV\Rt\mgavrtcl.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINNT\system32\msvcmm32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\D-Link\D-Link DWL-650 Control Utility\Config.exe
O4 - Global Startup: j2 Live Menu 3.3.lnk = C:\Program Files\j2 Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: j2 Tray Menu 3.3.lnk = C:\Program Files\j2 Messenger Plus 3.3\J2GTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: Cenlpdstatus.exe
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (WebProgramManager Class) - http://isupport4.hp....SWebManager.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.cinemanow...Control_3_0.CAB
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin...cab/wabctrl.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = solidsource.com
O21 - SSODL: TETcqsmnI - {184214D6-B2E8-BE7C-A5C2-C38C55B70D3D} - C:\WINNT\system32\bcc.dll
O23 - Service: McAfee.com AV Engine (AsEngine) - Network Associates, Inc. - C:\WINNT\mcbin\av\rt\asengine.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CenLPD - Unknown owner - C:\Program Files\Century\TinyTERM\NetUtils\Cenlpd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MarkVision Server (MvServer) - Unknown owner - C:\WINNT\system32\lexmvservice.exe
O23 - Service: MarkVision Web Server (MvWebServer) - Unknown owner - C:\WINNT\system32\lexwebservice.exe
O23 - Service: THotkey (THOTKEY) - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE
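The two logs above differ in exactly the way a helper reads them: the Rn entries pointing at searchforfree.info are gone, the [load32] and [ldriver] autostarts are gone, and the O21 SSODL entry for bcc.dll is still there (in the later logs of this thread it shows up with HijackThis's "(file missing)" marker, meaning the registry pointer survived the file). The following is an added triage helper, not a Geeks to Go or HijackThis tool, that parses HijackThis-style logs, pulls out entries mentioning a domain, lists Run-key targets, flags "(file missing)" pointers, reports running processes that no autostart entry accounts for, and diffs two logs. The sample logs are constructed excerpts of the logs posted in this thread (the O21 line in the "after" sample carries the "(file missing)" suffix from post #9); all function names are this example's own.

```python
# Added example: triage helper for HijackThis-style logs (not a Geeks to Go
# or HijackThis tool). Sample logs below are constructed excerpts of the logs
# posted in this thread.
import re
from dataclasses import dataclass

# Constructed excerpt of the 4/11/2005 log from post #1.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 7:06:16 PM, on 4/11/2005

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winldra.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchforfree.info/browser/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://searchforfree.info/
F3 - REG:win.ini: run=C:\WINNT\htmlsync.exe
O4 - HKLM\..\Run: [load32] C:\WINNT\system32\winldra.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O21 - SSODL: TETcqsmnI - {184214D6-B2E8-BE7C-A5C2-C38C55B70D3D} - C:\WINNT\system32\bcc.dll
"""

# Constructed excerpt of the later logs (4/18 and 4/22/2005); "(file missing)"
# is what HijackThis prints when a registry entry points at a deleted file.
LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:33:46 AM, on 4/18/2005

Running processes:
C:\WINNT\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://weather.yahoo...t/USCA0638.html
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O21 - SSODL: TETcqsmnI - {184214D6-B2E8-BE7C-A5C2-C38C55B70D3D} - C:\WINNT\system32\bcc.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# Matches the body of an O4 Run-key line: HKLM\..\Run: [name] command
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>.*?)\] (?P<cmd>.*)$")
MISSING = " (file missing)"


@dataclass(frozen=True)
class Entry:
    code: str  # section code: R0/R1 (IE URLs), F3 (win.ini), O4 (autostarts), O21 (SSODL), O23 (services)
    body: str  # everything after "<code> - "


def parse_entries(text):
    """Return the Rn/Fn/On entries; header and process list lines do not match."""
    return [Entry(m["code"], m["body"])
            for line in text.splitlines() if (m := ENTRY_RE.match(line.strip()))]


def running_processes(text):
    """Return the paths listed under 'Running processes:' up to the blank line."""
    procs, in_block = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_block = True
            continue
        if in_block:
            if not line:
                break
            procs.append(line)
    return procs


def entries_mentioning(entries, needle):
    """Entries whose body contains needle (case-insensitive), e.g. a hijacker domain."""
    needle = needle.lower()
    return [e for e in entries if needle in e.body.lower()]


def file_missing(entries):
    """Registry pointers whose target file is gone; leftover after a file-only cleanup."""
    return [e for e in entries if e.body.endswith(MISSING)]


def run_key_targets(entries):
    """Map Run-key value name -> command for the O4 HKLM/HKCU entries."""
    targets = {}
    for e in entries:
        if e.code == "O4" and (m := RUN_RE.match(e.body)):
            targets[m["name"]] = m["cmd"]
    return targets


def unexplained_processes(text):
    """Running processes no entry in the log refers to: a starting list for
    'do you know what this is?' questions, not a verdict (core system
    processes such as smss.exe land here too)."""
    bodies = " ".join(e.body.lower() for e in parse_entries(text))
    return [p for p in running_processes(text) if p.lower() not in bodies]


def diff_logs(before, after):
    """Entries removed and added between two logs; the '(file missing)' suffix
    is ignored so a surviving pointer is not reported as a new entry."""
    def key(e):
        return (e.code, e.body.removesuffix(MISSING))
    before_keys = {key(e) for e in before}
    after_keys = {key(e) for e in after}
    removed = [e for e in before if key(e) not in after_keys]
    added = [e for e in after if key(e) not in before_keys]
    return removed, added


if __name__ == "__main__":
    before, after = parse_entries(LOG_BEFORE), parse_entries(LOG_AFTER)
    for e in entries_mentioning(before, "searchforfree.info"):
        print("hijacked URL:", e.code, e.body)
    print("run keys:", run_key_targets(before))
    print("unexplained:", unexplained_processes(LOG_BEFORE))
    removed, added = diff_logs(before, after)
    print("removed:", [e.code for e in removed], "added:", [e.code for e in added])
    print("still pointing at deleted files:", [e.body for e in file_missing(after)])
```

Run on the full logs, `diff_logs` gives the same view the helper works from across posts, and `file_missing` is the check that catches an O21 or O23 pointer left behind after the file itself was deleted in safe mode.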

#4 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
This one looks kind of funny to me.

O4 - Global Startup: Cenlpdstatus.exe

Do you know what it is?

#5 killallmalware (New Member, Topic Starter, 9 posts)
No, I don't know what that is. It has been present for as long as I remember as a running process (I don't believe it recently appeared concurrent with the slowdown of my computer), but I'm not clear on exactly how long it has been since it appeared and whether there is any correlation with my computer having problems.

#6 killallmalware (New Member, Topic Starter, 9 posts)
When I Googled cenlpdstatus.exe, I came across a post on Spyware Warrior Forum from someone having trouble with stopguard.com and popups with exactly the same line. Unfortunately, there was no information on whether cenlpdstatus.exe was malware.

#7 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
Thanks. I just wanted to make sure this wasn't a program you installed. I will be away today but will try to look at it later tonight.

#8 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
Do you have McAfee on your system or did you run it at one time or another? I see you also have AVG. You shouldn't run both, unless McAfee is your firewall. Please uninstall one of them. If Mcafee has lapsed and you haven't updated it and haven't paid for it, either pay to renew or uninstall it.

What is Sam Spade? I had another log with some problems on it. It had something to do with their ISP.

Do you have a lexmark printer - anything Lexmark?

Only run the following fix if you are getting rid of McAfee. If you are keeping McAfee, hold off and let me know.

Press Control-Alt-Del to enter the Task Manager.

Click on the Processes tab and end the following processes:

C:\WINNT\mcbin\av\rt\asengine.exe
C:\Program Files\Century\TinyTERM\NetUtils\Cenlpd.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cenlpdstatus.exe

Exit the Task Manager when finished.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
<<check these for now until we get it fixed. It may interfere with fixing.

O4 - Global Startup: Cenlpdstatus.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll

O21 - SSODL: TETcqsmnI - {184214D6-B2E8-BE7C-A5C2-C38C55B70D3D} - C:\WINNT\system32\bcc.dll

O23 - Service: McAfee.com AV Engine (AsEngine) - Network Associates, Inc. - C:\WINNT\mcbin\av\rt\asengine.exe
O23 - Service: CenLPD - Unknown owner - C:\Program Files\Century\TinyTERM\NetUtils\Cenlpd.exe

Click on Fix Checked when finished and exit HijackThis.

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):

C:\WINNT\mcbin\av\rt\asengine.exe
C:\Program Files\Century\<<entire folder
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Cenlpdstatus.exe
C:\WINNT\system32\bcc.dll


Please scan your system with Ad-aware:
Ad-aware SE - Download - Home Page
  • If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
  • After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
  • Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".
  • Once the definitions have been updated:
  • Reconfigure Ad-Aware for Full Scan as per the following instructions:
    • Launch the program, and click on the Gear at the top of the start screen.
    • Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
      • "Automatically save logfile"
      • "Automatically quarantine objects prior to removal"
      • "Safe Mode (always request confirmation)"
      • "Prompt to update outdated confirmation" - Change to 7 days.
    • Click the "Scanning" button (On the left side).
    • Under Drives & Folders, select "Scan within Archives"
    • Click "Click here to select Drives + folders" and select your installed hard drives.
    • Under Memory & Registry, select all options.
    • Click the "Advanced" button (On the left hand side).
    • Under "Shell Integration", select "Move deleted files to Recycle Bin".
    • Under "Log-file detail", select all options.
    • Click on the "Defaults" button on the left.
    • Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
    • Click the "Tweak" button (Again, on the left hand side).
    • Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
      • "Unload recognized processes during scanning."
      • "Obtain command line of scanned processes"
      • "Scan registry for all users instead of current user only"
    • Under "Cleaning Engine", select the following:
      • "Automatically try to unregister objects prior to deletion."
      • "During removal, unload explorer and IE if necessary"
      • "Let Windows remove files in use at next reboot."
      • "Delete quarantined objects after restoring"
    • Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
    • Click on "Proceed" to save these Preferences.
    • Click on the "Scan Now" button on the left.
    • Under "Select Scan Mode", be sure to select "Use Custom Scanning Options".
  • Close all programs except ad-aware.
  • Click on "Next" in the bottom right corner to start the scan.
  • Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
  • After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may have found. Allow it to finish.
Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, be sure to also select delete all offline content.

If you would please, rescan with HijackThis and post a fresh log in this same topic.


Post back a fresh HijackThis log and we will take another look.

#9 killallmalware (New Member, Topic Starter, 9 posts)
I've followed your instructions including removing McAfee. I do have a Lexmark printer. I don't know what Sam Spade is. Below is the HiJackThis logfile after following all the instructions (AdAware found the myDoom worm which I removed). Thanks for your help.

Logfile of HijackThis v1.99.1
Scan saved at 6:00:02 PM, on 4/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\lexmvservice.exe
C:\WINNT\system32\lexwebservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\S3tray.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\system32\TPWRTRAY.EXE
C:\Program Files\tioga\Client\bin\tgcmd.exe
C:\WINNT\System32\Tdevdetect.exe
C:\WINNT\dslaunch.exe
C:\WINNT\System32\Tfunckey.exe
C:\WINNT\System32\Tpwricon.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINNT\system32\msvcmm32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~2.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\D-Link\D-Link DWL-650 Control Utility\Config.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\Spyware Protection\HijackThis1991.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://weather.yahoo...t/USCA0638.html
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TDspOff] Tdspoff.exe B
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TgAddServer] "C:\Program Files\tioga\Client\bin\tgfix.exe" /fds "http://vtsupport.ans...eam.com/global"
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\tioga\Client\bin\tgcmd.exe" /nosystray
O4 - HKLM\..\Run: [tgsetsite] "C:\Program Files\tioga\Client\bin\tgfix.exe" /i /f "C:\Program Files\tioga\client\bin\toshibasup.dna"
O4 - HKLM\..\Run: [mgavrtclexe] C:\WINNT\MCBin\AV\Rt\mgavrtcl.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINNT\system32\msvcmm32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\D-Link\D-Link DWL-650 Control Utility\Config.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (WebProgramManager Class) - http://isupport4.hp....SWebManager.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.cinemanow...Control_3_0.CAB
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin...cab/wabctrl.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = solidsource.com
O21 - SSODL: TETcqsmnI - {184214D6-B2E8-BE7C-A5C2-C38C55B70D3D} - C:\WINNT\system32\bcc.dll (file missing)
O23 - Service: McAfee.com AV Engine (AsEngine) - Unknown owner - C:\WINNT\mcbin\av\rt\asengine.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MarkVision Server (MvServer) - Unknown owner - C:\WINNT\system32\lexmvservice.exe
O23 - Service: MarkVision Web Server (MvWebServer) - Unknown owner - C:\WINNT\system32\lexwebservice.exe
O23 - Service: THotkey (THOTKEY) - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE

#10 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
You are running AVG and McAfee. That is not good for your computer and will cause many problems. Please uninstall one program.

Please download

ccleaner

Don't run it yet.

You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

O21 - SSODL: TETcqsmnI - {184214D6-B2E8-BE7C-A5C2-C38C55B70D3D} - C:\WINNT\system32\bcc.dll (file missing)

The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.


O4 - HKLM\..\Run: [S3TRAY] S3tray.exe
(Description: S3 configuration taskbar applet. Not necessary. Removing this entry will free up a small amount of system resources.)

O4 - HKLM\..\Run: [LoadQM] loadqm.exe
(Description: This is the Microsoft MSN Queue Manager. There is disagreement over whether it is spying on you or not. Nevertheless, we suggest you check this entry and remove it. Removing this entry will free up some system resources. more information)

O4 - HKLM\..\Run: [LoadMSvcmm] C:\WINNT\system32\msvcmm32.exe
(Description: Auto-update for Movielink - internet movie rental System Tray access. Removing this entry will free up a small amount of system resources. )


Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):

C:\WINNT\system32\bcc.dll

Run ccleaner.

If you want to save your cookies, please remove that option in the cleaning protocol.

Post back a fresh HijackThis log and we will take another look. :tazz:

#11 killallmalware (New Member, Topic Starter, 9 posts)
I can't find any trace of McAfee left, other than the annoying Renew dialogue box that appears on every reboot. I have followed all the other instructions - logfile below...

Logfile of HijackThis v1.99.1
Scan saved at 5:20:24 PM, on 4/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\lexmvservice.exe
C:\WINNT\system32\lexwebservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ntvdm.exe
C:\WINNT\system32\TPWRTRAY.EXE
C:\Program Files\tioga\Client\bin\tgcmd.exe
C:\WINNT\dslaunch.exe
C:\WINNT\System32\Tdevdetect.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
C:\WINNT\System32\Tfunckey.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINNT\System32\Tpwricon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\D-Link\D-Link DWL-650 Control Utility\Config.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Spyware Protection\HijackThis1991.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://weather.yahoo...t/USCA0638.html
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TDspOff] Tdspoff.exe B
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TgAddServer] "C:\Program Files\tioga\Client\bin\tgfix.exe" /fds "http://vtsupport.ans...eam.com/global"
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\tioga\Client\bin\tgcmd.exe" /nosystray
O4 - HKLM\..\Run: [tgsetsite] "C:\Program Files\tioga\Client\bin\tgfix.exe" /i /f "C:\Program Files\tioga\client\bin\toshibasup.dna"
O4 - HKLM\..\Run: [mgavrtclexe] C:\WINNT\MCBin\AV\Rt\mgavrtcl.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\D-Link\D-Link DWL-650 Control Utility\Config.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (WebProgramManager Class) - http://isupport4.hp....SWebManager.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.cinemanow...Control_3_0.CAB
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin...cab/wabctrl.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = solidsource.com
O23 - Service: McAfee.com AV Engine (AsEngine) - Unknown owner - C:\WINNT\mcbin\av\rt\asengine.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MarkVision Server (MvServer) - Unknown owner - C:\WINNT\system32\lexmvservice.exe
O23 - Service: MarkVision Web Server (MvWebServer) - Unknown owner - C:\WINNT\system32\lexwebservice.exe
O23 - Service: THotkey (THOTKEY) - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE

#12 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
http://www.samspade.org/

This is listed as the domain belonging to your ISP or company.


You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and, when it finishes, put an X in the boxes only next to the following items, then click Fix checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://weather.yahoo...t/USCA0638.html
O4 - HKLM\..\Run: [mgavrtclexe] C:\WINNT\MCBin\AV\Rt\mgavrtcl.exe
O23 - Service: McAfee.com AV Engine (AsEngine) - Unknown owner - C:\WINNT\mcbin\av\rt\asengine.exe (file missing)


Click on Fix Checked when finished and exit HijackThis.

Post back a fresh HijackThis log and we will take another look.

#13 killallmalware (New Member, Topic Starter, 9 posts)
My ISP is Verizon, so I don't think the SamSpade.org is legitimate.
HijackThis is in a permanent folder and the backups are being saved. The O23 - ... (file missing) line keeps reappearing even when fixed with HijackThis (as you will see in the log below).

Logfile of HijackThis v1.99.1
Scan saved at 1:01:46 PM, on 4/26/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\lexmvservice.exe
C:\WINNT\system32\lexwebservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ntvdm.exe
C:\WINNT\system32\TPWRTRAY.EXE
C:\Program Files\tioga\Client\bin\tgcmd.exe
C:\WINNT\dslaunch.exe
C:\WINNT\System32\Tdevdetect.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
C:\WINNT\System32\Tfunckey.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINNT\System32\Tpwricon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jucheck.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Spyware Protection\HijackThis1991.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TDspOff] Tdspoff.exe B
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TgAddServer] "C:\Program Files\tioga\Client\bin\tgfix.exe" /fds "http://vtsupport.ans...eam.com/global"
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\tioga\Client\bin\tgcmd.exe" /nosystray
O4 - HKLM\..\Run: [tgsetsite] "C:\Program Files\tioga\Client\bin\tgfix.exe" /i /f "C:\Program Files\tioga\client\bin\toshibasup.dna"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunOnce: [DeleteTempM3Log] cmd.exe /c del /Q C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\m3log.txt
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\D-Link\D-Link DWL-650 Control Utility\Config.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (WebProgramManager Class) - http://isupport4.hp....SWebManager.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.cinemanow...Control_3_0.CAB
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin...cab/wabctrl.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = solidsource.com
O23 - Service: McAfee.com AV Engine (AsEngine) - Unknown owner - C:\WINNT\mcbin\av\rt\asengine.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MarkVision Server (MvServer) - Unknown owner - C:\WINNT\system32\lexmvservice.exe
O23 - Service: MarkVision Web Server (MvWebServer) - Unknown owner - C:\WINNT\system32\lexwebservice.exe
O23 - Service: THotkey (THOTKEY) - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE
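To see which log items actually went away between two scans (the O4 entry fixed in post #12, the O23 "(file missing)" service that keeps reappearing), here is a small added Python triage script. It is not part of the thread or of HijackThis; the sample lines are constructed to mirror the logs posted above.

```python
"""Triage the O4 (autostart) and O23 (service) lines of a HijackThis log
and diff two scans to see what a "Fix checked" actually removed.
Added example; the sample lines below are constructed from the thread's logs."""
import re
from typing import Dict, List, Tuple

# O23 - Service: <display name> (<short name>) - <owner> - <path> [(file missing)]
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) \((?P<short>[^)]+)\) - "
                    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
# O4 - HKLM\..\Run: [<label>] <command>   (HKCU and RunOnce are handled too)
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce): "
                   r"\[(?P<label>[^\]]+)\] (?P<cmd>.+)$")

SCAN_BEFORE = r"""
O4 - HKLM\..\Run: [mgavrtclexe] C:\WINNT\MCBin\AV\Rt\mgavrtcl.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: McAfee.com AV Engine (AsEngine) - Unknown owner - C:\WINNT\mcbin\av\rt\asengine.exe (file missing)
O23 - Service: THotkey (THOTKEY) - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE
"""
SCAN_AFTER = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [DeleteTempM3Log] cmd.exe /c del /Q C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\m3log.txt
O23 - Service: McAfee.com AV Engine (AsEngine) - Unknown owner - C:\WINNT\mcbin\av\rt\asengine.exe (file missing)
O23 - Service: THotkey (THOTKEY) - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE
"""

def parse_hjt(text: str) -> Dict[str, dict]:
    """Map each recognised O4/O23 line to its parsed fields."""
    entries: Dict[str, dict] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := O23_RE.match(line):
            d = m.groupdict()
            d.update(kind="service", missing=bool(d["missing"]))
            entries[line] = d
        elif m := O4_RE.match(line):
            entries[line] = {**m.groupdict(), "kind": "autostart"}
    return entries

def orphaned_services(entries: Dict[str, dict]) -> List[str]:
    """Service registrations whose binary is gone ('file missing').
    If a fix only stops the service and leaves its key, the line reappears in
    later scans, which is exactly what this thread observed for AsEngine."""
    return sorted(e["short"] for e in entries.values()
                  if e["kind"] == "service" and e["missing"])

def diff_scans(before: Dict[str, dict], after: Dict[str, dict]) -> Tuple[List[str], List[str], List[str]]:
    """(removed, added, persisted) lines between two parsed scans."""
    b, a = set(before), set(after)
    return sorted(b - a), sorted(a - b), sorted(a & b)
```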

#14 coachwife6 (SuperStar, Retired Staff, 11,413 posts)
About Sam Spade. Never mind. My bad. ;)


You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and, when it finishes, put an X in the boxes only next to the following items, then click Fix checked.


Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - HKLM\..\RunOnce: [DeleteTempM3Log] cmd.exe /c del /Q C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\m3log.txt

Click on Fix Checked when finished and exit HijackThis.

Run CCleaner again to get rid of all your temp files.

Post back a fresh HijackThis log and we will take another look. :tazz: How is it running?

#15 killallmalware (New Member, Topic Starter, 9 posts)
This line was not present when I ran HijackThis...
O4 - HKLM\..\RunOnce: [DeleteTempM3Log] cmd.exe /c del /Q C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\m3log.txt

My computer seems to be performing much better! :tazz:
Thank you for all of your patient help.

Just for my curiosity, what all was wrong with my computer? As far as I could follow, it seems that it had the myDoom worm and at least one spyware on it. Were there more problems than this?

Logfile of HijackThis v1.99.1
Scan saved at 6:34:17 PM, on 4/26/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\lexmvservice.exe
C:\WINNT\system32\lexwebservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ntvdm.exe
C:\WINNT\system32\TPWRTRAY.EXE
C:\Program Files\tioga\Client\bin\tgcmd.exe
C:\WINNT\dslaunch.exe
C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINNT\System32\Tdevdetect.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\System32\Tfunckey.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\System32\Tpwricon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\D-Link\D-Link DWL-650 Control Utility\Config.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\WINNT\system32\wuauclt.exe
C:\Spyware Protection\HijackThis1991.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TDspOff] Tdspoff.exe B
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TgAddServer] "C:\Program Files\tioga\Client\bin\tgfix.exe" /fds "http://vtsupport.ans...eam.com/global"
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\tioga\Client\bin\tgcmd.exe" /nosystray
O4 - HKLM\..\Run: [tgsetsite] "C:\Program Files\tioga\Client\bin\tgfix.exe" /i /f "C:\Program Files\tioga\client\bin\toshibasup.dna"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\D-Link\D-Link DWL-650 Control Utility\Config.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (WebProgramManager Class) - http://isupport4.hp....SWebManager.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.cinemanow...Control_3_0.CAB
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin...cab/wabctrl.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = solidsource.com
O23 - Service: McAfee.com AV Engine (AsEngine) - Unknown owner - C:\WINNT\mcbin\av\rt\asengine.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MarkVision Server (MvServer) - Unknown owner - C:\WINNT\system32\lexmvservice.exe
O23 - Service: MarkVision Web Server (MvWebServer) - Unknown owner - C:\WINNT\system32\lexwebservice.exe
O23 - Service: THotkey (THOTKEY) - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE