Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Spyware programs


  • Please log in to reply

#1
smarlow816

smarlow816

    New Member

  • Member
  • Pip
  • 4 posts
I have all these programs on my computer that no matter how many times I delete them they always come back. The names are build3.exe, protect.exe, efvefe.exe, efefe.exe, pro2.exe, and ?ttrib.exe. I have run Adaware, Spybot, and AVG, nothing seems to work. Each time they seem to come back in a different spot.

Here is my HijackThis log file.
Logfile of HijackThis v1.99.1
Scan saved at 5:46:18 PM, on 10/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\PCI Audio Applications\Bin\EchoCtrl.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Slawdog\Smart Shutdown\Smart Shutdown.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\B50137176\build3.exe
C:\WINDOWS\system32\?ttrib.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\efvefefe.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\efefe.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\B50137176\build3.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0CA312AD-8739-ACE7-1A46-D03870329196} - C:\WINDOWS\system32\dkhs.dll
O2 - BHO: (no name) - {0FA312A4-874C-D8E3-1A32-DB38703C9190} - C:\WINDOWS\system32\dkhs.dll
O2 - BHO: (no name) - {0FA312AA-874F-AA91-1A3C-DA38734D91E6} - C:\WINDOWS\system32\dkhs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\nsm73.dll
O2 - BHO: (no name) - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [C-Media Echo Control] C:\Program Files\PCI Audio Applications\Bin\EchoCtrl.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Smart Shutdown.lnk = C:\Program Files\Slawdog\Smart Shutdown\Smart Shutdown.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[bleep]ed.biz
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.traffic2cash.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {060D72CF-4C8B-6F07-3514-353D1D3FE9A5} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - http://activex.micro...jects/ocget.dll
O16 - DPF: {0A0E2096-0F28-4B51-37F8-092E69DBB3C1} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {0EB4E7D6-E50C-7F4B-C38F-173F2DA41C5D} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {137DB2F6-584C-6768-8597-6561645E1BC4} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {1440AA9A-1909-4767-8602-39BA71976B6F} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {16E9137A-C116-0E6D-D5B5-08AB60D1CAAA} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {1720CF29-C031-1A76-580C-1419404FF09F} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {1B314856-E33D-64F3-26E6-310E331A5273} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {1EE69867-2942-02A3-22D8-2C8D548CBC5A} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {23034BFC-00C3-74CC-170D-2E796DF101B4} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (GTDownloaderCtrl Class) - http://inst.c-wss.co...ml/gtdownlr.cab
O16 - DPF: {25E33A61-7703-12D4-934F-6210071F45F5} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {289E453F-F13E-1FCF-F23D-36033ADA6AF5} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {32679D35-DE5A-5428-B52A-70192FDA96CC} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {37F348ED-7CC9-4C99-DFA8-79EA29C95263} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {3C0A75AE-3B99-2913-6948-3B3B38128C47} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {43DF012C-0A11-7406-886C-09703BA2FBB4} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {44C39123-7897-4241-40EE-424E7BD53A86} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {521CB3E8-CFF5-0D09-5D1E-6BC105D43A62} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {591B573D-C434-6584-82D0-3E727255FB6C} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {5A465085-4701-3BCF-41DD-719C6CEF09AF} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {5B487ACA-3C02-2D47-5DAC-77A407C5CB74} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {5C1FB944-6A8C-7A8E-3A8A-1F601C649B85} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {5F9634F2-49CC-63DE-2975-5F7D4BFF9E28} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1111983517993
O16 - DPF: {64A7330B-334A-6245-20F2-34A71F925BD3} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {68F281B2-522F-495F-D958-57C856437BCE} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {6AC5A1EF-1B5F-4BBB-11A1-0C5339AFA8F7} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {6B231BD6-2ADE-36A5-0C77-220813F87A58} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {6DCA4C2A-4C7A-1F25-DE9E-22A36547FD66} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {70A2D654-8E6C-76E7-D1F6-26F866DC584B} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {72D89E1C-B406-7FE2-2CC4-3F7F30777242} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {A5DC33CE-214B-4C26-8596-8A45456C9EB8} - http://activex.micro...jects/ocget.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinn...ool/h2hpool.cab
O16 - DPF: {FE8400F2-C848-4379-989F-DF2ED39040BE} (Eyeball Instant Messaging Control) - http://www.rsvp.com....at/RSVPChat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4CC6D872-6655-4E8A-9094-15A8442422D4}: NameServer = 203.0.178.191
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

Advertisements


#2
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
You are running HijackThis from the Desktop; please create a new folder for it and move the program into the new folder

Please set your system to show
all files; please see here if you're unsure how to do this.

Press Control-Alt-Del to enter the Task Manager.

Click on the Processes tab and end the following processes:

C:\WINDOWS\system32\?ttrib.exe
Exit the Task Manager when finished.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com

O2 - BHO: (no name) - {0CA312AD-8739-ACE7-1A46-D03870329196} - C:\WINDOWS\system32\dkhs.dll
O2 - BHO: (no name) - {0FA312A4-874C-D8E3-1A32-DB38703C9190} - C:\WINDOWS\system32\dkhs.dll
O2 - BHO: (no name) - {0FA312AA-874F-AA91-1A3C-DA38734D91E6} - C:\WINDOWS\system32\dkhs.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\nsm73.dll
O2 - BHO: (no name) - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - (no file)

O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[bleep]ed.biz
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.traffic2cash.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)

O16 - DPF: {060D72CF-4C8B-6F07-3514-353D1D3FE9A5} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - http://activex.micro...jects/ocget.dll
O16 - DPF: {0A0E2096-0F28-4B51-37F8-092E69DBB3C1} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {0EB4E7D6-E50C-7F4B-C38F-173F2DA41C5D} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {137DB2F6-584C-6768-8597-6561645E1BC4} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {1440AA9A-1909-4767-8602-39BA71976B6F} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {16E9137A-C116-0E6D-D5B5-08AB60D1CAAA} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {1720CF29-C031-1A76-580C-1419404FF09F} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {1B314856-E33D-64F3-26E6-310E331A5273} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {1EE69867-2942-02A3-22D8-2C8D548CBC5A} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {23034BFC-00C3-74CC-170D-2E796DF101B4} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (GTDownloaderCtrl Class) - http://inst.c-wss.co...ml/gtdownlr.cab
O16 - DPF: {25E33A61-7703-12D4-934F-6210071F45F5} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {289E453F-F13E-1FCF-F23D-36033ADA6AF5} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {32679D35-DE5A-5428-B52A-70192FDA96CC} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {37F348ED-7CC9-4C99-DFA8-79EA29C95263} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {3C0A75AE-3B99-2913-6948-3B3B38128C47} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {43DF012C-0A11-7406-886C-09703BA2FBB4} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {44C39123-7897-4241-40EE-424E7BD53A86} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {521CB3E8-CFF5-0D09-5D1E-6BC105D43A62} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {591B573D-C434-6584-82D0-3E727255FB6C} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {5A465085-4701-3BCF-41DD-719C6CEF09AF} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {5B487ACA-3C02-2D47-5DAC-77A407C5CB74} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {5C1FB944-6A8C-7A8E-3A8A-1F601C649B85} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {5F9634F2-49CC-63DE-2975-5F7D4BFF9E28} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {64A7330B-334A-6245-20F2-34A71F925BD3} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {68F281B2-522F-495F-D958-57C856437BCE} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {6AC5A1EF-1B5F-4BBB-11A1-0C5339AFA8F7} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {6B231BD6-2ADE-36A5-0C77-220813F87A58} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {6DCA4C2A-4C7A-1F25-DE9E-22A36547FD66} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {70A2D654-8E6C-76E7-D1F6-26F866DC584B} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {72D89E1C-B406-7FE2-2CC4-3F7F30777242} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {A5DC33CE-214B-4C26-8596-8A45456C9EB8} - http://activex.micro...jects/ocget.dll
O16 - DPF: {FE8400F2-C848-4379-989F-DF2ED39040BE} (Eyeball Instant Messaging Control) - http://www.rsvp.com....at/RSVPChat.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)


Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.


Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\system32\?ttrib.exe
C:\WINDOWS\system32\dkhs.dll

Exit Explorer, and reboot as normal afterwards.


If you were unable to find any of the files then please follow these additional instructions:

Download Pocket Killbox and unzip it; save it to your Desktop.

Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.

The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.

Let the system reboot.

Post back a fresh HijackThis log and we will take another look.
  • 0

#3
smarlow816

smarlow816

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
I did what you said to do

Logfile of HijackThis v1.99.1
Scan saved at 4:40:52 AM, on 12/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\PCI Audio Applications\Bin\EchoCtrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Slawdog\Smart Shutdown\Smart Shutdown.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gu.edu.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [C-Media Echo Control] C:\Program Files\PCI Audio Applications\Bin\EchoCtrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Smart Shutdown.lnk = C:\Program Files\Slawdog\Smart Shutdown\Smart Shutdown.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (GTDownloaderCtrl Class) - http://inst.c-wss.co...ml/gtdownlr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1111983517993
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinn...ool/h2hpool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4CC6D872-6655-4E8A-9094-15A8442422D4}: NameServer = 203.0.178.191
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#4
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Please download CleanUp!. Don't run it yet.

Please disable winpatrol for now.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - Global Startup: Smart Shutdown.lnk = C:\Program Files\Slawdog\Smart Shutdown\Smart Shutdown.exe

O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (GTDownloaderCtrl Class) - http://inst.c-wss.co...ml/gtdownlr.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinn...ool/h2hpool.cab


Run CleanUp! Reboot and post a new log. :tazz:
  • 0

#5
smarlow816

smarlow816

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Its all fixed now I don't have any of those programs coming up now. Thanx for everyones help.
  • 0

#6
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Please post one more log so we can see if you're clean. :tazz:
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP