Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Spyware programs

Started by smarlow816 , May 10 2005 01:48 AM

Please log in to reply

#1
smarlow816

Posted 10 May 2005 - 01:48 AM

New Member

Member
4 posts

I have all these programs on my computer that no matter how many times I delete them they always come back. The names are build3.exe, protect.exe, efvefe.exe, efefe.exe, pro2.exe, and ?ttrib.exe. I have run Adaware, Spybot, and AVG, nothing seems to work. Each time they seem to come back in a different spot.

Here is my HijackThis log file.
Logfile of HijackThis v1.99.1
Scan saved at 5:46:18 PM, on 10/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\PCI Audio Applications\Bin\EchoCtrl.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Slawdog\Smart Shutdown\Smart Shutdown.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\B50137176\build3.exe
C:\WINDOWS\system32\?ttrib.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\efvefefe.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\efefe.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\B50137176\build3.exe
C:\Program Files\Opera\opera.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0CA312AD-8739-ACE7-1A46-D03870329196} - C:\WINDOWS\system32\dkhs.dll
O2 - BHO: (no name) - {0FA312A4-874C-D8E3-1A32-DB38703C9190} - C:\WINDOWS\system32\dkhs.dll
O2 - BHO: (no name) - {0FA312AA-874F-AA91-1A3C-DA38734D91E6} - C:\WINDOWS\system32\dkhs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\nsm73.dll
O2 - BHO: (no name) - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [C-Media Echo Control] C:\Program Files\PCI Audio Applications\Bin\EchoCtrl.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Smart Shutdown.lnk = C:\Program Files\Slawdog\Smart Shutdown\Smart Shutdown.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[bleep]ed.biz
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.traffic2cash.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {060D72CF-4C8B-6F07-3514-353D1D3FE9A5} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - http://activex.micro...jects/ocget.dll
O16 - DPF: {0A0E2096-0F28-4B51-37F8-092E69DBB3C1} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {0EB4E7D6-E50C-7F4B-C38F-173F2DA41C5D} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {137DB2F6-584C-6768-8597-6561645E1BC4} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {1440AA9A-1909-4767-8602-39BA71976B6F} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {16E9137A-C116-0E6D-D5B5-08AB60D1CAAA} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {1720CF29-C031-1A76-580C-1419404FF09F} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {1B314856-E33D-64F3-26E6-310E331A5273} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {1EE69867-2942-02A3-22D8-2C8D548CBC5A} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {23034BFC-00C3-74CC-170D-2E796DF101B4} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (GTDownloaderCtrl Class) - http://inst.c-wss.co...ml/gtdownlr.cab
O16 - DPF: {25E33A61-7703-12D4-934F-6210071F45F5} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {289E453F-F13E-1FCF-F23D-36033ADA6AF5} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {32679D35-DE5A-5428-B52A-70192FDA96CC} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {37F348ED-7CC9-4C99-DFA8-79EA29C95263} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {3C0A75AE-3B99-2913-6948-3B3B38128C47} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {43DF012C-0A11-7406-886C-09703BA2FBB4} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {44C39123-7897-4241-40EE-424E7BD53A86} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {521CB3E8-CFF5-0D09-5D1E-6BC105D43A62} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {591B573D-C434-6584-82D0-3E727255FB6C} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {5A465085-4701-3BCF-41DD-719C6CEF09AF} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {5B487ACA-3C02-2D47-5DAC-77A407C5CB74} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {5C1FB944-6A8C-7A8E-3A8A-1F601C649B85} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {5F9634F2-49CC-63DE-2975-5F7D4BFF9E28} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1111983517993
O16 - DPF: {64A7330B-334A-6245-20F2-34A71F925BD3} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {68F281B2-522F-495F-D958-57C856437BCE} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {6AC5A1EF-1B5F-4BBB-11A1-0C5339AFA8F7} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {6B231BD6-2ADE-36A5-0C77-220813F87A58} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {6DCA4C2A-4C7A-1F25-DE9E-22A36547FD66} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {70A2D654-8E6C-76E7-D1F6-26F866DC584B} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {72D89E1C-B406-7FE2-2CC4-3F7F30777242} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {A5DC33CE-214B-4C26-8596-8A45456C9EB8} - http://activex.micro...jects/ocget.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinn...ool/h2hpool.cab
O16 - DPF: {FE8400F2-C848-4379-989F-DF2ED39040BE} (Eyeball Instant Messaging Control) - http://www.rsvp.com....at/RSVPChat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4CC6D872-6655-4E8A-9094-15A8442422D4}: NameServer = 203.0.178.191
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#2
coachwife6

Posted 10 May 2005 - 03:39 AM

SuperStar

Retired Staff
11,413 posts

You are running HijackThis from the Desktop; please create a new folder for it and move the program into the new folder

Please set your system to show
all files; please see here if you're unsure how to do this.

Press Control-Alt-Del to enter the Task Manager.

Click on the Processes tab and end the following processes:

C:\WINDOWS\system32\?ttrib.exe
Exit the Task Manager when finished.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com

O2 - BHO: (no name) - {0CA312AD-8739-ACE7-1A46-D03870329196} - C:\WINDOWS\system32\dkhs.dll
O2 - BHO: (no name) - {0FA312A4-874C-D8E3-1A32-DB38703C9190} - C:\WINDOWS\system32\dkhs.dll
O2 - BHO: (no name) - {0FA312AA-874F-AA91-1A3C-DA38734D91E6} - C:\WINDOWS\system32\dkhs.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\nsm73.dll
O2 - BHO: (no name) - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - (no file)

O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[bleep]ed.biz
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.traffic2cash.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)

O16 - DPF: {060D72CF-4C8B-6F07-3514-353D1D3FE9A5} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - http://activex.micro...jects/ocget.dll
O16 - DPF: {0A0E2096-0F28-4B51-37F8-092E69DBB3C1} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {0EB4E7D6-E50C-7F4B-C38F-173F2DA41C5D} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {137DB2F6-584C-6768-8597-6561645E1BC4} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {1440AA9A-1909-4767-8602-39BA71976B6F} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {16E9137A-C116-0E6D-D5B5-08AB60D1CAAA} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {1720CF29-C031-1A76-580C-1419404FF09F} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {1B314856-E33D-64F3-26E6-310E331A5273} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {1EE69867-2942-02A3-22D8-2C8D548CBC5A} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {23034BFC-00C3-74CC-170D-2E796DF101B4} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (GTDownloaderCtrl Class) - http://inst.c-wss.co...ml/gtdownlr.cab
O16 - DPF: {25E33A61-7703-12D4-934F-6210071F45F5} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {289E453F-F13E-1FCF-F23D-36033ADA6AF5} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {32679D35-DE5A-5428-B52A-70192FDA96CC} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {37F348ED-7CC9-4C99-DFA8-79EA29C95263} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {3C0A75AE-3B99-2913-6948-3B3B38128C47} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {43DF012C-0A11-7406-886C-09703BA2FBB4} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {44C39123-7897-4241-40EE-424E7BD53A86} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {521CB3E8-CFF5-0D09-5D1E-6BC105D43A62} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {591B573D-C434-6584-82D0-3E727255FB6C} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {5A465085-4701-3BCF-41DD-719C6CEF09AF} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {5B487ACA-3C02-2D47-5DAC-77A407C5CB74} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {5C1FB944-6A8C-7A8E-3A8A-1F601C649B85} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {5F9634F2-49CC-63DE-2975-5F7D4BFF9E28} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {64A7330B-334A-6245-20F2-34A71F925BD3} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {68F281B2-522F-495F-D958-57C856437BCE} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {6AC5A1EF-1B5F-4BBB-11A1-0C5339AFA8F7} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {6B231BD6-2ADE-36A5-0C77-220813F87A58} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {6DCA4C2A-4C7A-1F25-DE9E-22A36547FD66} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {70A2D654-8E6C-76E7-D1F6-26F866DC584B} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {72D89E1C-B406-7FE2-2CC4-3F7F30777242} - http://67.19.178.86/1/rdgAU1742.exe
O16 - DPF: {A5DC33CE-214B-4C26-8596-8A45456C9EB8} - http://activex.micro...jects/ocget.dll
O16 - DPF: {FE8400F2-C848-4379-989F-DF2ED39040BE} (Eyeball Instant Messaging Control) - http://www.rsvp.com....at/RSVPChat.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)

Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\system32\?ttrib.exe
C:\WINDOWS\system32\dkhs.dll

Exit Explorer, and reboot as normal afterwards.

If you were unable to find any of the files then please follow these additional instructions:

Download Pocket Killbox and unzip it; save it to your Desktop.

Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.

The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.

Let the system reboot.

Post back a fresh HijackThis log and we will take another look.

#3
smarlow816

Posted 11 May 2005 - 12:42 PM

New Member

Topic Starter
Member
4 posts

I did what you said to do

Logfile of HijackThis v1.99.1
Scan saved at 4:40:52 AM, on 12/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\PCI Audio Applications\Bin\EchoCtrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Slawdog\Smart Shutdown\Smart Shutdown.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gu.edu.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [C-Media Echo Control] C:\Program Files\PCI Audio Applications\Bin\EchoCtrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Smart Shutdown.lnk = C:\Program Files\Slawdog\Smart Shutdown\Smart Shutdown.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (GTDownloaderCtrl Class) - http://inst.c-wss.co...ml/gtdownlr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1111983517993
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinn...ool/h2hpool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4CC6D872-6655-4E8A-9094-15A8442422D4}: NameServer = 203.0.178.191
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#4
coachwife6

Posted 12 May 2005 - 02:22 AM

SuperStar

Retired Staff
11,413 posts

Please download CleanUp!. Don't run it yet.

Please disable winpatrol for now.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - Global Startup: Smart Shutdown.lnk = C:\Program Files\Slawdog\Smart Shutdown\Smart Shutdown.exe

O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (GTDownloaderCtrl Class) - http://inst.c-wss.co...ml/gtdownlr.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinn...ool/h2hpool.cab

Run CleanUp! Reboot and post a new log. :tazz: