Spyware/Adware/whatever it is



#1
davistad44

I've run Spybot S&D numerous times, as well as Microsoft Antispyware. Spybot continues to detect and "fix" Elitum.Elitebar, yet the problems continue. Every so often, I am attacked by IE pop-ups at the rate of about 30/minute. I've also had some program called Ceres pop up. I stopped using IE and started using Mozilla Firefox, yet IE pop-up windows continue.

Logfile of HijackThis v1.99.1
Scan saved at 1:23:48 PM, on 05/24/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\OfficeScan NT\ntrtscan.exe
C:\OfficeScan NT\OfcPfwSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\TEMP\NR7909.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Timbuktu Pro\tb2logon.exe
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe
C:\WINNT\system\hrnw.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\OFFICE2K\PFiles\MSOffice\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\unzipped\hijackthis\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://iqexpress.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://iqexpress.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ACS Desktop Solutions, Inc.
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINNT\system32\rsyncmon.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINNT\system32\nsf26C2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\tb2logon.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [C:\WINNT\VCMnet11.exe] C:\WINNT\VCMnet11.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [RSync] C:\WINNT\system32\netsync.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: ACS Custom Settings.LNK = C:\BUILD\SETTINGS.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://iqexpress.com
O15 - Trusted Zone: http://*.iqexpress.com
O15 - Trusted Zone: http://*.iqexpress.com (HKLM)
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://64.79.164.25:...va/cfs40320.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{712D5ED8-2F92-40F7-9CE2-55B827D4F2CD}: Domain = house.gov
O17 - HKLM\System\CCS\Services\Tcpip\..\{712D5ED8-2F92-40F7-9CE2-55B827D4F2CD}: NameServer = 137.18.128.33,143.231.249.194
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = house.gov
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = house.gov
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = house.gov
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\OfficeScan NT\OfcPfwSvc.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\OfficeScan NT\tmlisten.exe


#2
meeeeeeeeee

Hello there!

I'm sorry you've had such a long wait. If you still need help please post a fresh HijackThis log to this thread & I'll be right with you.

:tazz:

#3
davistad44

Logfile of HijackThis v1.99.1
Scan saved at 9:19:49 AM, on 05/31/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\OfficeScan NT\ntrtscan.exe
C:\OfficeScan NT\OfcPfwSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\TEMP\UW6C0.EXE
C:\Program Files\Timbuktu Pro\tb2logon.exe
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe
C:\WINNT\system\hrnw.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\OFFICE2K\PFiles\MSOffice\Office\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://iqexpress.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://iqexpress.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ACS Desktop Solutions, Inc.
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 66.180.173.39 www.google.ae www.google.am www.google.as www.google.at www.google.az www.google.be www.google.bi
O1 - Hosts: 66.180.173.39 www.google.ca www.google.cd www.google.cg www.google.ch www.google.ci www.google.cl www.google.co.cr
O1 - Hosts: 66.180.173.39 www.google.co.hu www.google.co.il www.google.co.in www.google.co.je www.google.co.jp www.google.co.ke www.google.co.kr
O1 - Hosts: 66.180.173.39 www.google.co.ls www.google.co.nz www.google.co.th www.google.co.ug www.google.co.uk www.google.co.ve www.google.com
O1 - Hosts: 66.180.173.39 www.google.com.ag www.google.com.ar www.google.com.au www.google.com.br www.google.com.co www.google.com.cu www.google.com.do
O1 - Hosts: 66.180.173.39 www.google.com.ec www.google.com.fj www.google.com.gi www.google.com.gr www.google.com.gt www.google.com.hk www.google.com.ly
O1 - Hosts: 66.180.173.39 www.google.com.mt www.google.com.mx www.google.com.my www.google.com.na www.google.com.nf www.google.com.ni www.google.com.np
O1 - Hosts: 66.180.173.39 www.google.com.pa www.google.com.pe www.google.com.ph www.google.com.pk www.google.com.pr www.google.com.py www.google.com.sa
O1 - Hosts: 66.180.173.39 www.google.com.sg www.google.com.sv www.google.com.tr www.google.com.tw www.google.com.ua www.google.com.uy www.google.com.vc
O1 - Hosts: 66.180.173.39 www.google.com.vn www.google.de www.google.dj www.google.dk www.google.es www.google.fi www.google.fm
O1 - Hosts: 66.180.173.39 www.google.fr www.google.gg www.google.gl www.google.gm www.google.hn www.google.ie www.google.it
O1 - Hosts: 66.180.173.39 www.google.kz www.google.li www.google.lt www.google.lu www.google.lv www.google.mn www.google.ms
O1 - Hosts: 66.180.173.39 www.google.mu www.google.mw www.google.nl www.google.no www.google.off.ai www.google.pl www.google.pn
O1 - Hosts: 66.180.173.39 www.google.pt www.google.ro www.google.ru www.google.rw www.google.se www.google.sh www.google.sk
O1 - Hosts: 66.180.173.39 www.google.sm www.google.td www.google.tm www.google.tt www.google.uz www.google.vg google.ae
O1 - Hosts: 66.180.173.39 google.am google.as google.at google.az google.be google.bi google.ca
O1 - Hosts: 66.180.173.39 google.cd google.cg google.ch google.ci google.cl google.co.cr google.co.hu
O1 - Hosts: 66.180.173.39 google.co.il google.co.in google.co.je google.co.jp google.co.ke google.co.kr google.co.ls
O1 - Hosts: 66.180.173.39 google.co.nz google.co.th google.co.ug google.co.uk google.co.ve google.com google.com.ag
O1 - Hosts: 66.180.173.39 google.com.ar google.com.au google.com.br google.com.co google.com.cu google.com.do google.com.ec
O1 - Hosts: 66.180.173.39 google.com.fj google.com.gi google.com.gr google.com.gt google.com.hk google.com.ly google.com.mt
O1 - Hosts: 66.180.173.39 google.com.mx google.com.my google.com.na google.com.nf google.com.ni google.com.np google.com.pa
O1 - Hosts: 66.180.173.39 google.com.pe google.com.ph google.com.pk google.com.pr google.com.py google.com.sa google.com.sg
O1 - Hosts: 66.180.173.39 google.com.sv google.com.tr google.com.tw google.com.ua google.com.uy google.com.vc google.com.vn
O1 - Hosts: 66.180.173.39 google.de google.dj google.dk google.es google.fi google.fm google.fr
O1 - Hosts: 66.180.173.39 google.gg google.gl google.gm google.hn google.ie google.it google.kz
O1 - Hosts: 66.180.173.39 google.li google.lt google.lu google.lv google.mn google.ms google.mu
O1 - Hosts: 66.180.173.39 google.mw google.nl google.no google.off.ai google.pl google.pn google.pt
O1 - Hosts: 66.180.173.39 google.ro google.ru google.rw google.se google.sh google.sk google.sm
O1 - Hosts: 66.180.173.39 google.td google.tm google.tt google.uz google.vg search.yahoo.com ar.search.yahoo.com
O1 - Hosts: 66.180.173.39 br.search.yahoo.com ca.search.yahoo.com cf.search.yahoo.com mx.search.yahoo.com espanol.search.yahoo.com au.search.yahoo.com ct.search.yahoo.com
O1 - Hosts: 66.180.173.39 fr.search.yahoo.com de.search.yahoo.com it.search.yahoo.com uk.search.yahoo.com search.msn.com search.msn.at search.sympatico.msn.ca
O1 - Hosts: 66.180.173.39 search.msn.co.za search.ninemsn.com.au search.xtramsn.co.nz search.msn.co.uk search.msn.be search.msn.dk search.msn.fi
O1 - Hosts: 66.180.173.39 search.msn.fr search.msn.de search.msn.it search.msn.nl search.msn.no search.msn.es uk.search.msn.com
O1 - Hosts: 66.180.173.39 search.msn.se search.msn.ch search.msn.co.in search.msn.com.sg toolbar.search.msn.com beta.search.msn.com beta.search.msn.at
O1 - Hosts: 66.180.173.39 beta.search.sympatico.msn.ca beta.search.msn.co.za beta.search.ninemsn.com.au beta.search.xtramsn.co.nz beta.search.msn.co.uk beta.search.msn.be beta.search.msn.dk
O1 - Hosts: 66.180.173.39 beta.search.msn.fi beta.search.msn.fr beta.search.msn.de beta.search.msn.it beta.search.msn.nl beta.search.msn.no beta.search.msn.es
O1 - Hosts: 66.180.173.39 beta.search.msn.se beta.search.msn.ch beta.search.msn.co.in beta.search.msn.com.sg auto.search.msn.com www.alexa.com alexa.com
O1 - Hosts: 66.180.173.39 www.google.ae www.google.am www.google.as www.google.at www.google.az www.google.be www.google.bi
O1 - Hosts: 66.180.173.39 www.google.ca www.google.cd www.google.cg www.google.ch www.google.ci www.google.cl www.google.co.cr
O1 - Hosts: 66.180.173.39 www.google.co.hu www.google.co.il www.google.co.in www.google.co.je www.google.co.jp www.google.co.ke www.google.co.kr
O1 - Hosts: 66.180.173.39 www.google.co.ls www.google.co.nz www.google.co.th www.google.co.ug www.google.co.uk www.google.co.ve www.google.com
O1 - Hosts: 66.180.173.39 www.google.com.ag www.google.com.ar www.google.com.au www.google.com.br www.google.com.co www.google.com.cu www.google.com.do
O1 - Hosts: 66.180.173.39 www.google.com.ec www.google.com.fj www.google.com.gi www.google.com.gr www.google.com.gt www.google.com.hk www.google.com.ly
O1 - Hosts: 66.180.173.39 www.google.com.mt www.google.com.mx www.google.com.my www.google.com.na www.google.com.nf www.google.com.ni www.google.com.np
O1 - Hosts: 66.180.173.39 www.google.com.pa www.google.com.pe www.google.com.ph www.google.com.pk www.google.com.pr www.google.com.py www.google.com.sa
O1 - Hosts: 66.180.173.39 www.google.com.sg www.google.com.sv www.google.com.tr www.google.com.tw www.google.com.ua www.google.com.uy www.google.com.vc
O1 - Hosts: 66.180.173.39 www.google.com.vn www.google.de www.google.dj www.google.dk www.google.es www.google.fi www.google.fm
O1 - Hosts: 66.180.173.39 www.google.fr www.google.gg www.google.gl www.google.gm www.google.hn www.google.ie www.google.it
O1 - Hosts: 66.180.173.39 www.google.kz www.google.li www.google.lt www.google.lu www.google.lv www.google.mn www.google.ms
O1 - Hosts: 66.180.173.39 www.google.mu www.google.mw www.google.nl www.google.no www.google.off.ai www.google.pl www.google.pn
O1 - Hosts: 66.180.173.39 www.google.pt www.google.ro www.google.ru www.google.rw www.google.se www.google.sh www.google.sk
O1 - Hosts: 66.180.173.39 www.google.sm www.google.td www.google.tm www.google.tt www.google.uz www.google.vg google.ae
O1 - Hosts: 66.180.173.39 google.am google.as google.at google.az google.be google.bi google.ca
O1 - Hosts: 66.180.173.39 google.cd google.cg google.ch google.ci google.cl google.co.cr google.co.hu
O1 - Hosts: 66.180.173.39 google.co.il google.co.in google.co.je google.co.jp google.co.ke google.co.kr google.co.ls
O1 - Hosts: 66.180.173.39 google.co.nz google.co.th google.co.ug google.co.uk google.co.ve google.com google.com.ag
O1 - Hosts: 66.180.173.39 google.com.ar google.com.au google.com.br google.com.co google.com.cu google.com.do google.com.ec
O1 - Hosts: 66.180.173.39 google.com.fj google.com.gi google.com.gr google.com.gt google.com.hk google.com.ly google.com.mt
O1 - Hosts: 66.180.173.39 google.com.mx google.com.my google.com.na google.com.nf google.com.ni google.com.np google.com.pa
O1 - Hosts: 66.180.173.39 google.com.pe google.com.ph google.com.pk google.com.pr google.com.py google.com.sa google.com.sg
O1 - Hosts: 66.180.173.39 google.com.sv google.com.tr google.com.tw google.com.ua google.com.uy google.com.vc google.com.vn
O1 - Hosts: 66.180.173.39 google.de google.dj google.dk google.es google.fi google.fm google.fr
O1 - Hosts: 66.180.173.39 google.gg google.gl google.gm google.hn google.ie google.it google.kz
O1 - Hosts: 66.180.173.39 google.li google.lt google.lu google.lv google.mn google.ms google.mu
O1 - Hosts: 66.180.173.39 google.mw google.nl google.no google.off.ai google.pl google.pn google.pt
O1 - Hosts: 66.180.173.39 google.ro google.ru google.rw google.se google.sh google.sk google.sm
O1 - Hosts: 66.180.173.39 google.td google.tm google.tt google.uz google.vg search.yahoo.com ar.search.yahoo.com
O1 - Hosts: 66.180.173.39 br.search.yahoo.com ca.search.yahoo.com cf.search.yahoo.com mx.search.yahoo.com espanol.search.yahoo.com au.search.yahoo.com ct.search.yahoo.com
O1 - Hosts: 66.180.173.39 fr.search.yahoo.com de.search.yahoo.com it.search.yahoo.com uk.search.yahoo.com search.msn.com search.msn.at search.sympatico.msn.ca
O1 - Hosts: 66.180.173.39 search.msn.co.za search.ninemsn.com.au search.xtramsn.co.nz search.msn.co.uk search.msn.be search.msn.dk search.msn.fi
O1 - Hosts: 66.180.173.39 search.msn.fr search.msn.de search.msn.it search.msn.nl search.msn.no search.msn.es uk.search.msn.com
O1 - Hosts: 66.180.173.39 search.msn.se search.msn.ch search.msn.co.in search.msn.com.sg toolbar.search.msn.com beta.search.msn.com beta.search.msn.at
O1 - Hosts: 66.180.173.39 beta.search.sympatico.msn.ca beta.search.msn.co.za beta.search.ninemsn.com.au beta.search.xtramsn.co.nz beta.search.msn.co.uk beta.search.msn.be beta.search.msn.dk
O1 - Hosts: 66.180.173.39 beta.search.msn.fi beta.search.msn.fr beta.search.msn.de beta.search.msn.it beta.search.msn.nl beta.search.msn.no beta.search.msn.es
O1 - Hosts: 66.180.173.39 beta.search.msn.se beta.search.msn.ch beta.search.msn.co.in beta.search.msn.com.sg auto.search.msn.com www.alexa.com alexa.com
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINNT\system32\rsyncmon.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINNT\system32\nsf26C2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\tb2logon.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [C:\WINNT\VCMnet11.exe] C:\WINNT\VCMnet11.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [RSync] C:\WINNT\system32\netsync.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: ACS Custom Settings.LNK = C:\BUILD\SETTINGS.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\System32\shdocvw.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://iqexpress.com
O15 - Trusted Zone: http://*.iqexpress.com
O15 - Trusted Zone: http://*.iqexpress.com (HKLM)
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://64.79.164.25:...va/cfs40320.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{712D5ED8-2F92-40F7-9CE2-55B827D4F2CD}: Domain = house.gov
O17 - HKLM\System\CCS\Services\Tcpip\..\{712D5ED8-2F92-40F7-9CE2-55B827D4F2CD}: NameServer = 137.18.128.33,143.231.249.194
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = house.gov
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = house.gov
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = house.gov
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\OfficeScan NT\OfcPfwSvc.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\OfficeScan NT\tmlisten.exe

#4
meeeeeeeeee

Well that's one interesting log. Let's get to it!

Let's make sure all hidden files are visible. Use this link for information on how to do this: http://www.xtra.co.n...1916458,00.html

Please go to Add/Remove programs and uninstall the following if found:

Windows AFA Internet Enhancement



Please select the following with HijackThis. With all windows (including this one!) closed, please select "fix."


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 66.180.173.39 www.google.ae www.google.am www.google.as www.google.at www.google.az www.google.be www.google.bi
O1 - Hosts: 66.180.173.39 www.google.ca www.google.cd www.google.cg www.google.ch www.google.ci www.google.cl www.google.co.cr
O1 - Hosts: 66.180.173.39 www.google.co.hu www.google.co.il www.google.co.in www.google.co.je www.google.co.jp www.google.co.ke www.google.co.kr
O1 - Hosts: 66.180.173.39 www.google.co.ls www.google.co.nz www.google.co.th www.google.co.ug www.google.co.uk www.google.co.ve www.google.com
O1 - Hosts: 66.180.173.39 www.google.com.ag www.google.com.ar www.google.com.au www.google.com.br www.google.com.co www.google.com.cu www.google.com.do
O1 - Hosts: 66.180.173.39 www.google.com.ec www.google.com.fj www.google.com.gi www.google.com.gr www.google.com.gt www.google.com.hk www.google.com.ly
O1 - Hosts: 66.180.173.39 www.google.com.mt www.google.com.mx www.google.com.my www.google.com.na www.google.com.nf www.google.com.ni www.google.com.np
O1 - Hosts: 66.180.173.39 www.google.com.pa www.google.com.pe www.google.com.ph www.google.com.pk www.google.com.pr www.google.com.py www.google.com.sa
O1 - Hosts: 66.180.173.39 www.google.com.sg www.google.com.sv www.google.com.tr www.google.com.tw www.google.com.ua www.google.com.uy www.google.com.vc
O1 - Hosts: 66.180.173.39 www.google.com.vn www.google.de www.google.dj www.google.dk www.google.es www.google.fi www.google.fm
O1 - Hosts: 66.180.173.39 www.google.fr www.google.gg www.google.gl www.google.gm www.google.hn www.google.ie www.google.it
O1 - Hosts: 66.180.173.39 www.google.kz www.google.li www.google.lt www.google.lu www.google.lv www.google.mn www.google.ms
O1 - Hosts: 66.180.173.39 www.google.mu www.google.mw www.google.nl www.google.no www.google.off.ai www.google.pl www.google.pn
O1 - Hosts: 66.180.173.39 www.google.pt www.google.ro www.google.ru www.google.rw www.google.se www.google.sh www.google.sk
O1 - Hosts: 66.180.173.39 www.google.sm www.google.td www.google.tm www.google.tt www.google.uz www.google.vg google.ae
O1 - Hosts: 66.180.173.39 google.am google.as google.at google.az google.be google.bi google.ca
O1 - Hosts: 66.180.173.39 google.cd google.cg google.ch google.ci google.cl google.co.cr google.co.hu
O1 - Hosts: 66.180.173.39 google.co.il google.co.in google.co.je google.co.jp google.co.ke google.co.kr google.co.ls
O1 - Hosts: 66.180.173.39 google.co.nz google.co.th google.co.ug google.co.uk google.co.ve google.com google.com.ag
O1 - Hosts: 66.180.173.39 google.com.ar google.com.au google.com.br google.com.co google.com.cu google.com.do google.com.ec
O1 - Hosts: 66.180.173.39 google.com.fj google.com.gi google.com.gr google.com.gt google.com.hk google.com.ly google.com.mt
O1 - Hosts: 66.180.173.39 google.com.mx google.com.my google.com.na google.com.nf google.com.ni google.com.np google.com.pa
O1 - Hosts: 66.180.173.39 google.com.pe google.com.ph google.com.pk google.com.pr google.com.py google.com.sa google.com.sg
O1 - Hosts: 66.180.173.39 google.com.sv google.com.tr google.com.tw google.com.ua google.com.uy google.com.vc google.com.vn
O1 - Hosts: 66.180.173.39 google.de google.dj google.dk google.es google.fi google.fm google.fr
O1 - Hosts: 66.180.173.39 google.gg google.gl google.gm google.hn google.ie google.it google.kz
O1 - Hosts: 66.180.173.39 google.li google.lt google.lu google.lv google.mn google.ms google.mu
O1 - Hosts: 66.180.173.39 google.mw google.nl google.no google.off.ai google.pl google.pn google.pt
O1 - Hosts: 66.180.173.39 google.ro google.ru google.rw google.se google.sh google.sk google.sm
O1 - Hosts: 66.180.173.39 google.td google.tm google.tt google.uz google.vg search.yahoo.com ar.search.yahoo.com
O1 - Hosts: 66.180.173.39 br.search.yahoo.com ca.search.yahoo.com cf.search.yahoo.com mx.search.yahoo.com espanol.search.yahoo.com au.search.yahoo.com ct.search.yahoo.com
O1 - Hosts: 66.180.173.39 fr.search.yahoo.com de.search.yahoo.com it.search.yahoo.com uk.search.yahoo.com search.msn.com search.msn.at search.sympatico.msn.ca
O1 - Hosts: 66.180.173.39 search.msn.co.za search.ninemsn.com.au search.xtramsn.co.nz search.msn.co.uk search.msn.be search.msn.dk search.msn.fi
O1 - Hosts: 66.180.173.39 search.msn.fr search.msn.de search.msn.it search.msn.nl search.msn.no search.msn.es uk.search.msn.com
O1 - Hosts: 66.180.173.39 search.msn.se search.msn.ch search.msn.co.in search.msn.com.sg toolbar.search.msn.com beta.search.msn.com beta.search.msn.at
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINNT\system32\rsyncmon.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINNT\system32\nsf26C2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [C:\WINNT\VCMnet11.exe] C:\WINNT\VCMnet11.exe
O4 - HKLM\..\Run: [RSync] C:\WINNT\system32\netsync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present





Then find and delete the following:

C:\WINNT\system32\netsync.exe << This file
C:\WINNT\VCMnet11.exe << This file
C:\WINNT\cfgmgr52.dll << This file


Let's empty the temp files:

Download CCleaner and install it. (default location is best).
Select the Windows tab and run CCleaner (click Run Cleaner (bottom right), then, when it finishes scanning, click Exit).
When you see "Complete" on the top line, it's done. It's very fast.

I recommend that you DO NOT run anything under the Issues Tab and the Applications Tab. To prevent accidentally running the Issues and Applications tabs, clear all check boxes under them.

Then reboot and post a fresh HijackThis log. Also, I would like to see a SilentRunners log. Follow the instructions here: http://www.silentrun..._scriptuse.html


:tazz:

#5
davistad44 (Member, Topic Starter)
I'm not finished yet, but I searched for cfgmgr52.dll and couldn't find anything. I found a folder called cfgmgr52 and also found a file called cfgmgr52.ini.

#6
davistad44 (Member, Topic Starter)
New HJT Log...

Logfile of HijackThis v1.99.1
Scan saved at 1:43:29 PM, on 05/31/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\OfficeScan NT\ntrtscan.exe
C:\OfficeScan NT\OfcPfwSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\TEMP\RWF03E.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Timbuktu Pro\tb2logon.exe
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://iqexpress.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://iqexpress.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ACS Desktop Solutions, Inc.
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\tb2logon.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: ACS Custom Settings.LNK = C:\BUILD\SETTINGS.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\System32\shdocvw.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://iqexpress.com
O15 - Trusted Zone: http://*.iqexpress.com
O15 - Trusted Zone: http://*.iqexpress.com (HKLM)
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://64.79.164.25:...va/cfs40320.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{712D5ED8-2F92-40F7-9CE2-55B827D4F2CD}: Domain = house.gov
O17 - HKLM\System\CCS\Services\Tcpip\..\{712D5ED8-2F92-40F7-9CE2-55B827D4F2CD}: NameServer = 137.18.128.33,143.231.249.194
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = house.gov
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = house.gov
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = house.gov
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\OfficeScan NT\OfcPfwSvc.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\OfficeScan NT\tmlisten.exe

#7
davistad44 (Member, Topic Starter)
"Silent Runners.vbs", revision 37, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [file not found]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"AIM" = "C:\PROGRA~1\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" [MS]
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"TLogonPath" = ""C:\Program Files\Timbuktu Pro\tb2logon.exe"" ["Netopia, Inc."]
"OfficeScanNT Monitor" = ""C:\OfficeScan NT\pccntmon.exe" -HideWindow" ["Trend Micro Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"SSBkgdUpdate" = ""C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot" ["Scansoft, Inc."]
"PaperPort PTD" = "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" ["ScanSoft, Inc."]
"IndexSearch" = "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" ["ScanSoft, Inc."]
"OpwareSE2" = ""C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"" ["ScanSoft, Inc."]
"WeirdOnTheWeb" = ""C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"" [null data]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {CLSID}\InProcServer32\(Default) = "C:\OFFICE2K\PFiles\MSOffice\Office\1033\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\OFFICE2K\PFiles\MSOffice\Office\OLKFSTUB.DLL" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\msohev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{AF4F7471-FCFB-11d0-80B6-0080C838D5F9}" = "OfficeScan NT"
-> {CLSID}\InProcServer32\(Default) = "C:\OfficeScan NT\tmdshell.dll" ["Trend Micro Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


Enabled Active Desktop and Wallpaper:
-------------------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\edavis\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"

#8
meeeeeeeeee (Visiting Staff)
Your logs look great! How's it acting?

#9
davistad44 (Member, Topic Starter)
No problems so far... What is Weird on the Web? I've been trying to delete it as well, but it won't let me.

#10
meeeeeeeeee (Visiting Staff)
I haven't seen anything to verify that it's bad, but if you didn't put it there then it should go. Let's do this:

1) Try to remove this via Add/Remove programs.

2) If that doesn't work then let's get rid of its files. Locate C:\Program Files\WeirdOnTheWeb\ and delete it. You may have the best success doing this from safe mode.

3) Fix the following line with HijackThis:
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"

4) Reboot & post a fresh HJT log & let me know how it went. There are sterner measures we can take if need be.

:tazz:

Edited by meeeeeeeeee, 31 May 2005 - 02:38 PM.


#11
davistad44 (Member, Topic Starter)
It worked using HJT. I'd tried your first two suggestions before. After using HJT, it came right off. Here's the new log:

Logfile of HijackThis v1.99.1
Scan saved at 4:02:43 PM, on 05/31/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\OfficeScan NT\ntrtscan.exe
C:\OfficeScan NT\OfcPfwSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\TEMP\KFB801.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Timbuktu Pro\tb2logon.exe
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://iqexpress.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://iqexpress.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ACS Desktop Solutions, Inc.
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\tb2logon.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: ACS Custom Settings.LNK = C:\BUILD\SETTINGS.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\System32\shdocvw.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://iqexpress.com
O15 - Trusted Zone: http://*.iqexpress.com
O15 - Trusted Zone: http://*.iqexpress.com (HKLM)
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://64.79.164.25:...va/cfs40320.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{712D5ED8-2F92-40F7-9CE2-55B827D4F2CD}: Domain = house.gov
O17 - HKLM\System\CCS\Services\Tcpip\..\{712D5ED8-2F92-40F7-9CE2-55B827D4F2CD}: NameServer = 137.18.128.33,143.231.249.194
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = house.gov
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = house.gov
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = house.gov
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\OfficeScan NT\OfcPfwSvc.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\OfficeScan NT\tmlisten.exe

#12
meeeeeeeeee (Visiting Staff)
I see something running from the temp files again. Let's run CCleaner one more time, then reboot & post a fresh log.

#13
davistad44 (Member, Topic Starter)
Logfile of HijackThis v1.99.1
Scan saved at 4:24:16 PM, on 05/31/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\OfficeScan NT\ntrtscan.exe
C:\OfficeScan NT\OfcPfwSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\OfficeScan NT\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\TEMP\BFDEB5.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Timbuktu Pro\tb2logon.exe
C:\OfficeScan NT\pccntmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://iqexpress.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://iqexpress.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ACS Desktop Solutions, Inc.
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\tb2logon.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: ACS Custom Settings.LNK = C:\BUILD\SETTINGS.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\System32\shdocvw.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://iqexpress.com
O15 - Trusted Zone: http://*.iqexpress.com
O15 - Trusted Zone: http://*.iqexpress.com (HKLM)
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://64.79.164.25:...va/cfs40320.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{712D5ED8-2F92-40F7-9CE2-55B827D4F2CD}: Domain = house.gov
O17 - HKLM\System\CCS\Services\Tcpip\..\{712D5ED8-2F92-40F7-9CE2-55B827D4F2CD}: NameServer = 137.18.128.33,143.231.249.194
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = house.gov
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = house.gov
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = house.gov
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\OfficeScan NT\OfcPfwSvc.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\OfficeScan NT\tmlisten.exe

#14
meeeeeeeeee (Visiting Staff)
There's still something running from the temp files. There shouldn't be, in most cases.

Please run this pc through the Panda Scan Online virus scanner. Save the log it gives you and post it here. Let's see what that finds.

:tazz:
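
The check applied by eye in posts #12 and #14 (a process image running from a temp directory), written out as an added Python example that is not part of the thread: it extracts the "Running processes" section of each HijackThis log and reports temp directories whose executable carries a different name in every scan. The function names are assumptions of this sketch; the sample sections are trimmed excerpts of the four logs posted in this thread.

```python
import ntpath
import re

# "Running processes" excerpts (trimmed) from the four HijackThis logs in this
# thread, keyed by scan time. Only a few lines of each log are reproduced.
SCANS = {
    "05/24/2005 1:23:48 PM": r"""Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\TEMP\NR7909.EXE
C:\WINNT\Explorer.EXE
""",
    "05/31/2005 1:43:29 PM": r"""Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\TEMP\RWF03E.EXE
C:\WINNT\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://iqexpress.com
""",
    "05/31/2005 4:02:43 PM": r"""Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\TEMP\KFB801.EXE
C:\WINNT\Explorer.EXE
""",
    "05/31/2005 4:24:16 PM": r"""Running processes:
C:\WINNT\system32\svchost.exe
C:\WINNT\TEMP\BFDEB5.EXE
C:\WINNT\Explorer.EXE
""",
}

# A directory component named Temp or Tmp, in any letter case.
TEMP_COMPONENT = re.compile(r"^(temp|tmp)$", re.IGNORECASE)


def running_processes(log):
    """Return the image paths listed under 'Running processes:' in one log."""
    paths, in_section = [], False
    for line in log.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes"):
            in_section = True
        elif in_section:
            if not line:  # the section ends at the first blank line
                break
            paths.append(line)
    return paths


def runs_from_temp(path):
    """True when any directory component of the path is named Temp or Tmp."""
    directory = ntpath.dirname(path)
    return any(TEMP_COMPONENT.match(part) for part in directory.split("\\"))


def temp_processes(log):
    """Running processes in one log whose image sits in a temp directory."""
    return [p for p in running_processes(log) if runs_from_temp(p)]


def rotating_temp_images(scans):
    """Collect temp-directory image names per directory, in scan order, and
    keep the directories where no name repeats from one scan to another."""
    by_dir = {}
    for log in scans.values():
        for path in temp_processes(log):
            key = ntpath.dirname(path).lower()
            by_dir.setdefault(key, []).append(ntpath.basename(path))
    return {
        directory: names
        for directory, names in by_dir.items()
        if len(names) > 1 and len({n.lower() for n in names}) == len(names)
    }


if __name__ == "__main__":
    for when, log in SCANS.items():
        print(when, "->", temp_processes(log))
    print("renamed in every scan:", rotating_temp_images(SCANS))
```

In this thread the name differs in all four scans, which suggests the file is recreated at startup, so emptying the temp folder alone does not clear it.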

#15
davistad44 (Member, Topic Starter)
I'm not at the infected computer today...I'll take care of it tomorrow. Thanks for your help.