Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

http://www.searchforit.com/searchbar


  • Please log in to reply

#1
jackio

jackio

    New Member

  • Member
  • Pip
  • 1 posts
Help!!! My mom-in-law's computer is a nightmare. She evidently didn't know NOT to to click on everything that popped up in front of her. Anyway, I tried to get through most of what was asked before posting but there is so much spyware on this thing, I can't get done with some of it. Here is the HJT log. Can you help me? Thanks!!!




Logfile of HijackThis v1.99.1
Scan saved at 9:30:46 PM, on 6/9/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\fxssvc.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tp4serv.exe
C:\WINNT\System32\ltcm000c.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\System32\RunDll32.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\WINNT\System32\sky.exe
C:\sory.exe
C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbWeatherOnTray.exe
C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbOEAddOn.exe
C:\PROGRA~1\SPAMBL~1\Bin\461~1.0\SBInst.exe
C:\WINNT\System32\msxct.exe
C:\WINNT\System32\exp.exe
C:\WINNT\System32\wintask.exe
C:\WINNT\System32\RUNDLL32.exe
C:\program files\tvs\tvs_b.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINNT\System32\umppkk.exe
C:\WINNT\System32\dpwtray.exe
C:\WINNT\System32\rundll32.exe
C:\WINNT\System32\rundll32.exe
C:\WINNT\System32\nsvsvc\nsvsvc.exe
C:\WINNT\System32\picsvr\picsvr.exe
C:\WINNT\system\ijskk.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ebah\shac.exe
C:\WINNT\System32\j?vaw.exe
C:\WINNT\sfita.exe
C:\PROGRA~1\COMMON~1\uqfo\uqfom.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe
C:\PROGRA~1\COMMON~1\uqfo\uqfoa.exe
C:\WINNT\System32\beta.exe
C:\WINNT\System32\wbem\wmiapsrv.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spyware Removal Tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchforit.com/searchbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchforit.com/searchbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchforit.com/searchbar
R1 - HKLM\Software\Microsoft\Internet Explorer\M
ain,Search Page = http://www.searchforit.com/searchbar
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchforit.com/searchbar
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchforit.com/searchbar
O2 - BHO: Replace Search Ctl - {832BEBED-C3DA-4534-A2C2-B2FFF220C820} - C:\WINNT\System32\replaceSearch.dll
O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINNT\System32\stlb2.dll
O3 - Toolbar: searchforit - {C109664B-CEB1-420b-B353-D55A561536DD} - C:\WINNT\System32\SYSsfitb.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [\\Villani-ivadx0x\EPSON Stylus C84 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P41 "\\Villani-ivadx0x\EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [Auto EPSON Stylus C84 Series on Villani-ivadx0x] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P47 "Auto EPSON Stylus C84 Series on Villani-ivadx0x" /O25 "\\VILLANI-IVADX0X\Printer" /M "Stylus C84"
O4 - HKLM\..\Run: [WINDOWS SKY] sky.exe
O4 - HKLM\..\Run: [REGRUN] C:\sory.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbWeatherOnTray.exe
O4 - HKLM\..\Run: [SpamBlocker] C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbOEAddOn.exe
O4 - HKLM\..\Run: [Spam Blocker for Outlook Express] C:\PROGRA~1\SPAMBL~1\Bin\461~1.0\SBInst.exe
O4 - HKLM\..\Run: [sxyfcxxz] C:\WINNT\System32\eklteabp.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINNT\System32\gah95on6.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [PS1] C:\WINNT\System32\ps1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\System32\wintask.exe
O4 - HKLM\..\Run: [vrnwwe] c:\winnt\system32\vrnwwe.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [FlaCPY] "C:\Program Files\Common Files\Java\flacpy.exe"
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteart32.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\System32\umppkk.exe reg_run
O4 - HKLM\..\Run: [C:\WINNT\VCMnet11.exe] C:\WINNT\VCMnet11.exe
O4 - HKLM\..\Run: [regsync] C:\WINNT\System32\regsync.exe
O4 - HKLM\..\Run: [o23U36T] dpwtray.exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [tsvcin] C:\WINNT\system32\n20050308.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINNT\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINNT\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [WINDOWS SYSTEM] beta.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\RunServices: [WINDOWS SKY] sky.exe
O4 - HKLM\..\RunServices: [WINDOWS SYSTEM] beta.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Lmbt] C:\Program Files\ebah\shac.exe
O4 - HKCU\..\Run: [Frbcy] C:\WINNT\System32\j?vaw.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [sfita] C:\WINNT\sfita.exe
O4 - HKCU\..\Run: [usrsen] C:\WINNT\System32\usrsen.exe
O4 - HKCU\..\Run: [uqfo] C:\PROGRA~1\COMMON~1\uqfo\uqfom.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: Belkin 802.11g Wireless Card Utility.lnk = C:\Program Files\Belkin\Belkin 802.11g Wireless Card Configuration Utility\utility.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll (file missing)
O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-4a96-8D08-02B42891C169} - C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c5.cab
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupd...ll/aun_0035.exe
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.c...rt/IbmEgath.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (SbInstObj) - http://installs.spam...ckerutility.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia...ll/pcs_0026.exe
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rCabInstall.cab
O20 - Winlogon Notify: Control Panel - C:\WINNT\system32\j64olgh3164.dll
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
O23 - Service: ZESOFT - Unknown owner - C:\WINNT\zeta.exe (file missing)
  • 0

Advertisements


#2
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
Do you still need help?

Could you send me a copy of this file please?
C:\WINDOWS\SYSTEM\REPLACESEARCH.DLL

I am researching that one and found your log when I did a forum search.

Please send it (preferably zipped) to pieterATwilderssecurity.org (replace AT with @)

And post a current HijackThis log.

Regards,
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP