Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

yoursearcher got me!


  • Please log in to reply

#1
knihc2008

knihc2008

    Member

  • Member
  • PipPip
  • 25 posts
hi guys. i can't seem to shake this yoursearcher thing even after ad-aware, pestpatrol and reading some couple threads about it. <_< help please? i read the pinups and i have no idea what to do with the hijackthis logs... i'll just put it here for now and admins tell me if it's in the wrong place or something. thanks a LOT!

Logfile of HijackThis v1.97.7
Scan saved at 6:44:21 PM, on 11/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
D:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\192399.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\getdns.exe
D:\Program Files\Kazaa Lite K++\KazaaLite.kpp
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.sony.com/vaiopeople
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C84 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P32 "EPSON Stylus C84 Series (Copy 1)" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [WG511WLU] D:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ivgasbu] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [nyjyojn] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [gmyliij] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [vwxsoqp] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [cpfjuhy] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [doegysc] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [qmvykuo] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [aipsajo] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [ywredqg] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [bqjlrot] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [gqwjkao] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [mbrheuu] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [fivgfdy] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [pvjjeix] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [snbuoov] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [qooddwy] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [maxuwfj] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [gmioepi] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [xwtrtcn] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [logdejm] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [rexlghy] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [kmmjvkx] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [woncrjp] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [kllpyia] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [svyjlqc] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [fivaaxe] c:\windows\xadvfci.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = D:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: 192399.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v.../xb_include.htm
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {59F156FC-9BC4-11D5-B0A5-0060085A719D} (Opalplayerx5 Control) - ftp://ftp.ca.com/pub/Opal/plugins/x_plugin/opalplayerx5.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupd...7899.6889583333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
  • 0

Advertisements


#2
admin

admin

    Founder Geek

  • Administrator
  • 24,504 posts
Welcome to Geeks to Go. You have a number of randomonly named files on your system. We like to start with an online virus and trojan scan. Even though you have antivirus software on your system, it can become corrupted by malware.

Please run a free online virus scan here (tick the "Auto Clean" checkbox):
http://housecall.antivirus.com/

And a free trojan scan here:
http://www.moosoft.com/

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and we'll remove what's left.
  • 0

#3
knihc2008

knihc2008

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Logfile of HijackThis v1.97.7
Scan saved at 12:34:00 AM, on 12/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\rundll32.exe
D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
D:\Program Files\The Cleaner\tca.exe
C:\Program Files\Apoint\Apntex.exe
D:\Program Files\The Cleaner\tcm.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\windows\twfilka.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\192399.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Chan\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.sony.com/vaiopeople
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C84 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P32 "EPSON Stylus C84 Series (Copy 1)" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [WG511WLU] D:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [tcactive] D:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] D:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ivgasbu] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [nyjyojn] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [gmyliij] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [vwxsoqp] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [cpfjuhy] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [doegysc] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [qmvykuo] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [aipsajo] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [ywredqg] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [bqjlrot] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [gqwjkao] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [mbrheuu] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [fivgfdy] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [pvjjeix] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [snbuoov] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [qooddwy] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [maxuwfj] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [gmioepi] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [xwtrtcn] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [logdejm] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [rexlghy] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [kmmjvkx] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [woncrjp] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [kllpyia] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [svyjlqc] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [itpvpwc] c:\windows\wfhfypk.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = D:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: 192399.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v.../xb_include.htm
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {59F156FC-9BC4-11D5-B0A5-0060085A719D} (Opalplayerx5 Control) - ftp://ftp.ca.com/pub/Opal/plugins/x_plugin/opalplayerx5.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupd...7899.6889583333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

doesn't seem too different to me tho i spent about four or five hours having those two progs scan my compy. they did find about seven or eight trojans, etc, though. hopefully you can work with this?

thanks again.
  • 0

#4
admin

admin

    Founder Geek

  • Administrator
  • 24,504 posts
Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://your-searcher.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://your-searcher.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://your-searcher.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
O4 - HKCU\..\Run: [ivgasbu] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [nyjyojn] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [gmyliij] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [vwxsoqp] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [cpfjuhy] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [doegysc] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [qmvykuo] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [aipsajo] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [ywredqg] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [bqjlrot] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [gqwjkao] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [mbrheuu] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [fivgfdy] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [pvjjeix] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [snbuoov] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [qooddwy] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [maxuwfj] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [gmioepi] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [xwtrtcn] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [logdejm] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [rexlghy] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [kmmjvkx] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [woncrjp] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [kllpyia] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [svyjlqc] c:\windows\lwenbho.exe
O4 - HKCU\..\Run: [itpvpwc] c:\windows\wfhfypk.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: 192399.exe
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v.../xb_include.htm
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):
O4 - HKLM\..\Run: [fash] C:\WINDOWS\fash.exe
O4 - HKCU\..\Run: [itpvpwc] c:\windows\wfhfypk.exe
O4 - Global Startup: C:\WINDOWS\System32\192399.exe

Please delete your temporary files. Double Click My Computer (WinXP: Navigate to Start --->My Computer)
You will see an icon representing your harddrive (most likely C: Drive) Right Click on the hard drive icon and click Properties at the
bottom of the fly out window. One the very first tab (General) you will see a button labeled "Disk Cleanup"...click that button.
Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files and
Recycle Bin

Click OK and Disk Cleanup will delete those files for you.

Reboot your PC.

If you would please, download the latest version of HijackThis using the link in my signature, post a fresh log in this same topic, and let us know how your system's working. <_<
  • 0

#5
knihc2008

knihc2008

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
by god, it's gone! *tears stream down face*

"O15: trusted zone" doesn't want to budge. <_<

Logfile of HijackThis v1.98.2
Scan saved at 4:31:50 PM, on 12/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
D:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
D:\Program Files\The Cleaner\tca.exe
D:\Program Files\The Cleaner\tcm.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Chan\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C84 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P32 "EPSON Stylus C84 Series (Copy 1)" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [WG511WLU] D:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [tcactive] D:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] D:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Cisco Systems VPN Client.lnk = D:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {59F156FC-9BC4-11D5-B0A5-0060085A719D} (Opalplayerx5 Control) - ftp://ftp.ca.com/pub/Opal/plugins/x_plugin/opalplayerx5.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
  • 0

#6
knihc2008

knihc2008

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
also, i'm getting the same popups as i did before. its weird because even when my computer is offline, the popups still come up, just with the pop-up ad unloaded.
  • 0

#7
admin

admin

    Founder Geek

  • Administrator
  • 24,504 posts
Download the latest version of Ad-Aware from here (if you already have Ad-Aware installed, make sure that it is the latest version and always go online and update it before you run it).

Download Lavasoft's VX2 Cleaner plug-in here
http://www.lavasoftu...x2cleaner.shtml

How to use Lavasoft's VX2 Cleaner plug-in

- Close Ad-Aware 6 and Ad-Watch (if running)
- Download the free VX2 Cleaner at http://updates.ls-se...lvx2cleaner.exe
- Install the VX2 Cleaner
- Start Ad-Aware 6
- Go to "Plug-ins"
- Select the VX2 Cleaner plug-in and click "Run Plugin"
- If your computer isn't infected, click "Close".


If your computer is infected

- Select "Clean system"
- Reboot your computer
- Scan your computer with Ad-Aware
- Remove any VX2 objects detected
- Reboot your computer again
- Run a second scan to make sure the files have been removed from your computer

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. <_<
  • 0

#8
knihc2008

knihc2008

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
VX2 said i have a clean system, but i'm still getting random popups even when my system is offline. here's the log again.

Logfile of HijackThis v1.97.7
Scan saved at 11:25:27 PM, on 12/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
D:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Apoint\Apntex.exe
D:\Program Files\The Cleaner\tca.exe
D:\Program Files\The Cleaner\tcm.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\odcfg.exe
C:\WINDOWS\System32\getdns.exe
C:\Documents and Settings\Chan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.sony.com/vaiopeople
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C84 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P32 "EPSON Stylus C84 Series (Copy 1)" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [WG511WLU] D:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [tcactive] D:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] D:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Cisco Systems VPN Client.lnk = D:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {59F156FC-9BC4-11D5-B0A5-0060085A719D} (Opalplayerx5 Control) - ftp://ftp.ca.com/pub/Opal/plugins/x_plugin/opalplayerx5.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupd...7899.6889583333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

<_<
  • 0

#9
admin

admin

    Founder Geek

  • Administrator
  • 24,504 posts
Click Here to download TheKillbox. Extract TheKillBox.exe from the zip file and double click it to open it up. In the 'Enter Full Path and Filename to Delete' box, copy and paste these entries one by one, clicking 'Find and Kill This File' after each one:

C:\WINDOWS\System32\odcfg.exe
C:\WINDOWS\System32\getdns.exe


Click 'Exit' when done.

Note: If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run: http://www.javacools...ngfilesetup.exe. Then try TheKillbox again.
  • 0

#10
knihc2008

knihc2008

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
it says "file can not be deleted" even after downloading and running the second program for both programs. do i have to be offline for this or anything? am i missing something?

thanks for your time
  • 0

Advertisements


#11
admin

admin

    Founder Geek

  • Administrator
  • 24,504 posts
This is a new one that we are still working out a complete automatic fix for so at the moment each fix is specially crafted for each individual hijack, because of that we need some information about your computer. That needs a special file run to get the info

Because it is a delicate process and needs an expert interpretation to prevent problems please don't try this yourself unless you are absolutely sure you know what you are doing

please download & Unzip Ms4Hd_look to a folder - double click on the runme.bat and it should produce a look.log file

post the look.log file back and the other log files it makes here including the err.log so we know what we are dealing with

http://www.thespykil...files/ms4hd.zip
  • 0

#12
knihc2008

knihc2008

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
maybe these logs mean more to you than me; they don't seem to have too much info <_<

the look.log file:

An Ms4Hd_look by IMM (v0.003)
Version Info: 5.1000 = Windows XP Home Ed. SP1 (Build 2600)
The volume containing the system directory is C: (FAT32)

HKLM\SYSTEM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd
Error: Unable to open key (Return Code was 2)

HKLM\SYSTEM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\Files
Error: Unable to open key (Return Code was 2)

HKLM\SYSTEM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\Processes
Error: Unable to open key (Return Code was 2)

HKLM\SYSTEM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\RegKeys
Error: Unable to open key (Return Code was 2)

HKLM\SYSTEM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\RegValues
Error: Unable to open key (Return Code was 2)

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
(1 subkey(s) and 11 values) last modified 00:15 2/12/2004 (UTC)
[IgfxTray] "C:\WINDOWS\System32\igfxtray.exe" (SZ)
[Apoint] "C:\Program Files\Apoint\Apoint.exe" (SZ)
[QuickTime Task] "C:\WINDOWS\system32\qttask.exe" (SZ)
[EPSON Stylus C84 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"" (SZ)
[TkBellExe] ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" (SZ)
[EPSON Stylus C84 Series (Copy 1)] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P32 "EPSON Stylus C84 Series (Copy 1)" /O6 "USB001" /M "Stylus C84"" (SZ)
[DeadAIM] "rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs" (SZ)
[WG511WLU] "D:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe" (SZ)
[clfmon.exe] "clfmon.exe" (SZ)
[tcactive] "D:\Program Files\The Cleaner\tca.exe" (SZ)
[tcmonitor] "D:\Program Files\The Cleaner\tcm.exe" (SZ)

the err. file:

NtQuerySystemInformation (Entry at 8625B0) restored to 77F5BF08
NtEnumerateValueKey (Entry at 862430) restored to 77F5B8C8
NtEnumerateKey (Entry at 8622C0) restored to 77F5B8A8
NtQueryDirectoryFile (Entry at 862630) restored to 77F5BD48
LdrLoadDll (Entry at 862180) restored to 77F56F1B
NtResumeThread (Entry at 862090) restored to 77F5C118

thanks for your time!
  • 0

#13
admin

admin

    Founder Geek

  • Administrator
  • 24,504 posts
Download this reg file please and save it to desktop: http://www.thespykil...Removems4hd.reg

Run this reg file. Make sure IE and OE and all other windows are closed before running it. It will remove some reg values and keys that are causing the problem (run it by double clicking).

You should get a warning that it will merge to the registry or similar. Say yes to the prompt. You should then get a message saying file successfully merged with registry.

Finally, check your favorites folder as this pest puts a lot of unwanted links in there as well and they need manually deleting.

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. <_<
  • 0

#14
knihc2008

knihc2008

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
my compy seems to be working faster; i haven't gotten any pop ups but then again i did just turn on my compy and usually the popups come up at maybe 5-10-minute intervals.

Logfile of HijackThis v1.97.7
Scan saved at 12:47:40 PM, on 12/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
D:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
D:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
D:\Program Files\The Cleaner\tca.exe
D:\Program Files\The Cleaner\tcm.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Chan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.sony.com/vaiopeople
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C84 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P32 "EPSON Stylus C84 Series (Copy 1)" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [WG511WLU] D:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [tcactive] D:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] D:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Cisco Systems VPN Client.lnk = D:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.63.219.181.7
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {59F156FC-9BC4-11D5-B0A5-0060085A719D} (Opalplayerx5 Control) - ftp://ftp.ca.com/pub/Opal/plugins/x_plugin/opalplayerx5.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupd...7899.6889583333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab

thank you again. admin, you are my god <_<
  • 0

#15
knihc2008

knihc2008

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
word of note: the same pop ups are still attacking me. the "O-15 Trusted Zone" you had told me to fix earlier still wont' budge and is still there; maybe that's doign the job?
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP