Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Spyware maybe taking over bandwidth [resolved]

Started by PimpY , Dec 14 2004 06:26 AM

  • Please log in to reply

#1
PimpY
Posted 14 December 2004 - 06:26 AM

PimpY

    Member

  • Member
  • PipPip
  • 12 posts
i recently formatted my computer. After reinstalling xp i logged back on net, however as soon as i logged back on net i found myself constantly uploading. This effected my overall internet speed, i have not yet updated SP2 since the bandwidth is constantly used up windowsupdate cannot really download anything to my computer. I think this may be a caused by some sort of spyware though im still a noob and dont know much about these things pls help. thx

here is my log
Logfile of HijackThis v1.98.2
Scan saved at 11:16:23 PM, on 12/14/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\sstray.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ssmr.exe
C:\WINDOWS\System32\cosine.exe
C:\WINDOWS\System32\mssupdate.exe
E:\soft\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Start Uppings] mssupdate.exe
O4 - HKLM\..\Run: [WinSecured32] ssmr.exe
O4 - HKLM\..\Run: [cosine] cosine.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKLM\..\RunServices: [Start Uppings] mssupdate.exe
O4 - HKLM\..\RunServices: [WinSecured32] ssmr.exe
O4 - HKLM\..\RunServices: [cosine] cosine.exe
O4 - HKCU\..\Run: [cosine] cosine.exe
O4 - HKCU\..\Run: [Start Uppings] mssupdate.exe
O4 - HKCU\..\RunServices: [Start Uppings] mssupdate.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102935240607
  • 0

Advertisements

#2
Metallica
Posted 14 December 2004 - 07:02 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Hi PimpY,

Could you surf to this site:
http://www.kaspersky.com/scanforvirus

and have these files checked:
C:\WINDOWS\System32\ssmr.exe
C:\WINDOWS\System32\cosine.exe
C:\WINDOWS\System32\mssupdate.exe

Let me know the results, but they all look like trojans to me.

Regards,

Pieter
  • 0

#3
PimpY
Posted 14 December 2004 - 07:34 AM

PimpY

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
hi pieter thx for looking at my post, the web pages are getting extremely slow to load up and its taking forever to load a page (bout 3 minutes) im on adsl 256. and recently this gayporn site has been popping up everytime i connect to the internet. and it often has illegal operation. i rescanned using ad aware and spybot, however nothing came up, this is my new log

Logfile of HijackThis v1.98.2
Scan saved at 12:00:26 AM, on 12/15/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\sstray.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\mssupdate.exe
C:\WINDOWS\System32\ssmr.exe
C:\WINDOWS\System32\cosine.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
E:\soft\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WinSecured32] ssmr.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [cosine] cosine.exe
O4 - HKLM\..\Run: [Start Uppings] mssupdate.exe
O4 - HKLM\..\RunServices: [Start Uppings] mssupdate.exe
O4 - HKLM\..\RunServices: [WinSecured32] ssmr.exe
O4 - HKLM\..\RunServices: [cosine] cosine.exe
O4 - HKCU\..\Run: [cosine] cosine.exe
O4 - HKCU\..\Run: [Start Uppings] mssupdate.exe
O4 - HKCU\..\RunServices: [Start Uppings] mssupdate.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102935240607

im also scanning the files u told me with the link u provided me though it mite take sometime due to the slow net speed i'll give u the results asap thx again
  • 0

#4
PimpY
Posted 14 December 2004 - 08:02 AM

PimpY

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Pieter hi again
the files u told me to scan wasnt very successful :tazz: , the results dont load up, i think it mite be cause of the slow internet speed i have. i'll try to get some results at work tomorrow, i checked these files in my system32 under (show hidden files folders) but they dont seem to be there. any suggestions at all? thx
  • 0

#5
Metallica
Posted 14 December 2004 - 08:03 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Assuming I am right. :tazz:
Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [WinSecured32] ssmr.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [cosine] cosine.exe
O4 - HKLM\..\Run: [Start Uppings] mssupdate.exe
O4 - HKLM\..\RunServices: [Start Uppings] mssupdate.exe
O4 - HKLM\..\RunServices: [WinSecured32] ssmr.exe
O4 - HKLM\..\RunServices: [cosine] cosine.exe
O4 - HKCU\..\Run: [cosine] cosine.exe
O4 - HKCU\..\Run: [Start Uppings] mssupdate.exe
O4 - HKCU\..\RunServices: [Start Uppings] mssupdate.exe

Reboot after doing so, preferably Reboot into safe mode
and delete:
C:\Program Files\Windows ControlAd <= entire folder

We will postpone the rest of the deleting until we know what it is.
But doing this should bring you back to speed.

Regards,

Pieter
  • 0

#6
PimpY
Posted 14 December 2004 - 09:17 AM

PimpY

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Hi Pieter its me again :tazz:
i did exactly what u asked though i wasnt able to find
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
and couldnt find the folder C:\Program files\Windows ControlAd
The speed seem to be better though its still uploading and downloading but i was able to find out about the files u told me to search earlier

Scanned file: mssupdate.exe

mssupdate.exe - packed with PE_Patch.Morphine mssupdate.exe - packed with Morphine mssupdate.exe - packed with PE_Patch mssupdate.exe - packed with MewBundle mssupdate.exe - packed with MEW mssupdate.exe - infected by Backdoor.Win32.Rbot.gen

Scanned file: cosine.exe

cosine.exe - packed with PE-Diminisher cosine.exe - infected by Backdoor.Win32.Rbot.gen

Scanned file: ssmr.exe

ssmr.exe - packed with PE_Patch.Morphine ssmr.exe - packed with Morphine ssmr.exe - packed with UPX ssmr.exe - infected by Backdoor.Win32.Rbot.gen
i also scanned again with Hijack this
this is the news log

Logfile of HijackThis v1.98.2
Scan saved at 1:57:45 AM, on 12/15/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\sstray.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\System32\cosine.exe
C:\WINDOWS\System32\mssupdate.exe
E:\soft\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [cosine] cosine.exe
O4 - HKLM\..\Run: [Start Uppings] mssupdate.exe
O4 - HKLM\..\RunServices: [cosine] cosine.exe
O4 - HKLM\..\RunServices: [Start Uppings] mssupdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [cosine] cosine.exe
O4 - HKCU\..\Run: [Start Uppings] mssupdate.exe
O4 - HKCU\..\RunServices: [Start Uppings] mssupdate.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102935240607
  • 0

#7
Metallica
Posted 14 December 2004 - 09:23 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Good job sofar. :tazz:

This one will have to be don the other way round.

Reboot into safe mode and delete:

C:\WINDOWS\System32\cosine.exe
C:\WINDOWS\System32\mssupdate.exe

Then run HijackThis and check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [cosine] cosine.exe
O4 - HKLM\..\Run: [Start Uppings] mssupdate.exe
O4 - HKLM\..\RunServices: [cosine] cosine.exe
O4 - HKLM\..\RunServices: [Start Uppings] mssupdate.exe

O4 - HKCU\..\Run: [cosine] cosine.exe
O4 - HKCU\..\Run: [Start Uppings] mssupdate.exe
O4 - HKCU\..\RunServices: [Start Uppings] mssupdate.exe

Then boot normally and let us know how it goes.

Regards,

Pieter
  • 0

#8
PimpY
Posted 14 December 2004 - 09:41 AM

PimpY

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Hey Pieter
i didnt run hijack this cause i couldnt find cosine.exe and mssupdate.exe in the system32 folder, however i searched for both files and found em
cosine.exe - 2D7DF68B.pf and MSSUPDATE.EXE - 1EG23F4E both in c:\windows\prefetch
should i dele em?

PimpY
  • 0

#9
Metallica
Posted 14 December 2004 - 09:47 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
If you can not find them they may be a hidden file(s).
To "unhide" hidden files and folders:
Launch My Computer from the Desktop Icon.
Select View, Details.
Select the Folders button.
Select Tools, Folder Options. Then select the View Tab. Select the Show hidden files and folders radio button is selected
and that the Hide file extensions for known file types check box is unchecked. Once this is done, select Apply and then
Like Current Folder (located near the top of the Folder Options box). Then select OK.

The ones in the prefetch folder can go to, but they are harmless by themselves.

Regards,

Pieter
  • 0

#10
PimpY
Posted 14 December 2004 - 10:13 AM

PimpY

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Errrrm..... :tazz: still no luck im starting to panic lol my options were already to view hidden files but they still arent there
  • 0

Advertisements

#11
PimpY
Posted 14 December 2004 - 10:18 AM

PimpY

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Soz Pieter i just found em
i just unclicked "hide protected operating system files" and they showed up should i dele em?
  • 0

#12
Metallica
Posted 14 December 2004 - 10:19 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
No need to panic. :tazz:

Download Killbox from here:
http://www.geekstogo...ction=show&id=4

Run killbox and paste each of these lines into the box, select delete on reboot then press the red X button, when it says reboot now, say no and continue to paste the lines into the box in turn and follow the above procedure every time, after the last line has been pasted let it reboot.
C:\WINDOWS\System32\ssmr.exe
C:\WINDOWS\System32\cosine.exe
C:\WINDOWS\System32\mssupdate.exe

After the reboot post a new HijackThis log.

Regards,

Pieter
  • 0

#13
PimpY
Posted 14 December 2004 - 10:44 AM

PimpY

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Hi Pieter
ok i done the the steps here is the new log

Logfile of HijackThis v1.98.2
Scan saved at 3:41:44 AM, on 12/15/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\System32\sstray.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
E:\soft\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [cosine] cosine.exe
O4 - HKLM\..\Run: [Start Uppings] mssupdate.exe
O4 - HKLM\..\RunServices: [cosine] cosine.exe
O4 - HKLM\..\RunServices: [Start Uppings] mssupdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [cosine] cosine.exe
O4 - HKCU\..\Run: [Start Uppings] mssupdate.exe
O4 - HKCU\..\RunServices: [Start Uppings] mssupdate.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1102935240607

cosine and mssupdate seems still there should i manually remove the exe files in safe mode?
  • 0

#14
Metallica
Posted 14 December 2004 - 01:19 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Yay, they are no longer running. :tazz:

Clean out the leftovers and you should be roaring to go.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [cosine] cosine.exe
O4 - HKLM\..\Run: [Start Uppings] mssupdate.exe
O4 - HKLM\..\RunServices: [cosine] cosine.exe
O4 - HKLM\..\RunServices: [Start Uppings] mssupdate.exe

O4 - HKCU\..\Run: [cosine] cosine.exe
O4 - HKCU\..\Run: [Start Uppings] mssupdate.exe
O4 - HKCU\..\RunServices: [Start Uppings] mssupdate.exe

Then reboot. This time they should stay away.

Regards,

Pieter
  • 0

#15
PimpY
Posted 14 December 2004 - 05:59 PM

PimpY

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Hi Pieter i installed SP2 over the night since bandwidth has gotten better. And it seems net speed has recovered thx a bunch :tazz: for your help. here is the final log i scanned after final adjustments, thx again

PimpY
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP