.frame.crazywinnings



#1 onthegas7 (New Member, 8 posts)
Please help me somebody. I am a computer newbie and recently did a lot of damage to my computer. One result of this is I got the .frame.crazywinnings in Trusted Zones. I have run Spybot; Ad-Aware runs but freezes after the scan. I will now scan and post results in reply like you said to. Thanks for your time..Steve



#2 onthegas7 (Topic Starter, New Member, 8 posts)
Here is my HijackThis log.

Logfile of HijackThis v1.98.2
Scan saved at 1:05:42 PM, on 12/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msyq.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\PROGRA~1\PEOPLE~1\propelac.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\WINDOWS\system32\apius.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\Documents and Settings\Owner\My Documents\programs\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\edqdl.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\edqdl.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\edqdl.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\edqdl.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\edqdl.dll/sp.html#12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\edqdl.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {8BC61747-3461-EFEE-D05D-964D875677AB} - C:\WINDOWS\system32\atlmm32.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [Propel Accelerator] "C:\PROGRA~1\PEOPLE~1\propelac.exe"
O4 - HKLM\..\Run: [PPCRunonce] C:\WINDOWS\System32\PPCRunOnce.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [d3fi.exe] C:\WINDOWS\system32\d3fi.exe
O4 - HKLM\..\Run: [apius.exe] C:\WINDOWS\system32\apius.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKLM\..\RunOnce: [msyq.exe] C:\WINDOWS\system32\msyq.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-image.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1101760766162
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec..../ActiveData.cab

If you have time please let me know of anything that should not be there. Thanks, Steve

#3 admin (Founder Geek, Administrator, 24,504 posts)
Welcome to GTG Steve. This is a variant of CoolWebSearch that redirects your homepage to about:blank. It also installs a malicious service that prevents it from being fixed. We need to eliminate that service. It's a long fix, but we'll get it.
  • Obtain list of irregular services:
  • Please download ServiceFilter.
  • Unzip ServiceFilter.zip to a convenient folder like C:\ServiceFilter.
  • Navigate to where you unzipped it and double-click on ServiceFilter.vbs.
  • If you have an active anti-virus it might prevent the script from starting. Please allow the script to run.
  • It will open a text file (POST_THIS.TXT) that lists all of the irregular services.
  • Press Ctrl + A simultaneously to select all of the text.
  • Copy and paste the whole thing into your next post.
  • A copy of POST_THIS.TXT is saved to where ServiceFilter.vbs was saved just in case you accidentally close out of it.


#4 onthegas7 (Topic Starter, New Member, 8 posts)
The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 1
Dec 20, 2004 4:34:04 PM


---> Begin Service Listing <---

Unknown Service # 1
Service Name: CPQALERT
Display Name: Compaq Local Alerter
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\program files\compaq\compaq management agents\cpqalert.exe
State: Running
Process ID: 1008
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 2
Service Name: cpqdmi
Display Name: cpqdmi
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progra~1\compaq\compaq~1\cpqdmi.exe
State: Running
Process ID: 1608
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 3
Service Name: cpqWebDmi
Display Name: Compaq DMI Web Agent
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progra~1\compaq\compaq~1\cpqweb~1\webdmi.exe
State: Running
Process ID: 1044
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 4
Service Name: omniserv
Display Name: Softex OmniPass Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\program files\softex\omnipass\omniserv.exe
State: Running
Process ID: 1152
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service #5
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{e7a3d552-d1ee-4dfd-8c00-152351e065be}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 6
Service Name: WIN32SL
Display Name: Win32Sl
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\program files\compaq\compaq management agents\dmi\win32\bin\win32sl.exe
State: Running
Process ID: 1264
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 7
Service Name: %AF
Display Name: Network Security Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: c:\windows\addeh32.exe /s
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

---> End Service Listing <---

There are 85 Win32 services on this machine.
7 were unrecognized.

Script Execution Time: 1.125 seconds.
Here is the list you asked for.
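The admin's call that one of these seven services is forged can be made explicit. The Python script below is an added example written for this page; it is not ServiceFilter, not something from the thread, and not a Geeks to Go tool. It parses the ServiceFilter listing above (abridged here to three entries, copied from the post) and scores each service on tells that are visible in the output itself: a service name that is not a normal identifier, a "Share Process" type backed by a standalone executable instead of svchost.exe, a binary sitting directly in the Windows folder, and an auto-start service with no description. The host list, the two-flag threshold and the abridged sample are my assumptions.

```python
"""Pick out a forged Windows service from ServiceFilter output (added example)."""
import re

BLOCK_RE = re.compile(r"^Unknown Service #\s*\d+\s*$", re.MULTILINE)
# Hosts that legitimately back a "Share Process" service (assumed list).
SHARED_HOSTS = {"svchost.exe", "dllhost.exe"}


def parse_servicefilter(text):
    """Turn each 'Unknown Service # N' block into a dict of its 'Key: value' lines."""
    services = []
    for chunk in BLOCK_RE.split(text)[1:]:
        fields = {}
        for line in chunk.strip().splitlines():
            if not line.strip():          # a blank line ends the block
                break
            if ": " in line:
                key, value = line.split(": ", 1)
                fields[key.strip()] = value.strip()
        if fields:
            services.append(fields)
    return services


def program_of(path):
    """Executable part of a service Path, honouring a quoted path and dropping arguments."""
    path = path.strip()
    if path.startswith('"'):
        return path[1:path.index('"', 1)]
    return path.split()[0] if path else ""


def assess(svc):
    """Return the reasons a service looks forged (empty when it looks normal)."""
    reasons = []
    name = svc.get("Service Name", "")
    exe = program_of(svc.get("Path", "")).lower()
    directory, _, base = exe.rpartition("\\")
    if not re.fullmatch(r"[a-z0-9_.\-]{3,}", name, re.IGNORECASE):
        reasons.append(f"service name {name!r} is not a normal identifier")
    if svc.get("Service Type") == "Share Process" and base not in SHARED_HOSTS:
        reasons.append("claims to be a shared-process service but runs its own exe")
    if re.fullmatch(r"[a-z]:\\(windows|winnt)", directory):
        reasons.append("binary dropped directly in the Windows folder")
    if svc.get("Start Mode") == "Auto" and svc.get("Description", "...") == "...":
        reasons.append("auto-start service with no description")
    return reasons


def rogue_services(text):
    """Map service name -> reasons, for services with at least two red flags."""
    flagged = {}
    for svc in parse_servicefilter(text):
        reasons = assess(svc)
        if len(reasons) >= 2:
            flagged[svc["Service Name"]] = reasons
    return flagged


# Sample input: three entries copied from the ServiceFilter log in this thread, abridged.
SAMPLE = r"""
---> Begin Service Listing <---

Unknown Service # 1
Service Name: CPQALERT
Display Name: Compaq Local Alerter
Start Mode: Auto
Description: ...
Service Type: Own Process
Path: c:\program files\compaq\compaq management agents\cpqalert.exe
State: Running

Unknown Service #5
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{e7a3d552-d1ee-4dfd-8c00-152351e065be}
State: Stopped

Unknown Service # 7
Service Name: %AF
Display Name: Network Security Service
Start Mode: Auto
Description: ...
Service Type: Share Process
Path: c:\windows\addeh32.exe /s
State: Stopped

---> End Service Listing <---
"""

if __name__ == "__main__":
    for name, reasons in rogue_services(SAMPLE).items():
        print(name, "->", "; ".join(reasons))
```

Run it against a full POST_THIS.TXT (pass the file contents instead of SAMPLE) and only "%AF" comes out; the Compaq agents trip a single weak rule and stay below the threshold.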

#5 admin (Founder Geek, Administrator, 24,504 posts)
  • Prepare AboutBuster for use:
    • Download AboutBuster.
    • Unzip AboutBuster to a convenient folder such as C:\AboutBuster.
    • Run AboutBuster.exe. Click OK, Update, Check For Update. Download the updates if they exist.
    • Click Exit as I do not want you to run the program yet.
  • Prepare cwsserviceremove.reg for use:
    • Download cwsserviceremove.reg.
  • Print out these instructions or save them to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.
  • Reconfigure Windows XP to show hidden files:
    • Click Start. Open My Computer.
    • Select the Tools menu and click Folder Options. Select the View Tab.
    • Under the Hidden files and folders heading select "Show hidden files and folders".
    • Uncheck the "Hide protected operating system files (recommended)" option.
    • Uncheck the "Hide file extensions for known file types" option.
    • Click Yes to confirm. Click OK.
  • Boot into Safe Mode:
    • Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
    • To get back to normal mode just restart the computer as you normally would.
  • Stop and disable the offending service:
    • Start | Run | type services.msc | OK
    • Scroll down the list until you find the service called (insert Display Name from the ServiceFilter log here).
    • Double-click on it and under the General tab click Stop to stop the service.
    • Change the Startup Type to Disabled.
    • Click Apply and then OK and close any open windows.
  • End the service process:
    • Press the Ctrl + Alt + Delete keys simultaneously to open the Task Manager.
    • Under the Processes tab find (insert Path from the ServiceFilter log here).
    • Click End Process.
    • File | Exit Task Manager
  • Fix malicious entries with HijackThis v1.98.2:
    • Please close all browsers and windows that you might have open.
    • Open HijackThis and click Scan.
    • Place checkmarks in the boxes next to these entries(if present):
      • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\edqdl.dll/sp.html#12802
      • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\edqdl.dll/sp.html#12802
      • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
      • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\edqdl.dll/sp.html#12802
      • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\edqdl.dll/sp.html#12802
      • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\edqdl.dll/sp.html#12802
      • R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\edqdl.dll/sp.html#12802
      • R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
      • R3 - Default URLSearchHook is missing
      • O2 - BHO: (no name) - {8BC61747-3461-EFEE-D05D-964D875677AB} - C:\WINDOWS\system32\atlmm32.dll
      • O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
      • O4 - HKLM\..\Run: [d3fi.exe] C:\WINDOWS\system32\d3fi.exe
      • O4 - HKLM\..\Run: [apius.exe] C:\WINDOWS\system32\apius.exe
      • O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
      • O4 - HKLM\..\RunOnce: [msyq.exe] C:\WINDOWS\system32\msyq.exe
      • O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
      • O15 - Trusted Zone: *.frame.crazywinnings.com
    • Once you have placed a checkmark next to each one of them, click Fix Checked.
  • Please delete these folders using Windows Explorer(if present):
    • C:\WINDOWS\system32\msconfg.exe
    • C:\WINDOWS\system32\d3fi.exe
    • C:\WINDOWS\system32\apius.exe
    • C:\WINDOWS\system32\msyq.exe
  • Remove the offending service:
    • Network Security Service
    • Double-click the cwsserviceremove.reg file you downloaded at the beginning.
    • Answer Yes when prompted to add the contents to the registry.
  • Run AboutBuster and save the logs:
    • Browse to where you saved AboutBuster and run AboutBuster.exe.
    • Click OK at the directions prompt.
    • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
    • Click Yes to allow it to shutdown explorer.exe.
    • It will begin to scan your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
    • When it has finished, click Save Log. Make sure you save it as I need a copy of it.
  • Clean out temporary files:
    • Start | Run | type cleanmgr | OK
    • Let it scan your system for files to remove.
    • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
    • Press OK to remove them.
  • Restart your computer normally to return to normal mode.
  • Restore (possibly) deleted files:
    • control.exe - Visit this page.
      • Download the version of control.exe that corresponds to your operating system.
      • If you are running Windows 95, 98, or ME copy it to C:\WINDOWS.
      • If you are running Windows 2000 copy it to C:\WINNT\system32.
      • If you are running Windows XP copy it to C:\WINDOWS\system32.
    • HOSTS - Download the Hoster.
      • Unzip Hoster to a convenient folder such as C:\Hoster.
      • Run Hoster.exe, click Restore Original Hosts and then click OK.
      • Click the X to exit the program.
      • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
    • SDHelper.dll - If you have Spybot Search & Destroy installed download a new SDHelper.dll from here and copy it to the default Spybot folder.
      • The normal path is C:\Program Files\Spybot - Search & Destroy.
    • shell.dll - Visit this page.
      • Download the version that corresponds to your operating system.
      • If you are running Windows 98 copy it to C:\WINDOWS\System.
      • If you are running Windows 2000 copy it to C:\WINNT\System32.
      • If you are running Windows XP copy it to C:\WINDOWS\System32.
  • Check ActiveX security settings:
    • In Internet Explorer, Tools | Internet Options | Security tab | Custom Level. Make sure that the following settings are correct:
    • Download signed ActiveX controls (Prompt)
    • Download unsigned ActiveX controls (Disable)
    • Initialize and script ActiveX controls not marked as safe (Disable)
    • Run ActiveX controls and plug-ins (Enabled)
    • Script ActiveX controls marked safe for scripting (Prompt)
  • Run an online virus scan:
  • Prepare your reply:
    • Please post a fresh HijackThis log
    • Please post the AboutBuster log.
    • Please note any complications you had.

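The seventeen entries ticked above were chosen by eye; the same choice can be made mechanically. The Python script below is an added example written for this page, not HijackThis, not a tool from the thread and not Geeks to Go's own. It encodes the tells a CoolWebSearch triage relies on: a search or start page pointed at a res:// resource inside a local DLL, a default page forced to about:blank, a proxy on localhost, a missing URLSearchHook, a Browser Helper Object with no name, Run values named after a random executable in system32, bare filenames that imitate a Windows utility (msconfg.exe for msconfig.exe), and unexplained Trusted Zone entries. The sample input is an excerpt of the log from post #2; LOOKALIKE_TARGETS and KNOWN_LAUNCHERS are my assumptions, and the verdicts are a starting point for a human, not an automatic Fix Checked.

```python
"""Flag CoolWebSearch-style indicators in a HijackThis v1.98 log (added example)."""
import difflib
import re

# Windows utilities that hijackers imitate with near-miss spellings (assumed list).
LOOKALIKE_TARGETS = {"msconfig.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                     "winlogon.exe", "services.exe", "explorer.exe"}
# Launchers that legitimately appear as a bare filename in a Run value (assumed list).
KNOWN_LAUNCHERS = {"rundll32.exe"}

R_RE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def program_of(cmd):
    """Program part of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def imitates_windows_binary(basename):
    """True for a near-miss spelling of a well-known Windows binary (e.g. msconfg.exe)."""
    b = basename.lower()
    return b not in LOOKALIKE_TARGETS and any(
        difflib.SequenceMatcher(None, b, t).ratio() >= 0.9 for t in LOOKALIKE_TARGETS)


def classify(line):
    """Return (verdict, reason) for one log line; verdict is 'fix', 'review' or None."""
    m = R_RE.match(line)
    if m:
        key, value = m.group("key"), m.group("value").strip()
        if value.lower().startswith("res://"):
            return "fix", "search/start page points into a resource inside a local DLL"
        if value.lower() == "about:blank":
            return "fix", "default page forced to about:blank (CWS about:blank variant)"
        if "ProxyServer" in key and re.search(r"localhost|127\.0\.0\.1", value):
            return "fix", "browser traffic routed through a proxy on this machine"
        return None, ""
    if line.startswith("R3 -") and "is missing" in line:
        return "fix", "default URLSearchHook removed; HijackThis can restore it"
    if line.startswith("O2 -") and "(no name)" in line:
        return "fix", "Browser Helper Object with no registered name"
    if line.startswith("O15 -"):
        return "fix", "Trusted Zone entry grants relaxed ActiveX and scripting rights"
    m = O4_RE.match(line)
    if m:
        name, prog = m.group("name"), program_of(m.group("cmd"))
        base = prog.replace("/", "\\").rsplit("\\", 1)[-1]
        if "\\" not in prog:                    # bare filename, resolved via the search path
            if base.lower() in KNOWN_LAUNCHERS:
                return None, ""
            if imitates_windows_binary(base):
                return "fix", "bare filename imitating a Windows utility"
            return "review", "bare filename in a Run value; confirm what it resolves to"
        if name.lower() == base.lower() and "\\system32\\" in prog.lower():
            return "fix", "Run value named after its own executable in system32"
    return None, ""


def triage(log_text):
    """Return [(verdict, line, reason)] for every flagged line of a log."""
    out = []
    for line in log_text.splitlines():
        verdict, reason = classify(line.rstrip())
        if verdict:
            out.append((verdict, line.rstrip(), reason))
    return out


def fix_list(log_text):
    """The lines a helper would tick under Fix Checked."""
    return [line for verdict, line, _ in triage(log_text) if verdict == "fix"]


# Sample input: an excerpt of the HijackThis log from post #2 of this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\edqdl.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\edqdl.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {8BC61747-3461-EFEE-D05D-964D875677AB} - C:\WINDOWS\system32\atlmm32.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [d3fi.exe] C:\WINDOWS\system32\d3fi.exe
O4 - HKLM\..\RunOnce: [msyq.exe] C:\WINDOWS\system32\msyq.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
"""

if __name__ == "__main__":
    for verdict, line, reason in triage(SAMPLE_LOG):
        print(f"{verdict:6} {line}\n       {reason}")
```

On the excerpt the "fix" verdicts are exactly the entries the admin ticked, the Realtek ALCXMNTR.EXE entry comes out as "review" because a bare filename is only suspicious once you know where it resolves, and the OEM entries with full paths are left alone.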

#6 onthegas7 (Topic Starter, New Member, 8 posts)
Thank you for all the help. I have a question before I start. In step 7, "...insert display name from the ServiceFilter log here...", I am not sure which one to add. The same for step 8, "insert path from the ServiceFilter log here". SORRY for being such a big time newbie. I think I can do everything if I get this figured out. Thanks again for all the time and help you are giving me...Steve

#7 admin (Founder Geek, Administrator, 24,504 posts)
Sorry. I was supposed to fill those in. Thanks for asking.

Insert: Network Security Service for "(insert Display Name from the ServiceFilter log here)"

Insert: C:\windows\addeh32.exe for "(insert Path from the ServiceFilter log here)"

#8 onthegas7 (Topic Starter, New Member, 8 posts)
I did as you said, with the following problems. Step 7: Network Security Service was already stopped; I did click to disable it. Step 8: c:\windows\addeh32.exe was not listed under the Processes tab. Step 15: control.exe and shell.dll didn't work; a window said they may already be there. Step 17: the Trend Micro scan didn't work; a window said security settings may prevent the page displaying properly. All sites I visit are still listed as trusted sites although none are listed there. Here are my new HijackThis and AboutBuster logs....Steve

Logfile of HijackThis v1.98.2
Scan saved at 7:01:50 PM, on 12/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\PROGRA~1\PEOPLE~1\propelac.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\WINDOWS\system32\adddd.exe
C:\WINDOWS\system32\javacd.exe
C:\Documents and Settings\Owner\My Documents\programs\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\edqdl.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\edqdl.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\edqdl.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\edqdl.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\edqdl.dll/sp.html#12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\edqdl.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {8BC61747-3461-EFEE-D05D-964D875677AB} - C:\WINDOWS\system32\atlmm32.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [Propel Accelerator] "C:\PROGRA~1\PEOPLE~1\propelac.exe"
O4 - HKLM\..\Run: [PPCRunonce] C:\WINDOWS\System32\PPCRunOnce.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [javacd.exe] C:\WINDOWS\system32\javacd.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-image.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1101760766162
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec..../ActiveData.cab

Scanned at: 6:24:03 PM on: 12/21/2004


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 20


Removed Data Streams:
C:\WINDOWS\comsetup.log:nefpu
C:\WINDOWS\ipox32.exe:djnst
C:\WINDOWS\KB828028.log:vnanr
C:\WINDOWS\msdfmap.ini:xdeou
C:\WINDOWS\NOTEPAD.EXE:iwphq
C:\WINDOWS\q329256.log:zddhq
C:\WINDOWS\Q329834.log:renms
C:\WINDOWS\Q814033.log:axlfq
C:\WINDOWS\Q817287.log:tywks
C:\WINDOWS\REGLOCS.OLD:wzhdo
C:\WINDOWS\vmmreg32.dll:lkcme


Removed 2 Random Key Entries
Removed! : C:\WINDOWS\apjdf.dll
Removed! : C:\WINDOWS\bdqkd.dat
Removed! : C:\WINDOWS\brmun.dat
Removed! : C:\WINDOWS\fewha.dll
Removed! : C:\WINDOWS\neqcu.dll
Removed! : C:\WINDOWS\nsksd.dat
Removed! : C:\WINDOWS\wcyky.dll
Removed! : C:\WINDOWS\System32\efvmx.dat
Removed! : C:\WINDOWS\System32\iepvo.dat
Removed! : C:\WINDOWS\System32\islna.dll
Removed! : C:\WINDOWS\System32\mzwug.dll
Removed! : C:\WINDOWS\System32\oriqe.dll
Removed! : C:\WINDOWS\System32\yiuiu.dll
Removed! : C:\WINDOWS\System32\ymyrv.dat
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 20


Removed Data Streams:
C:\WINDOWS\comsetup.log:nefpu
C:\WINDOWS\ipox32.exe:djnst
C:\WINDOWS\KB828028.log:vnanr
C:\WINDOWS\msdfmap.ini:xdeou
C:\WINDOWS\NOTEPAD.EXE:iwphq
C:\WINDOWS\q329256.log:zddhq
C:\WINDOWS\Q329834.log:renms
C:\WINDOWS\Q814033.log:axlfq
C:\WINDOWS\Q817287.log:tywks
C:\WINDOWS\REGLOCS.OLD:wzhdo
C:\WINDOWS\vmmreg32.dll:lkcme


Attempted Clean Of Temp folder.
Pages Reset... Done!
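The "Removed Data Streams" section of the AboutBuster log above is the interesting part: the payload was stashed in NTFS alternate data streams hung off ordinary files in C:\WINDOWS (NOTEPAD.EXE:iwphq, KB828028.log:vnanr and so on), which Explorer, dir and a plain file-size check never show. The Python script below is an added example written for this page, not AboutBuster and not from the thread. On Windows it enumerates streams with the kernel32 FindFirstStreamW/FindNextStreamW API via ctypes; the triage rule, which is the same on any platform, keeps every named stream that is not one Windows creates itself and sits on a file in the Windows folder or on an executable. The sample entries are constructed from the stream names in the log with made-up sizes, and BENIGN_STREAMS is my assumption.

```python
"""Find NTFS alternate data streams of the kind AboutBuster removed (added example)."""
import ctypes
import os
import re
import sys

# Stream names Windows itself attaches to files; anything else on a system file
# or an executable deserves a look (assumed list).
BENIGN_STREAMS = {"zone.identifier", "encryptable", "summaryinformation",
                  "documentsummaryinformation"}
WINDOWS_DIR_RE = re.compile(r"^[a-z]:\\(windows|winnt)(\\|$)", re.IGNORECASE)


def suspicious_streams(entries):
    """entries: iterable of (file_path, stream_name, size). Returns the ones worth removing."""
    hits = []
    for path, stream, size in entries:
        if stream.lower() in BENIGN_STREAMS or size == 0:
            continue
        if WINDOWS_DIR_RE.match(path) or path.lower().endswith((".exe", ".dll")):
            hits.append((path, stream, size))
    return hits


if sys.platform == "win32":
    from ctypes import wintypes

    class WIN32_FIND_STREAM_DATA(ctypes.Structure):
        _fields_ = [("StreamSize", ctypes.c_longlong),
                    ("cStreamName", ctypes.c_wchar * (260 + 36))]   # MAX_PATH + 36

    _k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    _k32.FindFirstStreamW.argtypes = [wintypes.LPCWSTR, ctypes.c_int, ctypes.c_void_p, wintypes.DWORD]
    _k32.FindFirstStreamW.restype = wintypes.HANDLE
    _k32.FindNextStreamW.argtypes = [wintypes.HANDLE, ctypes.c_void_p]
    _k32.FindNextStreamW.restype = wintypes.BOOL
    _k32.FindClose.argtypes = [wintypes.HANDLE]
    _INVALID_HANDLE = ctypes.c_void_p(-1).value

    def list_streams(path):
        """Yield (path, stream_name, size) for every *named* stream of one file."""
        data = WIN32_FIND_STREAM_DATA()
        handle = _k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
        if handle in (None, _INVALID_HANDLE):
            return                                  # not NTFS, no access, or no streams
        try:
            while True:
                parts = data.cStreamName.split(":")  # "::$DATA" or ":name:$DATA"
                if len(parts) == 3 and parts[1]:
                    yield path, parts[1], data.StreamSize
                if not _k32.FindNextStreamW(handle, ctypes.byref(data)):
                    break
        finally:
            _k32.FindClose(handle)

    def scan_tree(root):
        """Walk a directory tree and yield every named stream found under it."""
        for dirpath, _, files in os.walk(root):
            for name in files:
                yield from list_streams(os.path.join(dirpath, name))


# Constructed sample: stream names from the AboutBuster log above, sizes made up.
SAMPLE_STREAMS = [
    (r"C:\WINDOWS\NOTEPAD.EXE", "iwphq", 57344),
    (r"C:\WINDOWS\KB828028.log", "vnanr", 57344),
    (r"C:\WINDOWS\vmmreg32.dll", "lkcme", 57344),
    (r"C:\Documents and Settings\Owner\Desktop\hijackthis.zip", "Zone.Identifier", 26),
    (r"C:\Documents and Settings\Owner\My Documents\report.doc", "SummaryInformation", 4096),
    (r"C:\Documents and Settings\Owner\My Documents\photo.jpg", "favicon", 1200),
]

if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.platform == "win32":
        entries = scan_tree(sys.argv[1])            # e.g. python ads.py C:\WINDOWS
    else:
        entries = SAMPLE_STREAMS
    for path, stream, size in suspicious_streams(entries):
        print(f"{path}:{stream}  ({size} bytes)")
```

Removing a stream is a separate decision: once you are sure, `more < NUL > "C:\WINDOWS\NOTEPAD.EXE:iwphq"` truncates it in cmd, but do not delete or truncate the host file itself; NOTEPAD.EXE is a normal Windows binary that merely had a stream attached.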

#9 onthegas7 (Topic Starter, New Member, 8 posts)
Since the last instructions I have done the following: reinstalled Service Pack 2 from disk. This solved the problem of every website showing the trusted site icon at the bottom of the page; now I get the Internet icon. Problems: when I run Ad-Aware SE it scans and shows results but continues to freeze when I try to remove the results. Norton full system scan never finds anything. Windows Automatic Updates will not work, nor does going to the update website; it loads the page and then does nothing. Spybot shows DSO Exploit with 5 entries that show up every scan although it says the problems are fixed. I hope this info can help you with the above logs. Thank you, Steve

#10 admin (Founder Geek, Administrator, 24,504 posts)
Let's start by looking at a new HijackThis log.

#11 onthegas7 (Topic Starter, New Member, 8 posts)
Logfile of HijackThis v1.98.2
Scan saved at 8:16:58 PM, on 12/23/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINDOWS\system32\adddd.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\PROGRA~1\PEOPLE~1\propelac.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\system32\javacd.exe
C:\Program Files\Messenger\msmsgs.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\Documents and Settings\Owner\My Documents\programs\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oeaik.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\oeaik.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\oeaik.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oeaik.dll/sp.html#12802
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\oeaik.dll/sp.html#12802
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\oeaik.dll/sp.html#12802
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D75899FB-CB87-FC4D-A477-72074618F72C} - C:\WINDOWS\system32\javaxc32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [Propel Accelerator] "C:\PROGRA~1\PEOPLE~1\propelac.exe"
O4 - HKLM\..\Run: [PPCRunonce] C:\WINDOWS\System32\PPCRunOnce.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [javacd.exe] C:\WINDOWS\system32\javacd.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-image.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1101760766162
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec..../ActiveData.cab

Here is my new log.

#12 admin (Founder Geek, Administrator, 24,504 posts)
  • Obtain list of irregular services:
  • Please download ServiceFilter.
  • Unzip ServiceFilter.zip to a convenient folder like C:\ServiceFilter.
  • Navigate to where you unzipped it and double-click on ServiceFilter.vbs.
  • If you have an active anti-virus it might prevent the script from starting. Please allow the script to run.
  • It will open a text file (POST_THIS.TXT) that lists all of the irregular services.
  • Press Ctrl + A simultaneously to select all of the text.
  • Copy and paste the whole thing into your next post.
  • A copy of POST_THIS.TXT is saved to where ServiceFilter.vbs was saved just in case you accidentally close out of it.


#13 onthegas7 (Topic Starter, New Member, 8 posts)
The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 2
Dec 24, 2004 4:06:32 PM


---> Begin Service Listing <---

Unknown Service # 1
Service Name: CPQALERT
Display Name: Compaq Local Alerter
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\program files\compaq\compaq management agents\cpqalert.exe
State: Running
Process ID: 1036
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 2
Service Name: cpqdmi
Display Name: cpqdmi
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progra~1\compaq\compaq~1\cpqdmi.exe
State: Running
Process ID: 1516
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service # 3
Service Name: cpqWebDmi
Display Name: Compaq DMI Web Agent
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progra~1\compaq\compaq~1\cpqweb~1\webdmi.exe
State: Running
Process ID: 1052
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

---> End Service Listing <---

There are 43 Win32 services on this machine.
3 were unrecognized.

Script Execution Time: 1.578125 seconds.





