
HijackThis Log: I need help! [RESOLVED]


This topic is locked.

#1 facbaugh (Member, 10 posts)
Here's my new Hijack This log. I can't tell anything from it. I know you look at these all the time, but I am hoping you can find the time to help me.


Thank you!


Logfile of HijackThis v1.99.1
Scan saved at 7:13:19 PM, on 10/13/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\OPLIMIT\OCRAWARE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\KODAK\KODAK SOFTWARE UPDATER\7288971\PROGRAM\KODAK SOFTWARE UPDATER.EXE
C:\PROGRAM FILES\MOTOROLA WIRELESS\WU830G USB ADAPTER\ODHOST.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MOTOROLA WIRELESS\WU830G USB ADAPTER\WLUSBCFG.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BWDELAY.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape...nsearch200.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F1 - win.ini: load=C:\OPLIMIT\ocraware.exe
F1 - win.ini: run=hpfsched
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape...srchdft-E.html"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\Intuit\QAgent\QAGENT.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Startup: Motorola Wireless USB Adapter.lnk = C:\Program Files\Motorola Wireless\WU830G USB Adapter\Startup.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {65E598C9-9541-40E7-8F89-C2048435C9E1} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {65E598C9-9541-40E7-8F89-C2048435C9E1} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {65E598C9-9541-40E7-8F89-C2048435C9E1} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {65E598C9-9541-40E7-8F89-C2048435C9E1} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.171.149....chm::/file.exe
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecre...PPInstaller.exe
#2 Buckeye_Sam (Malware Expert, 10,019 posts)
Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {65E598C9-9541-40E7-8F89-C2048435C9E1} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {65E598C9-9541-40E7-8F89-C2048435C9E1} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {65E598C9-9541-40E7-8F89-C2048435C9E1} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {65E598C9-9541-40E7-8F89-C2048435C9E1} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.171.149....chm::/file.exe
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecre...PPInstaller.exe



Please run Panda Online Virus Scan
  • You must allow the active-x control to run when asked.
  • There may be files that this scan will not remove.
  • Please include that information in your next post.
Reboot and post a new hijackthis log and the info from your virus scan.
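The entries Buckeye_Sam picked out above follow a small set of first-pass rules: O9 buttons whose registry key points at a file that no longer exists, and O16 Downloaded Program Files that use the ms-its:/mhtml: handler chain (the CHM/MHTML Internet Explorer exploit vector of that era), come from a bare IP address, or pull a raw .exe. The Python below is an added example, not code from the thread or from HijackThis, that applies those rules to a log. The eight sample lines are copied from the logs posted in this thread (URLs truncated exactly as the forum shows them); the rule set, severity labels and function names are the author's own. It deliberately does not pass judgment on the O2 BHO (NZDD.DLL), which the thread never classifies; it only lists it for manual review.

```python
"""Added example: first-pass triage of a HijackThis 1.99 log.
The rules below are the analyst's own heuristics, not HijackThis output."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the logs posted in this thread,
# URLs truncated exactly as the forum displays them.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {65E598C9-9541-40E7-8F89-C2048435C9E1} - C:\WINDOWS\SYSTEM\WLDR.DLL (file missing) (HKCU)
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.171.149....chm::/file.exe
O16 - DPF: {78A730D4-0DF3-4B65-8DD2-BFCD433CEE30} - http://www.surfsecre...PPInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "fix" = tick it in HijackThis; "review" = look at it by hand
    section: str    # HijackThis section code, e.g. "O16"
    reason: str
    line: str


# Every HijackThis entry starts with a section code and " - ".
_ENTRY = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
# O16 body: "DPF: {CLSID} (optional friendly name) - URL"
_DPF = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
_RAW_IP = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")
# Directories an autostart (O4) entry should essentially never run from.
_SUSPECT_DIRS = ("\\TEMP\\", "\\RECYCLED\\", "\\DOWNLOADED PROGRAM FILES\\")


def _check(sec: str, body: str, line: str) -> Finding | None:
    """Apply the per-section rule; return a Finding or None if the line is unremarkable."""
    if sec == "O16":
        m = _DPF.match(body)
        if not m:
            return None
        url = m.group("url")
        low = url.lower()
        if low.startswith(("ms-its:", "mhtml:")):
            return Finding("fix", sec, "ms-its:/mhtml: handler chain pulling a CHM/EXE (IE exploit vector)", line)
        if _RAW_IP.search(url):
            return Finding("fix", sec, "Downloaded Program File fetched from a bare IP address", line)
        if low.endswith(".exe"):
            return Finding("fix", sec, "Downloaded Program File is a raw .exe with no installer class name", line)
        return None
    if sec == "O9":
        if body.endswith("(no file)") or "(file missing)" in body:
            return Finding("fix", sec, "orphaned IE button/menu entry: registry key points at a missing file", line)
        return None
    if sec == "O2":
        # A BHO loads into every IE process; the log alone cannot say whether it is benign.
        return Finding("review", sec, "Browser Helper Object loaded into IE; confirm the DLL's publisher", line)
    if sec == "O4":
        if any(d in body.upper() for d in _SUSPECT_DIRS):
            return Finding("fix", sec, "autostart entry runs from a temp/cache/recycle-bin location", line)
        return None
    return None


def triage(log_text: str) -> list[Finding]:
    """Walk a HijackThis log and return the entries worth acting on, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        m = _ENTRY.match(line)
        if not m:
            continue  # header, "Running processes:" block, blank lines
        f = _check(m.group("sec"), m.group("body"), line)
        if f:
            findings.append(f)
    return findings


def fix_list(log_text: str) -> list[str]:
    """The lines to tick in HijackThis before pressing Fix Checked."""
    return [f.line for f in triage(log_text) if f.severity == "fix"]


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    print(dict(Counter(f.severity for f in results)))
    for f in results:
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}")
```

On the posted log this reproduces Buckeye_Sam's list exactly: the orphaned O9 entries and the two O16 entries are marked "fix", the Panda ActiveScan installer (a .cab with an installer class name) is left alone, and the BHO is listed for a look rather than removed.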

#3 facbaugh (Topic Starter, Member, 10 posts)
Sam,

Thank you for your response. I have been sick and have not checked my replies until today.
I did as you instructed on HijackThis and I ran the ActiveScan you suggested. Here are the results of that scan:


Incident Status Location

Adware:adware/virmaid No disinfected C:\WINDOWS\SYSTEM\perfcii.ini
Adware:adware/sidestep No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\SbCIe026.dll
Adware:adware/cws No disinfected C:\WINDOWS\Favorites\ONLINE GAMBLING\Online Gambling.url
Adware:adware/popuper No disinfected C:\WINDOWS\Favorites\Black Jack Online.url
Spyware:spyware/new.net No disinfected C:\WINDOWS\newdotnet3_36.dll
Adware:adware/antivirus-gold No disinfected C:\WINDOWS\screen.html
Adware:adware/downloadware No disinfected C:\WINDOWS\TEMP\Adware
Adware:adware/windowenhancer No disinfected C:\WINDOWS\SYSTEM\SBUtils
Spyware:spyware/altnet No disinfected C:\WINDOWS\TEMP\Adware
Spyware:spyware/clipgenie No disinfected Windows Registry
Adware:Adware/WindowEnhancer No disinfected C:\WINDOWS\SYSTEM\SBUtils\SBWebCtl.dll
Adware:Adware/CWS No disinfected C:\WINDOWS\SYSTEM\ole32vbs.exe
Adware:Adware/Comet No disinfected C:\WINDOWS\TEMP\ccu\comet.cab[csbho.dll]
Adware:Adware/Comet No disinfected C:\WINDOWS\TEMP\ccu\csbho.dll
Adware:Adware/DownloadWare No disinfected C:\WINDOWS\TEMP\Adware\WebInstall.exe
Adware:Adware/Medload No disinfected C:\WINDOWS\TEMP\remF283.TMP
Adware:Adware/SideStep No disinfected C:\WINDOWS\Downloaded Program Files\SbCIe026.dll
Spyware:Spyware/New.net No disinfected C:\WINDOWS\newdotnet3_36.dll
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_38.exe
Hacktool:HackTool/ProcLog.A No disinfected C:\HP\bin\ProcessLogger.exe
Virus:Trj/Reboot.F Disinfected C:\HP\bin\Rebooter.exe
Virus:Trj/Reboot.F Disinfected C:\_RESTORE\TEMP\A0153415.CPY
Adware:Adware/BrilliantDigital No disinfected C:\_RESTORE\ARCHIVE\FS549.CAB[A0117924.CPY]
Adware:Adware/BrilliantDigital No disinfected C:\_RESTORE\ARCHIVE\FS549.CAB[A0117925.CPY]
Adware:Adware/BrilliantDigital No disinfected C:\_RESTORE\ARCHIVE\FS549.CAB[A0117929.CPY]
Adware:Adware/BrilliantDigital No disinfected C:\_RESTORE\ARCHIVE\FS549.CAB[A0117931.CPY]
Adware:Adware/BrilliantDigital No disinfected C:\_RESTORE\ARCHIVE\FS549.CAB[A0117933.CPY]
Adware:Adware/BrilliantDigital No disinfected C:\_RESTORE\ARCHIVE\FS549.CAB[A0117935.CPY]
Adware:Adware/BrilliantDigital No disinfected C:\_RESTORE\ARCHIVE\FS549.CAB[A0117953.CPY]
Adware:Adware/BrilliantDigital No disinfected C:\_RESTORE\ARCHIVE\FS549.CAB[A0117959.CPY]
Adware:Adware/BrilliantDigital No disinfected C:\_RESTORE\ARCHIVE\FS549.CAB[A0117961.CPY]
Adware:Adware/BrilliantDigital No disinfected C:\_RESTORE\ARCHIVE\FS549.CAB[A0117965.CPY]
Adware:Adware/BrilliantDigital No disinfected C:\_RESTORE\ARCHIVE\FS549.CAB[A0117967.CPY]
Adware:Adware/BrilliantDigital No disinfected C:\_RESTORE\ARCHIVE\FS549.CAB[A0117971.CPY]
Adware:Adware/BrilliantDigital No disinfected C:\_RESTORE\ARCHIVE\FS549.CAB[A0117985.CPY]
Adware:Adware/BrilliantDigital No disinfected C:\_RESTORE\ARCHIVE\FS549.CAB[A0118003.CPY]
Adware:Adware/BrilliantDigital No disinfected C:\_RESTORE\ARCHIVE\FS549.CAB[A0118005.CPY]
Spyware:Spyware/New.net No disinfected C:\_RESTORE\ARCHIVE\FS623.CAB[A0150363.CPY]
Spyware:Spyware/New.net No disinfected C:\_RESTORE\ARCHIVE\FS624.CAB[W0164585.CPY]
Spyware:Spyware/Cydoor No disinfected C:\_RESTORE\ARCHIVE\FS552.CAB[A0118316.CPY]
Spyware:Spyware/Cydoor No disinfected C:\_RESTORE\ARCHIVE\FS552.CAB[A0118327.CPY]
Spyware:Spyware/New.net No disinfected C:\_RESTORE\ARCHIVE\FS570.CAB[A0128277.CPY]
Spyware:Spyware/New.net No disinfected C:\_RESTORE\ARCHIVE\FS572.CAB[W0139917.CPY]
Adware:Adware/Popuper No disinfected C:\_RESTORE\ARCHIVE\FS585.CAB[A0136827.CPY]
Adware:Adware/Popuper No disinfected C:\_RESTORE\ARCHIVE\FS585.CAB[A0136828.CPY]
Adware:Adware/Popuper No disinfected C:\_RESTORE\ARCHIVE\FS582.CAB[A0135774.CPY]
Virus:Trj/Downloader.CXO No disinfected C:\_RESTORE\ARCHIVE\FS582.CAB[A0135775.CPY]
Adware:Adware/Gogotools No disinfected C:\_RESTORE\ARCHIVE\FS586.CAB[A0137112.CPY]
Dialer:Dialer.CBF No disinfected C:\_RESTORE\ARCHIVE\FS586.CAB[A0137115.CPY]
Dialer:Dialer.CBF No disinfected C:\_RESTORE\ARCHIVE\FS586.CAB[A0137129.CPY]
Dialer:Dialer.CBF No disinfected C:\_RESTORE\ARCHIVE\FS586.CAB[A0137147.CPY]
Adware:Adware/Popuper No disinfected C:\_RESTORE\ARCHIVE\FS586.CAB[A0137205.CPY]
Adware:Adware/DownloadWare No disinfected C:\_RESTORE\ARCHIVE\FS586.CAB[A0137209.CPY]
Adware:Adware/BlueScreenWarning No disinfected C:\_RESTORE\ARCHIVE\FS586.CAB[A0137211.CPY]
Spyware:Spyware/New.net No disinfected C:\_RESTORE\ARCHIVE\FS586.CAB[A0137215.CPY]
Adware:Adware/Popuper No disinfected C:\_RESTORE\ARCHIVE\FS586.CAB[A0137217.CPY]
Adware:Adware/Popuper No disinfected C:\_RESTORE\ARCHIVE\FS586.CAB[A0137219.CPY]
Adware:Adware/BlueScreenWarning No disinfected C:\_RESTORE\ARCHIVE\FS586.CAB[A0137221.CPY]
Adware:Adware/DownloadWare No disinfected C:\_RESTORE\ARCHIVE\FS586.CAB[A0137223.CPY]
Adware:Adware/Medload No disinfected C:\_RESTORE\ARCHIVE\FS588.CAB[A0137343.CPY]
Virus:Trj/Spyre.B No disinfected C:\_RESTORE\ARCHIVE\FS637.CAB[A0152048.CPY]
Adware:Adware/Popuper No disinfected C:\_RESTORE\ARCHIVE\FS637.CAB[A0152063.CPY]
Dialer:Dialer.CBF No disinfected C:\_RESTORE\ARCHIVE\FS637.CAB[A0152125.CPY]
Adware:Adware/TheLocalSearch No disinfected C:\Program Files\Virtual Maid\Virtual Maid.dll
Please tell me if there is something I can do about these problems.

Thank you.
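Most of the rows in this scan result, and in the second ActiveScan result posted later in the thread, are not files the machine is running: they are copies inside Windows ME's System Restore archive (C:\_RESTORE\ARCHIVE\*.CAB), in the Recycle Bin (C:\Recycled) or in C:\WINDOWS\TEMP. Restore-archive copies are inert unless a restore point is applied, and a scanner cannot clean inside them; on Windows ME they are purged by disabling System Restore (Control Panel > System > Performance > File System > Troubleshooting), rebooting, and re-enabling it. Sorting the rows by where they live makes the actual to-do list short. The Python below is an added example, not from the thread or from Panda, that parses the ActiveScan text as posted (including rows where the incident name ran into the status, such as "BrilliantDigitalNo disinfected") and groups them that way. The sample rows are an excerpt copied from the two posted scan logs; the class names and functions are the author's own.

```python
"""Added example: bucket Panda ActiveScan 2005-era results by where the file lives.
Parsing and classification rules are the analyst's own, not Panda's."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: an excerpt of rows copied from the two ActiveScan logs in this thread.
SAMPLE_SCAN = r"""
Incident Status Location

Adware:adware/virmaid No disinfected C:\WINDOWS\SYSTEM\perfcii.ini
Spyware:spyware/clipgenie No disinfected Windows Registry
Adware:Adware/CWS No disinfected C:\WINDOWS\SYSTEM\ole32vbs.exe
Adware:Adware/Comet No disinfected C:\WINDOWS\TEMP\ccu\comet.cab[csbho.dll]
Virus:Trj/Reboot.F Disinfected C:\HP\bin\Rebooter.exe
Adware:Adware/BrilliantDigitalNo disinfected C:\_RESTORE\ARCHIVE\FS549.CAB[A0117924.CPY]
Virus:Trj/Downloader.CXO No disinfected C:\_RESTORE\ARCHIVE\FS582.CAB[A0135775.CPY]
Spyware:Spyware/Altnet No disinfected C:\Recycled\Dc7\Setup.exe
Adware:Adware/TheLocalSearch No disinfected C:\Program Files\Virtual Maid\Virtual Maid.dll
"""

# The incident name has no spaces; the status is one of two fixed phrases and may be
# glued to the name with no space (as the forum copy shows); the location is the rest.
_ROW = re.compile(r"^(?P<incident>\S+?)\s*(?P<status>No disinfected|Disinfected)\s+(?P<location>.+)$")


@dataclass(frozen=True)
class Detection:
    incident: str
    status: str
    location: str

    @property
    def container(self) -> str:
        """Archive path without the [member] suffix, e.g. the .CAB that holds a .CPY."""
        return self.location.split("[", 1)[0]


def classify(location: str) -> str:
    """Where a detection lives decides how it gets removed."""
    up = location.upper()
    if up == "WINDOWS REGISTRY":
        return "registry"          # a key/value, not a file; cleaned by a registry fix
    if up.startswith("C:\\_RESTORE\\"):
        return "system_restore"    # Win ME restore archive: disable/re-enable System Restore
    if "\\RECYCLED\\" in up:
        return "recycle_bin"       # already deleted by the user; empty the bin
    if "\\TEMP\\" in up:
        return "temp"              # clear C:\WINDOWS\TEMP, as advised later in the thread
    return "live"                  # on disk in a program or system folder: remove by hand


def parse_activescan(text: str) -> list[Detection]:
    """Turn the pasted ActiveScan report into Detection rows, skipping header and blanks."""
    rows: list[Detection] = []
    for raw in text.splitlines():
        m = _ROW.match(raw.strip())
        if m:
            rows.append(Detection(m.group("incident"), m.group("status"), m.group("location")))
    return rows


def summarize(dets: list[Detection]) -> dict[str, int]:
    """Count detections per location class."""
    return dict(Counter(classify(d.location) for d in dets))


def live_targets(dets: list[Detection]) -> list[str]:
    """Files still on disk that the scanner could not disinfect: the manual to-do list."""
    return sorted({d.location for d in dets
                   if classify(d.location) == "live" and d.status == "No disinfected"})


if __name__ == "__main__":
    dets = parse_activescan(SAMPLE_SCAN)
    print(summarize(dets))
    print("restore archives touched:",
          sorted({d.container for d in dets if classify(d.location) == "system_restore"}))
    for path in live_targets(dets):
        print("remove by hand:", path)
```

Run against the full result above, the "live" bucket is a handful of files (perfcii.ini, ole32vbs.exe, newdotnet3_36.dll, the SBUtils and Virtual Maid folders, and so on), while everything under C:\_RESTORE goes away together once System Restore is cleared.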

#4 facbaugh (Topic Starter, Member, 10 posts)
Sam,

Here is my latest HijackThis scan done just before I did the other Scan program.

Logfile of HijackThis v1.99.1
Scan saved at 10:28:26 PM, on 10/19/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\OPLIMIT\OCRAWARE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\KODAK\KODAK SOFTWARE UPDATER\7288971\PROGRAM\KODAK SOFTWARE UPDATER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MOTOROLA WIRELESS\WU830G USB ADAPTER\ODHOST.EXE
C:\PROGRAM FILES\MOTOROLA WIRELESS\WU830G USB ADAPTER\WLUSBCFG.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BWDELAY.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape...nsearch200.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F1 - win.ini: load=C:\OPLIMIT\ocraware.exe
F1 - win.ini: run=hpfsched
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape...srchdft-E.html"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\Intuit\QAgent\QAGENT.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Startup: Motorola Wireless USB Adapter.lnk = C:\Program Files\Motorola Wireless\WU830G USB Adapter\Startup.EXE
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab

#6 Buckeye_Sam (Malware Expert, 10,019 posts)
Please download SmitRem.zip
  • Save the file to your desktop.
  • Right click on the file and extract it to its own folder on the desktop.


Please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
* if you have trouble getting into Safe mode go here for more info.



Once in Safe mode, follow these steps:
  • Open the smitRem folder, then double click the RunThis.bat file to start the tool.
  • Follow the prompts on screen.
  • Wait for the tool to complete and disk cleanup to finish.
  • The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Post the log file from Smitrem as well as a new hijackthis log.

#7 facbaugh (Topic Starter, Member, 10 posts)
Ok Sam. I did all that you told me and here is the newest HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 9:30:43 PM, on 10/20/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape...nsearch200.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F1 - win.ini: load=C:\OPLIMIT\ocraware.exe
F1 - win.ini: run=hpfsched
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape...srchdft-E.html"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\Intuit\QAgent\QAGENT.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Startup: Motorola Wireless USB Adapter.lnk = C:\Program Files\Motorola Wireless\WU830G USB Adapter\Startup.EXE
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab

#8 Buckeye_Sam (Malware Expert, 10,019 posts)
Please delete everything from within this folder, but not the folder itself.

C:\WINDOWS\TEMP


Run a new scan with Panda and save the log.

Please post the log from SmitRem. It should be located at C:\smitfiles.txt
Also post the log from Panda and a new hijackthis log.

#9 facbaugh (Topic Starter, Member, 10 posts)
Okay Sam. Here are the HijackThis and ActiveScan logs. No log was saved for the SmitRem on my computer. I did not see it, so I did a search for it and still nothing.


Activescan Log

Incident Status Location

Adware:Adware/Need2Find No disinfected C:\PROGRAM FILES\NEED2FIND\BAR\1.BIN\ND2FNBAR.DLL
Spyware:Spyware/Altnet No disinfected C:\PROGRAM FILES\ALTNET\DOWNLOAD MANAGER\ASM.EXE
Adware:Adware/P2PNetworking No disinfected C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE
Adware:Adware/P2PNetworking No disinfected C:\WINDOWS\SYSTEM\P2P NETWORKING\MARSHAL.DLL
Spyware:spyware/altnet No disinfected C:\PROGRAM FILES\KAZAA\TopSearch.dll
Adware:adware/p2pnetworking No disinfected C:\WINDOWS\SYSTEM\P2P Networking v126.cpl
Adware:adware/sidestep No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\SbCIe026.dll
Adware:adware/twain-tech No disinfected C:\WINDOWS\smdat32m.sys
Spyware:spyware/new.net No disinfected C:\WINDOWS\newdotnet3_36.dll
Spyware:spyware/rxtoolbar No disinfected C:\PROGRAM FILES\RXToolBar
Adware:adware/instafinder No disinfected C:\PROGRAM FILES\INSTAFINK
Adware:adware/need2find No disinfected C:\PROGRAM FILES\Need2Find
Adware:adware/windowenhancer No disinfected C:\WINDOWS\SYSTEM\SBUtils
Spyware:spyware/cydoor No disinfected C:\WINDOWS\SYSTEM\AdCache
Spyware:spyware/clipgenie No disinfected Windows Registry
Adware:Adware/WindowEnhancer No disinfected C:\WINDOWS\SYSTEM\SBUtils\SBWebCtl.dll
Adware:Adware/P2PNetworking No disinfected C:\WINDOWS\SYSTEM\P2P Networking\MARSHAL.DLL
Adware:Adware/P2PNetworking No disinfected C:\WINDOWS\SYSTEM\P2P Networking\P2P Networking.exe
Adware:Adware/P2PNetworking No disinfected C:\WINDOWS\SYSTEM\P2P Networking v126.cpl
Adware:Adware/SideStep No disinfected C:\WINDOWS\Downloaded Program Files\SbCIe026.dll
Adware:Adware/P2PNetworking No disinfected C:\WINDOWS\Downloaded Program Files\WebP2PInstaller.dll
Spyware:Spyware/New.net No disinfected C:\WINDOWS\newdotnet3_36.dll
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_38.exe
Hacktool:HackTool/ProcLog.A No disinfected C:\HP\bin\ProcessLogger.exe
Adware:Adware/InstaFinder No disinfected C:\Recycled\Dc6\InstaFinderK_inst.exe
Spyware:Spyware/Altnet No disinfected C:\Recycled\Dc7\Setup.exe
Spyware:Spyware/Altnet No disinfected C:\Recycled\Dc7\adm25.dll
Spyware:Spyware/Altnet No disinfected C:\Recycled\Dc7\admdata.dll
Spyware:Spyware/Altnet No disinfected C:\Recycled\Dc7\admdloader.dll
Spyware:Spyware/Altnet No disinfected C:\Recycled\Dc7\admfdi.dll
Spyware:Spyware/Altnet No disinfected C:\Recycled\Dc17.cab
Spyware:Spyware/Altnet No disinfected C:\Recycled\Dc17.cab[asm.exe]
Spyware:Spyware/Altnet No disinfected C:\Recycled\Dc17.cab[asmps.dll]
Adware:Adware/P2PNetworking No disinfected C:\Recycled\Dc122.exe
Adware:Adware/TheLocalSearch No disinfected C:\_RESTORE\TEMP\A0154695.CPY
Adware:Adware/CWS No disinfected C:\_RESTORE\TEMP\A0154700.CPY
Adware:Adware/BrilliantDigital No disinfected C:\_RESTORE\ARCHIVE\FS549.CAB[A0117924.CPY]
Adware:Adware/BrilliantDigital No disinfected C:\_RESTORE\ARCHIVE\FS549.CAB[A0117925.CPY]
Adware:Adware/BrilliantDigital No disinfected C:\_RESTORE\ARCHIVE\FS549.CAB[A0117929.CPY]
Adware:Adware/BrilliantDigital No disinfected C:\_RESTORE\ARCHIVE\FS549.CAB[A0117931.CPY]
Adware:Adware/BrilliantDigital No disinfected C:\_RESTORE\ARCHIVE\FS549.CAB[A0117933.CPY]
Adware:Adware/BrilliantDigital No disinfected C:\_RESTORE\ARCHIVE\FS549.CAB[A0117935.CPY]
Adware:Adware/BrilliantDigital No disinfected C:\_RESTORE\ARCHIVE\FS549.CAB[A0117953.CPY]
Adware:Adware/BrilliantDigital No disinfected C:\_RESTORE\ARCHIVE\FS549.CAB[A0117959.CPY]
Adware:Adware/BrilliantDigital No disinfected C:\_RESTORE\ARCHIVE\FS549.CAB[A0117961.CPY]
Adware:Adware/BrilliantDigital No disinfected C:\_RESTORE\ARCHIVE\FS549.CAB[A0117965.CPY]
Adware:Adware/BrilliantDigital No disinfected C:\_RESTORE\ARCHIVE\FS549.CAB[A0117967.CPY]
Adware:Adware/BrilliantDigital No disinfected C:\_RESTORE\ARCHIVE\FS549.CAB[A0117971.CPY]
Adware:Adware/BrilliantDigital No disinfected C:\_RESTORE\ARCHIVE\FS549.CAB[A0117985.CPY]
Adware:Adware/BrilliantDigital No disinfected C:\_RESTORE\ARCHIVE\FS549.CAB[A0118003.CPY]
Adware:Adware/BrilliantDigital No disinfected C:\_RESTORE\ARCHIVE\FS549.CAB[A0118005.CPY]
Spyware:Spyware/New.net No disinfected C:\_RESTORE\ARCHIVE\FS623.CAB[A0150363.CPY]
Spyware:Spyware/New.net No disinfected C:\_RESTORE\ARCHIVE\FS624.CAB[W0164585.CPY]
Spyware:Spyware/Cydoor No disinfected C:\_RESTORE\ARCHIVE\FS552.CAB[A0118316.CPY]
Spyware:Spyware/Cydoor No disinfected C:\_RESTORE\ARCHIVE\FS552.CAB[A0118327.CPY]
Spyware:Spyware/New.net No disinfected C:\_RESTORE\ARCHIVE\FS570.CAB[A0128277.CPY]
Spyware:Spyware/New.net No disinfected C:\_RESTORE\ARCHIVE\FS572.CAB[W0139917.CPY]
Adware:Adware/Popuper No disinfected C:\_RESTORE\ARCHIVE\FS585.CAB[A0136827.CPY]
Adware:Adware/Popuper No disinfected C:\_RESTORE\ARCHIVE\FS585.CAB[A0136828.CPY]
Adware:Adware/Popuper No disinfected C:\_RESTORE\ARCHIVE\FS582.CAB[A0135774.CPY]
Virus:Trj/Downloader.CXO No disinfected C:\_RESTORE\ARCHIVE\FS582.CAB[A0135775.CPY]
Adware:Adware/Gogotools No disinfected C:\_RESTORE\ARCHIVE\FS586.CAB[A0137112.CPY]
Dialer:Dialer.CBF No disinfected C:\_RESTORE\ARCHIVE\FS586.CAB[A0137115.CPY]
Dialer:Dialer.CBF No disinfected C:\_RESTORE\ARCHIVE\FS586.CAB[A0137129.CPY]
Dialer:Dialer.CBF No disinfected C:\_RESTORE\ARCHIVE\FS586.CAB[A0137147.CPY]
Adware:Adware/Popuper No disinfected C:\_RESTORE\ARCHIVE\FS586.CAB[A0137205.CPY]
Adware:Adware/DownloadWare No disinfected C:\_RESTORE\ARCHIVE\FS586.CAB[A0137209.CPY]
Adware:Adware/BlueScreenWarning No disinfected C:\_RESTORE\ARCHIVE\FS586.CAB[A0137211.CPY]
Spyware:Spyware/New.net No disinfected C:\_RESTORE\ARCHIVE\FS586.CAB[A0137215.CPY]
Adware:Adware/Popuper No disinfected C:\_RESTORE\ARCHIVE\FS586.CAB[A0137217.CPY]
Adware:Adware/Popuper No disinfected C:\_RESTORE\ARCHIVE\FS586.CAB[A0137219.CPY]
Adware:Adware/BlueScreenWarning No disinfected C:\_RESTORE\ARCHIVE\FS586.CAB[A0137221.CPY]
Adware:Adware/DownloadWare No disinfected C:\_RESTORE\ARCHIVE\FS586.CAB[A0137223.CPY]
Adware:Adware/Medload No disinfected C:\_RESTORE\ARCHIVE\FS588.CAB[A0137343.CPY]
Virus:Trj/Reboot.F No disinfected C:\_RESTORE\ARCHIVE\FS643.CAB[A0153415.CPY]
Virus:Trj/Spyre.B No disinfected C:\_RESTORE\ARCHIVE\FS637.CAB[A0152048.CPY]
Adware:Adware/Popuper No disinfected C:\_RESTORE\ARCHIVE\FS637.CAB[A0152063.CPY]
Dialer:Dialer.CBF No disinfected C:\_RESTORE\ARCHIVE\FS637.CAB[A0152125.CPY]
Spyware:Spyware/Altnet No disinfected C:\Program Files\KaZaA\TopSearch.dll
Spyware:Spyware/Altnet No disinfected C:\Program Files\Altnet\Download Manager\asm.exe
Spyware:Spyware/Altnet No disinfected C:\Program Files\Altnet\Download Manager\asmps.dll
Spyware:Spyware/Altnet No disinfected C:\Program Files\Altnet\Download Manager\admdloader.dll
Spyware:Spyware/Altnet No disinfected C:\Program Files\Altnet\Download Manager\admdata.dll
Spyware:Spyware/Altnet No disinfected C:\Program Files\Altnet\Download Manager\admfdi.dll
Spyware:Spyware/Altnet No disinfected C:\Program Files\Altnet\Download Manager\adm25.dll
Spyware:Spyware/Altnet No disinfected C:\Program Files\Altnet\Download Manager\adm4005.exe
Spyware:Spyware/Altnet No disinfected C:\Program Files\Altnet\Download Manager\adm4.dll
Spyware:Spyware/Altnet No disinfected C:\Program Files\Altnet\Download Manager\admprog.dll
Spyware:Spyware/Altnet No disinfected C:\Program Files\Altnet\Download Manager\asmend.exe
Spyware:Spyware/Altnet No disinfected C:\Program Files\Altnet\Download Manager\altnetuninstall.exe
Spyware:Spyware/Altnet No disinfected C:\Program Files\Altnet\Points Manager\sysdetect.dll
Spyware:Spyware/Altnet No disinfected C:\Program Files\Altnet\Points Manager\Points Manager.exe
Adware:Adware/InstaFinder No disinfected C:\Program Files\INSTAFINK\InstaFinderK_inst.exe
Adware:Adware/Need2Find No disinfected C:\Program Files\Need2Find\bar\1.bin\N2PLUGIN.DLL
Adware:Adware/Need2Find No disinfected C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
Adware:Adware/Need2Find No disinfected C:\Program Files\Need2Find\bar\1.bin\NPND2FN.DLL



Hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 8:33:09 PM, on 10/23/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\OPLIMIT\OCRAWARE.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\KODAK\KODAK SOFTWARE UPDATER\7288971\PROGRAM\KODAK SOFTWARE UPDATER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MOTOROLA WIRELESS\WU830G USB ADAPTER\ODHOST.EXE
C:\PROGRAM FILES\MOTOROLA WIRELESS\WU830G USB ADAPTER\WLUSBCFG.EXE
C:\PROGRAM FILES\ALTNET\DOWNLOAD MANAGER\ASM.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BWDELAY.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape...nsearch200.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F1 - win.ini: load=C:\OPLIMIT\ocraware.exe
F1 - win.ini: run=hpfsched
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape...srchdft-E.html"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\PROGRAM FILES\NEED2FIND\BAR\1.BIN\ND2FNBAR.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: RX Toolbar - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - C:\PROGRAM FILES\RXTOOLBAR\RXTOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\Intuit\QAgent\QAGENT.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunOnce: [Panda_cleaner_139535] C:\WINDOWS\SYSTEM\ACTIVESCAN\pavdr.exe 139535
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [TBON] C:\PROGRAM FILES\TBONBIN\TBON.EXE /r
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Startup: Motorola Wireless USB Adapter.lnk = C:\Program Files\Motorola Wireless\WU830G USB Adapter\Startup.EXE
O8 - Extra context menu item: &Search - http://kl.bar.need2f...earch.html?p=KL
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
  • 0

#10
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
That's OK. I'm not seeing any signs of Smitfraud in your log anyway.


Please download and install Cleanup 4.0

Now run CleanUp
IMPORTANT!
CleanUp deletes EVERYTHING out of your temp/temporary folders; it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp.


Running CleanUp
  • Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
  • When CleanUp starts go to the Options button (right side of CleanUp screen)
  • Move the arrow down to "Custom CleanUp!"
  • Now place a checkmark next to the following (Make sure nothing else is checked!):
    • Delete Cookies
      This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea
    • Empty Recycle Bins
    • Delete Prefetch files
    • Cleanup! All Users
  • Click OK
  • Then click on the CleanUp button. This will take a short while, let it do its thing.
  • When asked to reboot system select No
  • Close CleanUp


Please follow these steps:
  • Please make sure that you can View Hidden Files
    • Click Start -> My Computer
    • Select Tools -> Folder options
    • Select the View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.
    • Also make sure that 'Display the contents of system folders' is checked.
    • For more info on how to show hidden files click here.


  • Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.


    O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
    O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL
    O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\PROGRAM FILES\NEED2FIND\BAR\1.BIN\ND2FNBAR.DLL
    O3 - Toolbar: RX Toolbar - {25D8BACF-3DE2-4B48-AE22-D659B8D835B0} - C:\PROGRAM FILES\RXTOOLBAR\RXTOOLBAR.DLL
    O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
    O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
    O4 - HKCU\..\Run: [TBON] C:\PROGRAM FILES\TBONBIN\TBON.EXE /r
    O4 - Startup: PowerReg Scheduler.exe
    O8 - Extra context menu item: &Search - http://kl.bar.need2f...earch.html?p=KL



  • Please reboot your computer in SafeMode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    • Instead of Windows loading as normal, a menu should appear
    • Select the first option, to run Windows in Safe Mode.
    • If you have trouble getting into Safe mode go here for more info.



  • Once in Safe mode, delete these files or directories (Do not be concerned if they do not exist):


    C:\PROGRAM FILES\NEED2FIND <-- delete this folder
    C:\PROGRAM FILES\ALTNET <-- delete this folder
    C:\PROGRAM FILES\RXToolBar <-- delete this folder
    C:\PROGRAM FILES\INSTAFINK <-- delete this folder
    C:\PROGRAM FILES\Need2Find <-- delete this folder
    C:\WINDOWS\SYSTEM\SBUtils <-- delete this folder
    C:\WINDOWS\SYSTEM\AdCache <-- delete this folder
    C:\WINDOWS\SYSTEM\P2P NETWORKING <-- delete this folder
    C:\PROGRAM FILES\KAZAA\TopSearch.dll
    C:\WINDOWS\SYSTEM\P2P Networking v126.cpl
    C:\WINDOWS\smdat32m.sys
    C:\WINDOWS\newdotnet3_36.dll
    C:\WINDOWS\NDNuninstall6_38.exe
    C:\WINDOWS\Downloaded Program Files\SbCIe026.dll
    C:\WINDOWS\Downloaded Program Files\WebP2PInstaller.dll

Reboot your computer to go back to normal mode and post a new log.
  • 0

#11
facbaugh

facbaugh

    Member

  • Topic Starter
  • Member
  • 10 posts
Hey Sam. Here's the last Hijackthis log I did (after all of the changes you suggested).

Logfile of HijackThis v1.99.1
Scan saved at 11:38:30 PM, on 10/23/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\OPLIMIT\OCRAWARE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\KODAK\KODAK SOFTWARE UPDATER\7288971\PROGRAM\KODAK SOFTWARE UPDATER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MOTOROLA WIRELESS\WU830G USB ADAPTER\ODHOST.EXE
C:\PROGRAM FILES\MOTOROLA WIRELESS\WU830G USB ADAPTER\WLUSBCFG.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BWDELAY.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNDAL.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape...nsearch200.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F1 - win.ini: load=C:\OPLIMIT\ocraware.exe
F1 - win.ini: run=hpfsched
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape...srchdft-E.html"); (C:\Program Files\Netscape\Users\default\prefs.js)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\Intuit\QAgent\QAGENT.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Startup: Motorola Wireless USB Adapter.lnk = C:\Program Files\Motorola Wireless\WU830G USB Adapter\Startup.EXE
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
  • 0

#12
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
One more that I missed. Please fix this line with Hijackthis.

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -


How are things working for you now? Any lingering problems?
  • 0

#13
facbaugh

facbaugh

    Member

  • Topic Starter
  • Member
  • 10 posts
Nope, no lingering probs. Thank you so very much for all of your help. My system seems okay for now. I just hope it stays that way.

Thank you again!
  • 0

#14
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Awesome! :)

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and re-enable System Restore here:

    Managing Windows Millennium System Restore

    or

    Windows XP System Restore Guide

    Re-enable System Restore using the instructions from the tutorial above.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online and stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will be reduced dramatically.

:tazz: :woot:
  • 0
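The "Make your Internet Explorer more secure" steps above set six Custom Level actions for the Internet zone. As an added example (not code from the thread), the script below audits an exported copy of that zone's registry values against those six targets and writes the corrective .reg text, so the change can be verified and re-applied instead of being clicked through by hand. The value names (1001, 1004, 1201, 1607, 1800, 1804) and the action codes (0 = Enable, 1 = Prompt, 3 = Disable) are the documented ones for IE security zones; the sample export is constructed, and the function names are my own. It only audits and generates text: applying the result is a separate regedit import.

```python
"""Audit IE Internet-zone settings against the six targets from the post.

Added example, not code from the thread. Registry value names and action
codes are the documented IE security-zone ones; the export sample below is
constructed and the function names are my own.
"""
from __future__ import annotations

import re

ZONE3_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Action codes used by IE's Custom Level dialog; larger is stricter.
ENABLE, PROMPT, DISABLE = 0, 1, 3
ACTION_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# The six settings the post asks for, keyed by their registry value name.
BASELINE = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

# A dword line in a .reg export, e.g. "1001"=dword:00000001
VALUE_RE = re.compile(r'^"(?P<name>\d{4})"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_reg_export(text: str) -> dict[str, int]:
    """Return the numbered dword values found under the Internet-zone key."""
    values: dict[str, int] = {}
    in_zone3 = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_zone3 = line[1:-1].casefold() == ZONE3_KEY.casefold()
            continue
        m = VALUE_RE.match(line)
        if in_zone3 and m:
            values[m.group("name")] = int(m.group("hex"), 16)
    return values


def audit(values: dict[str, int]) -> list[tuple[str, str, str, str]]:
    """Findings (name, description, current, required) for settings weaker than BASELINE.

    A value that is absent is reported too: IE then uses the zone template
    default, which is not the hardened setting the post asks for. A value
    stricter than the target (e.g. Disable where Prompt is required) passes.
    """
    findings = []
    for name, (desc, required) in BASELINE.items():
        current = values.get(name)
        if current is None or current < required:
            findings.append((name, desc, ACTION_NAME.get(current, "not set"), ACTION_NAME[required]))
    return findings


def corrective_reg(findings: list[tuple[str, str, str, str]]) -> str:
    """Build .reg text that sets every reported value to its BASELINE target.

    REGEDIT4 is the header Windows 9x/ME regedit writes and reads; later
    versions of regedit import it as well.
    """
    lines = ["REGEDIT4", "", f"[{ZONE3_KEY}]"]
    for name, _desc, _current, _required in findings:
        lines.append(f'"{name}"=dword:{BASELINE[name][1]:08x}')
    return "\n".join(lines) + "\n"


# Constructed sample: a zone export from a machine still on the IE defaults
# for most of these actions, with 1607 not set at all.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000001
"1201"=dword:00000003
"1800"=dword:00000000
"1804"=dword:00000000
"""

if __name__ == "__main__":
    for name, desc, current, required in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{name} {desc}: {current} -> should be {required}")
    print(corrective_reg(audit(parse_reg_export(SAMPLE_EXPORT))))
```

On the constructed export this reports five of the six settings (1201 already sits at Disable and passes) and emits a REGEDIT4 file that sets only those five. Re-running the audit on that generated text returns no findings, which is the check worth keeping around after the Custom Level dialog has been used.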

#15
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0