
Hijack log - Stubborn Ad Pop ups



#1
Brion
  • Member
  • 13 posts
It seems to all start with Second Thought... and went downhill from there - then DMVlite - (I used their uninstaller - a mistake?)
followed the suggestions to use all the tools - have done so
(Though I am confused on the Spybot product - does it help the IE leak or hurt it?)
Anyway. I appreciate the assistance. Brion

(Also, an aside, I think I have a bunch of files that my machine does not use anymore - would love to clear the registry of them.)


Logfile of HijackThis v1.99.0
Scan saved at 11:49:58 AM, on 1/19/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
c:\jetNT\jsdaemon.exe
C:\WINNT\system32\msupd5.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ScsiAccess.EXE
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\windows\bundles\adl_mteststub.exe
C:\WINNT\system32\zxas.exe
C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
C:\Documents and Settings\brion.PC-BRION\Application Data\ushe.exe
C:\WINNT\system32\n?pdb.exe
C:\WINNT\system32\cfspolcy.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\jetNT\DLLCMD32.EXE
C:\jetNT\JETSTAT.EXE
C:\Program Files\interMute\SpySubtract\SpySub.exe
c:\jetNT\JSFMAN.EXE
C:\Palm\HOTSYNC.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seniorjobshop.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft IE
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINNT\Helper101.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_3.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {89243A65-8CF5-AF03-D168-8F1D826442B2} - C:\WINNT\system32\ihdbuqa.dll
O2 - BHO: (no name) - {93EE2B74-2F52-63AD-547E-48F289BF2EF1} - C:\WINNT\system32\luwdryjq.dll
O2 - BHO: (no name) - {9BD636FA-0AE9-FAF5-76F0-6CD46A68068C} - C:\WINNT\system32\lxxubwro.dll
O2 - BHO: SDWin32 Class - {B60175F9-3220-40A9-8F55-7977F988E1E1} - C:\WINNT\system32\tkblk.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_3.dll
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vcmpin] C:\windows\bundles\adl_mteststub.exe
O4 - HKLM\..\Run: [zxas] C:\WINNT\system32\zxas.exe
O4 - HKLM\..\Run: [AutoLoadersF5q1NNSXMaX] "C:\WINNT\system32\cmcclu.exe" /HideDir /HideUninstall /PC="CP.FHB" /ShowLegalNote="nonbranded"
O4 - HKCU\..\Run: [Forbes] C:\Program Files\Forbes\ForbesAlerts.exe
O4 - HKCU\..\Run: [ChoiceMail] C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
O4 - HKCU\..\Run: [Aatt] C:\Documents and Settings\brion.PC-BRION\Application Data\ushe.exe
O4 - HKCU\..\Run: [Xgal] C:\WINNT\system32\n?pdb.exe
O4 - HKCU\..\Run: [dB56RTc6g] cfspolcy.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: DllCmd32.lnk = C:\jetNT\DLLCMD32.EXE
O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Global Startup: HP LaserJet 3100 Status.lnk = C:\jetNT\JETSTAT.EXE
O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: Open Image in New Window - res://C:\PROGRA~1\PopUpCop\popupcop.dll/imagenew
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/NDWCab.CAB
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernet...urferplugin.ocx
O16 - DPF: {626FE447-E830-4F76-A024-41A20EEECF1A} (RyzeAddrCtrl Class) - http://www.ryze.com/RyzeAddr.CAB
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - ftp://adeskftp.autodesk.com/webpub/mapgui...r5/mgaxctrl.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pu...er/isetupML.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.co...oaderSigned.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin...cab/wabctrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = global.cadence.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A75200D-817C-4B69-8D78-D6ED40727D8C}: Domain = simplex.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A75200D-817C-4B69-8D78-D6ED40727D8C}: NameServer = 207.247.82.121,207.247.82.122
O17 - HKLM\System\CCS\Services\Tcpip\..\{49991DB5-A28D-465D-9577-39C7A34B046E}: NameServer = 207.247.82.121,207.247.82.122,207.155.184.72
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = global.cadence.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = global.cadence.com
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: jsdaemon - JetFax, Inc. - c:\jetNT\jsdaemon.exe
O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINNT\system32\msupd5.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ScsiAccess - Unknown - C:\WINNT\system32\ScsiAccess.EXE
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINNT\wanmpsvc.exe

#2
-=jonnyrotten=-
  • Member 2k
  • Retired Staff
  • 2,678 posts
You have a number of randomly named files on your system. We like to start with an online virus and trojan scan. Even though you have antivirus software on your system, it can become corrupted by malware.

Please run a free online virus scan here (tick the "Auto Clean" checkbox): Needs to be run with Internet Explorer.
http://housecall.antivirus.com/

And a free trojan scan here: (you will have to download the 30 day trial of "The Cleaner" here)
http://www.moosoft.com/

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and we'll remove what's left.

-=jonnyrotten=-

#3
Brion
  • Topic Starter
  • Member
  • 13 posts
It is 11:11pm PST - I have run the antivirus and am now running the Cleaner -
lots of stuff happening -
I am hoping the log will be ready in the next 30 minutes.... Brion

#4
Brion
  • Topic Starter
  • Member
  • 13 posts
OK.. took longer than it said it would...

I rebooted and Spybot just told me that VMSS.exe and WSXSVC.exe were running on my computer - wanted me to do a full scan.. at this point, I said no...

Also, the Cleaner came on warning me that these are in my RUN file....

===============
3 sections here:
1 = cleaner log
2 = my notes on what happened while cleaning
3 = hijack log
=================
I am going to sleep now : -)
Thanks for everything. Brion



FIRST HERE is the log from The Cleaner:

Filename Trojan Action
-------- ------ ------
c:\documents and settings\brion.pc-brion\application data\ushe.exe Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\ipswitch\ws_ftp\wsftp_options.ini Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\ipswitch\ws_ftp\sites\antiviru.ini Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\ipswitch\ws_ftp\sites\archives.ini Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\ipswitch\ws_ftp\sites\games.ini Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\ipswitch\ws_ftp\sites\hardware.ini Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\ipswitch\ws_ftp\sites\ipswitch.ini Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\ipswitch\ws_ftp\sites\original.ini Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\ipswitch\ws_ftp\sites\software.ini Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\ipswitch\ws_ftp\sites\usgovern.ini Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\ipswitch\ws_ftp\sites\ws_ftp.ini Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\lavasoft\ad-aware\description.ini Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\microsoft\signatures\brion.htm Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\microsoft\signatures\cadence address.htm Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\microsoft\signatures\goclaudia.htm Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\microsoft\signatures\hr decline.htm Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\microsoft\signatures\jr. sorry.htm Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\microsoft\signatures\sjs.htm Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\microsoft\signatures\untitled.htm Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\microsoft\stationery\sjs1.htm Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\microsoft\stationery\untitled.htm Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\mozilla\profiles\default\061dpt6c.slt\bookmarks.html Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\real\realone player\viz.ini Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\real\realone player\datacache\channels\channels.ini Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\real\realone player\datacache\channels\main.html Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\real\realone player\datacache\devices\cdr_help.html Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\real\realone player\datacache\formats\encoders.ini Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\real\realone player\datacache\formats\fldrscan.ini Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\real\realone player\datacache\formats\formats.ini Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\real\realone player\datacache\getmedia\getmedia.ini Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\real\realone player\datacache\getmedia\main.html Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\real\realone player\datacache\gpfeat\ak30.ini Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\real\realone player\datacache\gpfeat\cn05.ini Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\real\realone player\datacache\gpfeat\default.ini Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\real\realone player\datacache\gpfeat\devices.ini Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\real\realone player\datacache\gpfeat\df44.ini Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\real\realone player\datacache\gpfeat\encoding.ini Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\real\realone player\datacache\gpfeat\il54.ini Purityscan Quarantined
c:\documents and settings\brion.pc-brion\application data\real\realone player\datacache\gpfeat\importwizard.ini Purityscan Quarantined
c:\temp\leaktest.exe Gibson Research Leaktest Quarantined

=====================================

SECOND: Some notes on what happened while cleaning:
1)
When the antivirus program found this it tried to delete the following file, but said it could not. It was listed as a "trojan loader"
C:\winnt\system32\cfspolcy.exe

2)
When I ran the Cleaner - several times a temp directory was trying to be created, I kept clicking "no"

then the Cleaner warned me that my "run" file had changed - looking at the expected vs. actual - it was the same thing - just in a different order

Then I noticed the cfspolcy.exe file in this "run" file

HKCU\software\microsoft\windows\currentversion\run\
the actual listing was: dB56RTc6g = cfspolcy.exe

SO... in order to try to stop it from being executed before I did the reboot for this log, I did a "modify"
from cfspolcy.exe to cfspolcy.xxx
(I did not want to remove it as I really don't know what this is.)

3)
Spybot popped up in the middle of the scan - and killed TC$10001.exe
It was found in the directory of The Cleaner
Spybot said the ID was "OPTRA"
I deleted any "associated files"

4)
Seemed a lot of the trojans were killed from the realplayer cache directories.
c:\documents and settings\brion.pc-brion\application data\real\realone player\datacache\gpfeat\df44.ini


also a "c:\temp\leaktest.exe" was killed


===============

THIRD: The HijackLog.

Logfile of HijackThis v1.99.0
Scan saved at 12:44:12 AM, on 1/20/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
c:\jetNT\jsdaemon.exe
C:\WINNT\system32\msupd5.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ScsiAccess.EXE
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINNT\system32\zxas.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
C:\WINNT\system32\n?pdb.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\jetNT\DLLCMD32.EXE
C:\jetNT\JETSTAT.EXE
C:\Program Files\interMute\SpySubtract\SpySub.exe
c:\jetNT\JSFMAN.EXE
C:\Palm\HOTSYNC.EXE
C:\WINNT\system32\notepad.exe
C:\WINNT\system32\wsxsvc\wsxsvc.exe
C:\WINNT\system32\vmss\vmss.exe
C:\WINNT\system32\cidaemon.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seniorjobshop.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft IE
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINNT\Helper101.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_3.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {89243A65-8CF5-AF03-D168-8F1D826442B2} - C:\WINNT\system32\ihdbuqa.dll
O2 - BHO: (no name) - {93EE2B74-2F52-63AD-547E-48F289BF2EF1} - C:\WINNT\system32\luwdryjq.dll
O2 - BHO: (no name) - {9BD636FA-0AE9-FAF5-76F0-6CD46A68068C} - C:\WINNT\system32\lxxubwro.dll
O2 - BHO: SDWin32 Class - {B60175F9-3220-40A9-8F55-7977F988E1E1} - C:\WINNT\system32\tkblk.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_3.dll
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vcmpin] C:\windows\bundles\adl_mteststub.exe
O4 - HKLM\..\Run: [zxas] C:\WINNT\system32\zxas.exe
O4 - HKLM\..\Run: [AutoLoadersF5q1NNSXMaX] "C:\WINNT\system32\cmcclu.exe" /HideDir /HideUninstall /PC="CP.FHB" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [Dvx] C:\WINNT\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINNT\system32\vmss\vmss.exe
O4 - HKCU\..\Run: [Forbes] C:\Program Files\Forbes\ForbesAlerts.exe
O4 - HKCU\..\Run: [ChoiceMail] C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
O4 - HKCU\..\Run: [Xgal] C:\WINNT\system32\n?pdb.exe
O4 - HKCU\..\Run: [dB56RTc6g] cfspolcy.xxx
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Aatt] C:\Documents and Settings\brion.PC-BRION\Application Data\ushe.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: DllCmd32.lnk = C:\jetNT\DLLCMD32.EXE
O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Global Startup: HP LaserJet 3100 Status.lnk = C:\jetNT\JETSTAT.EXE
O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: Open Image in New Window - res://C:\PROGRA~1\PopUpCop\popupcop.dll/imagenew
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/NDWCab.CAB
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernet...urferplugin.ocx
O16 - DPF: {626FE447-E830-4F76-A024-41A20EEECF1A} (RyzeAddrCtrl Class) - http://www.ryze.com/RyzeAddr.CAB
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - ftp://adeskftp.autodesk.com/webpub/mapgui...r5/mgaxctrl.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pu...er/isetupML.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.co...oaderSigned.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin...cab/wabctrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = global.cadence.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A75200D-817C-4B69-8D78-D6ED40727D8C}: Domain = simplex.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A75200D-817C-4B69-8D78-D6ED40727D8C}: NameServer = 207.247.82.121,207.247.82.122
O17 - HKLM\System\CCS\Services\Tcpip\..\{49991DB5-A28D-465D-9577-39C7A34B046E}: NameServer = 207.247.82.121,207.247.82.122,207.155.184.72
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = global.cadence.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = global.cadence.com
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: jsdaemon - JetFax, Inc. - c:\jetNT\jsdaemon.exe
O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINNT\system32\msupd5.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ScsiAccess - Unknown - C:\WINNT\system32\ScsiAccess.EXE
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINNT\wanmpsvc.exe

#5
admin
  • Founder Geek
  • Community Leader
  • 24,639 posts
Please disable TeaTimer until we've finished our cleaning. It may interfere with our fixes.

You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft IE
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINNT\Helper101.dll
O2 - BHO: (no name) - {89243A65-8CF5-AF03-D168-8F1D826442B2} - C:\WINNT\system32\ihdbuqa.dll
O2 - BHO: (no name) - {93EE2B74-2F52-63AD-547E-48F289BF2EF1} - C:\WINNT\system32\luwdryjq.dll
O2 - BHO: (no name) - {9BD636FA-0AE9-FAF5-76F0-6CD46A68068C} - C:\WINNT\system32\lxxubwro.dll
O2 - BHO: SDWin32 Class - {B60175F9-3220-40A9-8F55-7977F988E1E1} - C:\WINNT\system32\tkblk.dll
O4 - HKLM\..\Run: [vcmpin] C:\windows\bundles\adl_mteststub.exe
O4 - HKLM\..\Run: [zxas] C:\WINNT\system32\zxas.exe
O4 - HKLM\..\Run: [AutoLoadersF5q1NNSXMaX] "C:\WINNT\system32\cmcclu.exe" /HideDir /HideUninstall /PC="CP.FHB" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [Dvx] C:\WINNT\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINNT\system32\vmss\vmss.exe
O4 - HKCU\..\Run: [Xgal] C:\WINNT\system32\n?pdb.exe
O4 - HKCU\..\Run: [dB56RTc6g] cfspolcy.xxx
O4 - HKCU\..\Run: [Aatt] C:\Documents and Settings\brion.PC-BRION\Application Data\ushe.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/NDWCab.CAB
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernet...urferplugin.ocx
O16 - DPF: {626FE447-E830-4F76-A024-41A20EEECF1A} (RyzeAddrCtrl Class) - http://www.ryze.com/RyzeAddr.CAB
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin...cab/wabctrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = global.cadence.com
O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINNT\system32\msupd5.exe

The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
(Description: Adjusts monitor colours across all programs, including Photoshop. It is needed by some graphics professionals who want their monitor calibrated. Most home users will not need it, and thus should remove this entry. )

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Desktop Messenger\8876480\Program\LDMConf.exe
(Description: Logitech Desktop Manager. Searches for updates for Logitech software. Not necessary. Removing this entry will free up a small amount of system resources.)

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
(Description: Microsoft Office Startup Assistant. This program loads some Microsoft Office components into memory, even if you're not currently using MS Office. Removing this unnecessary program will free up a considerable amount of system resources. )

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):
C:\WINNT\Helper101.dll
C:\WINNT\system32\ihdbuqa.dll
C:\WINNT\system32\luwdryjq.dll
C:\WINNT\system32\lxxubwro.dll
C:\WINNT\system32\tkblk.dll
C:\windows\bundles <- this folder
C:\WINNT\system32\zxas.exe
C:\WINNT\system32\cmcclu.exe
C:\WINNT\system32\wsxsvc <- this folder
C:\WINNT\system32\vmss <- this folder
C:\WINNT\system32\n?pdb.exe
C:\WINNT\system32\cfspolcy.xxx
C:\Documents and Settings\brion.PC-BRION\Application Data\ushe.exe
C:\WINNT\system32\msupd5.exe

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working.
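The hand triage in this thread (the "randomly named files" remark in post #2, The Cleaner's reordered-Run-key warning in post #4, and the fix list in the post above) follows rules that can be scripted over HijackThis log lines. The Python below is an added example, not code from the thread, from HijackThis or from The Cleaner; the two scan excerpts are constructed from the logs posted here, and the review-hint rules are the editor's heuristics rather than anything HijackThis itself applies.

```python
"""Triage helpers for HijackThis-style log lines (added example, not code from the thread).
Parses the O2/O4/O15/O23 lines the helpers worked from, compares two scans
order-insensitively, and attaches heuristic review hints (hints, not verdicts)."""
import re
from dataclasses import dataclass

# Constructed excerpts modelled on the first two logs posted in this thread.
SCAN_BEFORE = r"""
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINNT\Helper101.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [zxas] C:\WINNT\system32\zxas.exe
O4 - HKCU\..\Run: [dB56RTc6g] cfspolcy.exe
O15 - Trusted Zone: http://www.neededware.com
O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINNT\system32\msupd5.exe
"""
SCAN_AFTER = r"""
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - C:\WINNT\Helper101.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [zxas] C:\WINNT\system32\zxas.exe
O4 - HKLM\..\Run: [Dvx] C:\WINNT\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINNT\system32\vmss\vmss.exe
O4 - HKCU\..\Run: [dB56RTc6g] cfspolcy.xxx
O15 - Trusted Zone: http://www.neededware.com
O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINNT\system32\msupd5.exe
"""

# One pattern per section type modelled here; other sections are skipped.
LINE_RE = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"),
    "O4": re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$"),
    "O15": re.compile(r"^O15 - Trusted Zone: (?P<url>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$"),
}
WINDOWS_DIRS = ("c:\\winnt\\", "c:\\windows\\")

@dataclass(frozen=True)
class Entry:
    section: str
    fields: tuple  # sorted (field, value) pairs, hashable so two scans can be set-diffed
    raw: str

def parse_log(text):
    """Return the recognised entries of one scan, in log order."""
    entries = []
    for line in text.strip().splitlines():
        section = line.split(" - ", 1)[0]
        rx = LINE_RE.get(section)
        m = rx.match(line) if rx else None
        if m:
            entries.append(Entry(section, tuple(sorted(m.groupdict().items())), line))
    return entries

def diff_scans(before, after):
    """Order-insensitive diff of two scans -> (added, removed) raw lines.
    A merely reordered Run key, which made The Cleaner warn in post #4, shows up as no change."""
    old = {e.raw for e in parse_log(before)}
    new = {e.raw for e in parse_log(after)}
    return sorted(new - old), sorted(old - new)

def looks_random(name):
    """Letters mixed with digits plus a run of 5+ non-vowels, e.g. the thread's dB56RTc6g."""
    compact = re.sub(r"[^A-Za-z0-9]", "", name)
    runs = re.findall(r"[^AEIOUYaeiouy]+", compact)
    return any(c.isdigit() for c in compact) and max(map(len, runs), default=0) >= 5

def review_hints(entry):
    """Hints of the kind applied by hand in this thread; legitimate software can trip them."""
    f = dict(entry.fields)
    hints = []
    if entry.section == "O2":
        if f["name"] == "(no name)" and not f["path"].lower().startswith("c:\\progra"):
            hints.append("anonymous BHO outside Program Files")
        if f["path"] == "(no file)":
            hints.append("orphaned BHO registration")
    elif entry.section == "O4":
        if looks_random(f["key"]):
            hints.append("random-looking value name")
        if f["cmd"].strip('"').lower().startswith(WINDOWS_DIRS):
            hints.append("autorun binary living in the Windows directory")
        if "\\" not in f["cmd"]:
            hints.append("bare file name, resolved through the search path")
    elif entry.section == "O15":
        hints.append("site added to the IE Trusted Zone (relaxed security settings)")
    elif entry.section == "O23" and f["vendor"] == "Unknown":
        hints.append("service with no company name")
    return hints

if __name__ == "__main__":
    added, removed = diff_scans(SCAN_BEFORE, SCAN_AFTER)
    print("Added since first scan:", *added, sep="\n  ")
    print("Removed since first scan:", *removed, sep="\n  ")
    for e in parse_log(SCAN_AFTER):
        hints = review_hints(e)
        if hints:
            print(e.raw, "\n   ->", "; ".join(hints))
```

Run against the two full logs posted above, the diff isolates the [Dvx] and [vmss] entries that appeared after the reboot, while entries such as vptray and Spybot's SDHelper earn no hints.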

#6
Brion
  • Topic Starter
  • Member
  • 13 posts
OK.. here we go..

These files did not show up:
C:\WINNT\system32\luwdryjq.dll
C:\WINNT\system32\lxxubwro.dll
C:\WINNT\system32\cmcclu.exe
C:\WINNT\system32\n?pdb.exe
C:\Documents and Settings\brion.PC-BRION\Application Data\ushe.exe
C:\WINNT\system32\msupd5.exe

I did find a file nopdb.exe and moved it to a temp file and await your instructions - put it back or delete

With regard to tkblk.dll - with this I found the following files:
tkblka.xml
tkblkb.xml
tkblkd.exe
tkblke.xml
tkblkf.exe
I moved these to a temp file and await your instructions

Here is the log... I notice I have more BHO no name files :--(

but - have not had a pop up the entire time I have worked on this post....

ANYway.. got to run to work... here is the hijack file.
Thanks again for everything. Brion

Logfile of HijackThis v1.99.0
Scan saved at 12:01:45 PM, on 1/20/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
c:\jetNT\jsdaemon.exe
C:\WINNT\system32\msupd5.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ScsiAccess.EXE
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\cidaemon.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\jetNT\DLLCMD32.EXE
C:\jetNT\JETSTAT.EXE
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Palm\HOTSYNC.EXE
c:\jetNT\JSFMAN.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seniorjobshop.com/
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_3.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {89243A65-8CF5-AF03-D168-8F1D826442B2} - (no file)
O2 - BHO: (no name) - {93EE2B74-2F52-63AD-547E-48F289BF2EF1} - (no file)
O2 - BHO: (no name) - {9BD636FA-0AE9-FAF5-76F0-6CD46A68068C} - (no file)
O2 - BHO: (no name) - {B60175F9-3220-40A9-8F55-7977F988E1E1} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_3.dll
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [zxas] C:\WINNT\system32\zxas.exe
O4 - HKCU\..\Run: [Forbes] C:\Program Files\Forbes\ForbesAlerts.exe
O4 - HKCU\..\Run: [ChoiceMail] C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: DllCmd32.lnk = C:\jetNT\DLLCMD32.EXE
O4 - Global Startup: HP LaserJet 3100 Status.lnk = C:\jetNT\JETSTAT.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: Open Image in New Window - res://C:\PROGRA~1\PopUpCop\popupcop.dll/imagenew
O16 - DPF: NDWCab -
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} -
O16 - DPF: {626FE447-E830-4F76-A024-41A20EEECF1A} -
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - ftp://adeskftp.autodesk.com/webpub/mapgui...r5/mgaxctrl.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pu...er/isetupML.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.co...oaderSigned.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = global.cadence.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A75200D-817C-4B69-8D78-D6ED40727D8C}: Domain = simplex.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A75200D-817C-4B69-8D78-D6ED40727D8C}: NameServer = 207.247.82.121,207.247.82.122
O17 - HKLM\System\CCS\Services\Tcpip\..\{49991DB5-A28D-465D-9577-39C7A34B046E}: NameServer = 207.247.82.121,207.247.82.122,207.155.184.72
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = global.cadence.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = global.cadence.com
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: jsdaemon - JetFax, Inc. - c:\jetNT\jsdaemon.exe
O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINNT\system32\msupd5.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ScsiAccess - Unknown - C:\WINNT\system32\ScsiAccess.EXE
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINNT\wanmpsvc.exe

#7 Brion (Member, Topic Starter, 13 posts)
One more thing... The Cleaner pops up and says "I can fix your registry", with boxes marked "repair association" AND "disable scripts"...

Any suggestions?
Brion

#8 -=jonnyrotten=- (Member 2k, Retired Staff, 2,678 posts)
Reset your hosts file.
Click here to download HostsFileReader. To reset the hosts file to default, simply open the program, click the "reset default" button, and confirm the changes.

You may wish to print out a copy of these instructions to follow while you complete this procedure. Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible. Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - (no file)
O2 - BHO: (no name) - {89243A65-8CF5-AF03-D168-8F1D826442B2} - (no file)
O2 - BHO: (no name) - {93EE2B74-2F52-63AD-547E-48F289BF2EF1} - (no file)
O2 - BHO: (no name) - {9BD636FA-0AE9-FAF5-76F0-6CD46A68068C} - (no file)
O2 - BHO: (no name) - {B60175F9-3220-40A9-8F55-7977F988E1E1} - (no file)
O4 - HKLM\..\Run: [zxas] C:\WINNT\system32\zxas.exe
O16 - DPF: NDWCab -
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} -
O16 - DPF: {626FE447-E830-4F76-A024-41A20EEECF1A} -
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} -

Please reboot into safe mode (continually tap the F8 key while your system is starting and select Safe Mode from the menu). Be sure you're able to view hidden files, and remove the following files (if found):

C:\WINNT\system32\zxas.exe

Reboot normally.

Please run a free online virus scan here (it needs to be run with Internet Explorer):
http://www.pandasoft...n_principal.htm

Reboot and post a new log.

-=jonnyrotten=- :tazz:

#9 -=jonnyrotten=- (Member 2k, Retired Staff, 2,678 posts)
I'd let The Cleaner fix it. :tazz:

-=jonnyrotten=- ;)

#10 Brion (Member, Topic Starter, 13 posts)
I cannot use the link to HostsFileReader.
I get this message:

VirtuaNews Message
You do not have permission to do this action. If you think you should do, please contact the webmaster.

#11 -=jonnyrotten=- (Member 2k, Retired Staff, 2,678 posts)
You must be logged into Geeks to Go in order to download. If you are and it still doesn't work, then I don't know why, but if you click on the link in my signature to go to my malware page, you can download it from there. It's on the left hand side under "Utilities".

-=jonnyrotten=- :tazz:

#12 Brion (Member, Topic Starter, 13 posts)
I could not download the HostsFileReader - even when I went to the page directly, there was no link there.

Searched the net and found a copy.

Cleaned with Panda - seemed like a good deep cleaning. Here is my log:
I cannot seem to clear those no-name BHOs... any way to find out what they are connected to? Thanks again...

Logfile of HijackThis v1.99.0
Scan saved at 7:14:10 AM, on 1/21/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
c:\jetNT\jsdaemon.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ScsiAccess.EXE
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\jetNT\DLLCMD32.EXE
C:\jetNT\JETSTAT.EXE
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Palm\HOTSYNC.EXE
c:\jetNT\JSFMAN.EXE
C:\WINNT\system32\cidaemon.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seniorjobshop.com/
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_3.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {89243A65-8CF5-AF03-D168-8F1D826442B2} - (no file)
O2 - BHO: (no name) - {93EE2B74-2F52-63AD-547E-48F289BF2EF1} - (no file)
O2 - BHO: (no name) - {9BD636FA-0AE9-FAF5-76F0-6CD46A68068C} - (no file)
O2 - BHO: (no name) - {B60175F9-3220-40A9-8F55-7977F988E1E1} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_3.dll
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [Forbes] C:\Program Files\Forbes\ForbesAlerts.exe
O4 - HKCU\..\Run: [ChoiceMail] C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: DllCmd32.lnk = C:\jetNT\DLLCMD32.EXE
O4 - Global Startup: HP LaserJet 3100 Status.lnk = C:\jetNT\JETSTAT.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: Open Image in New Window - res://C:\PROGRA~1\PopUpCop\popupcop.dll/imagenew
O16 - DPF: NDWCab -
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} -
O16 - DPF: {626FE447-E830-4F76-A024-41A20EEECF1A} -
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - ftp://adeskftp.autodesk.com/webpub/mapgui...r5/mgaxctrl.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pu...er/isetupML.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.co...oaderSigned.cab
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = global.cadence.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A75200D-817C-4B69-8D78-D6ED40727D8C}: Domain = simplex.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A75200D-817C-4B69-8D78-D6ED40727D8C}: NameServer = 207.247.82.121,207.247.82.122
O17 - HKLM\System\CCS\Services\Tcpip\..\{49991DB5-A28D-465D-9577-39C7A34B046E}: NameServer = 207.247.82.121,207.247.82.122,207.155.184.72
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = global.cadence.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = global.cadence.com
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: jsdaemon - JetFax, Inc. - c:\jetNT\jsdaemon.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ScsiAccess - Unknown - C:\WINNT\system32\ScsiAccess.EXE
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINNT\wanmpsvc.exe

#13 -=jonnyrotten=- (Member 2k, Retired Staff, 2,678 posts)
Not sure what those are from. I know 2 of them are from Spybot's Tea Timer. I don't know why they say (no file). I have them too, and when you uninstall Tea Timer they go away. I don't know what the other 4 are from. Maybe it's the same type of thing with one of the other programs you have; that's why they won't go away. I'll have someone double check for me. In the meantime, let's see what happens if we try to do this again.

Remove these ones with Hijack This:

O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - (no file)
O2 - BHO: (no name) - {89243A65-8CF5-AF03-D168-8F1D826442B2} - (no file)
O2 - BHO: (no name) - {93EE2B74-2F52-63AD-547E-48F289BF2EF1} - (no file)
O2 - BHO: (no name) - {9BD636FA-0AE9-FAF5-76F0-6CD46A68068C} - (no file)
O2 - BHO: (no name) - {B60175F9-3220-40A9-8F55-7977F988E1E1} - (no file)
O16 - DPF: NDWCab -
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} -
O16 - DPF: {626FE447-E830-4F76-A024-41A20EEECF1A} -

Remember, 2 of those BHOs are from Spybot, so they will definitely come back. Reboot and post a new log. How are things running?

-=jonnyrotten=- :tazz:
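A small triage script for HijackThis-format log lines, added here as an example that is not part of this thread and not part of HijackThis itself. It applies the same rules the helper used in #8 and #13 (hosts overrides, O2 BHO entries registered with no file on disk, autostarts launched from system32, O16 download entries with no source URL, O23 services with an unknown vendor) to constructed sample lines; the sample lines and the `SYSTEM32_ALLOW` allowlist are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99 log format, modelled on entries
# from this thread; it is not one of the posted logs.
SAMPLE_LOG = r"""
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [zxas] C:\WINNT\system32\zxas.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O16 - DPF: NDWCab -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.../xscan53.cab
O23 - Service: Miscrosoft Updates Service 5 - Unknown - C:\WINNT\system32\msupd5.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""


@dataclass
class Finding:
    section: str
    reason: str
    line: str


# HijackThis only lists hosts entries that differ from the default file.
LOCALHOST = {"127.0.0.1 localhost"}
# Hypothetical allowlist: autostart executables that legitimately live in
# system32 on this machine; the analyst extends it as entries are verified.
SYSTEM32_ALLOW = {"mobsync.exe"}

SECTION_RE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+)\s+-\s+(.*)$")


def triage_line(line: str):
    """Return a Finding for one log line if it matches a triage rule, else None."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section == "O1":
        entry = body.split(":", 1)[1].strip()
        if entry not in LOCALHOST:
            return Finding(section, "hosts file override (possible redirect)", line)
    elif section == "O2" and body.endswith("(no file)"):
        # CLSID still registered under the BHO key but the DLL is gone.
        return Finding(section, "orphaned BHO CLSID: registered but DLL missing", line)
    elif section == "O4":
        target = body.split("]", 1)[-1].strip().strip('"').lower()
        exe = target.split("\\")[-1].split(" ")[0]
        if "\\system32\\" in target and exe not in SYSTEM32_ALLOW:
            return Finding(section, "autostart from system32 not on allowlist", line)
    elif section == "O16" and body.rstrip().endswith("-"):
        return Finding(section, "ActiveX download entry with no source URL", line)
    elif section == "O23":
        parts = [p.strip() for p in body.split(" - ")]
        if len(parts) >= 3 and parts[1] == "Unknown":
            return Finding(section, "service with unknown vendor", line)
    return None


def triage_log(text: str):
    """Run every line of a log through triage_line and collect the findings."""
    return [f for f in (triage_line(raw) for raw in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(f"[{finding.section}] {finding.reason}: {finding.line}")
```

Entries the script flags are candidates for the analyst to verify, not a verdict; the helper's own list in #8 was built the same way, rule by rule, and then checked by hand.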

#14 Brion (Member, Topic Starter, 13 posts)
Here is my log.. it seems those no-name files are part of something currently running... my system seems to be doing pretty well - no pop-ups happening yet...
I really appreciate all the assistance.. Thanks so much...

Anything else I should deal with at this point?

Oh.. are these both AOL?? If so, can I remove them.. I am not sure I trust AOL...

O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINNT\wanmpsvc.exe

Regards,

Brion

Logfile of HijackThis v1.99.0
Scan saved at 8:48:48 PM, on 1/21/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
c:\jetNT\jsdaemon.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ScsiAccess.EXE
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\jetNT\JETSTAT.EXE
C:\Program Files\interMute\SpySubtract\SpySub.exe
c:\jetNT\JSFMAN.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seniorjobshop.com/
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: (no name) - {017C20C1-F86F-11D8-9B25-000ACD002AE3} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_3.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {89243A65-8CF5-AF03-D168-8F1D826442B2} - (no file)
O2 - BHO: (no name) - {93EE2B74-2F52-63AD-547E-48F289BF2EF1} - (no file)
O2 - BHO: (no name) - {9BD636FA-0AE9-FAF5-76F0-6CD46A68068C} - (no file)
O2 - BHO: (no name) - {B60175F9-3220-40A9-8F55-7977F988E1E1} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_3.dll
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRA~1\PopUpCop\PopUpCop.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [ChoiceMail] C:\Program Files\DigiPortal Software\ChoiceMail\ChoiceMail.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP LaserJet 3100 Status.lnk = C:\jetNT\JETSTAT.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: Open Image in New Window - res://C:\PROGRA~1\PopUpCop\popupcop.dll/imagenew
O16 - DPF: NDWCab -
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} -
O16 - DPF: {626FE447-E830-4F76-A024-41A20EEECF1A} -
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - ftp://adeskftp.autodesk.com/webpub/mapgui...r5/mgaxctrl.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pu...er/isetupML.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} -
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = global.cadence.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A75200D-817C-4B69-8D78-D6ED40727D8C}: Domain = simplex.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A75200D-817C-4B69-8D78-D6ED40727D8C}: NameServer = 207.247.82.121,207.247.82.122
O17 - HKLM\System\CCS\Services\Tcpip\..\{49991DB5-A28D-465D-9577-39C7A34B046E}: NameServer = 207.247.82.121,207.247.82.122,207.155.184.72
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = global.cadence.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = global.cadence.com
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: jsdaemon - JetFax, Inc. - c:\jetNT\jsdaemon.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: ScsiAccess - Unknown - C:\WINNT\system32\ScsiAccess.EXE
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINNT\wanmpsvc.exe

#15 -=jonnyrotten=- (Member 2k, Retired Staff, 2,678 posts)
I need to get a second opinion about this log; it looks strange to me. Just hang tight, but in the meantime live by these words:

"Never trust AOL.... Ever! ...No matter what!!"

Either I or another staff member will be back with the next instructions.

-=jonnyrotten=- :tazz: