# Could someone look at this Hijack This Log



## cencoprod (May 27, 2003)

I have had a great deal of trouble with my computer since my teenage son went surfing a few weeks ago. It was as if my computer was hijacked! I stumbled onto this site while searching for help. I've got pop-ups and porn, and when on the internet I have to wait seconds for everything I type in to appear. If I drag a scroll bar it takes forever. I have frequent lock-ups. Below is a log from a Hijack This report. 
Thanks for any light you can shed on this mystery.

Logfile of HijackThis v1.94.0
Scan saved at 1:03:04 AM, on 5/22/03
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.martfinder.com/reindex.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.couldnotfind.com/search_page.html?&account_id=50108
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.couldnotfind.com/search_page.html?&account_id=50108
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.klove.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.mp3hi-fi.com/cgi-bin/l/lnk.cgi?l=searchdef
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.couldnotfind.com/search_page.html?&account_id=50108
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.martfinder.com/reindex.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL=http://girlf**k.rompl.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://girlf**k.rompl.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://girlf**k.rompl.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.martfinder.com/reindex.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.martfinder.com/reindex.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.martfinder.com/reindex.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.mp3hi-fi.com/cgi-bin/l/lnk.cgi?l=searchass
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=c:\windows\SYSTEM\blank.htm
F1 - win.ini: load=c:\oplimit\ocraware.exe
O1 - Hosts: 66.250.171.164 auto.search.msn.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_4_0.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\E2G\IEBHOS.DLL
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRAM FILES\ISTBAR\ISTBAR.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_4_0.DLL
O3 - Toolbar: Zipclix - {319A68DB-06D0-46DA-9F93-A810D5A70836} - C:\PROGRAM FILES\ZIPCLIX\ZIPCLIX.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Mediascape\One-touch Multimedia Keyboard\KeybdMgr.exe
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [HPHA2MON] C:\WINDOWS\SYSTEM\hpha2mon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb01.exe
O4 - HKLM\..\Run: [Svchost] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [rb32 lptt01] "c:\program files\rb32\rb32.exe"
O4 - HKLM\..\Run: [Shell] c:\ray.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Media Manager Indexer.lnk = C:\Program Files\Common Files\Microsoft Shared\Media Manager\AIRSVCU.EXE
O4 - Startup: HP OfficeJet Series 700 StartUp.lnk = C:\Program Files\HP OfficeJet Series 700\bin\HPOstr03.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.terra.es/personal7/loversforever/sv/svchost.exe
O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} (eConn Class) - http://econnect.libereco.net/econnect.cab
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {11BF0E2B-4229-4ADC-9C11-1C6968731018} (Download Class) - http://www.0190-dialer.com/VLoading.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_4_0.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://www.clock-sync.com/ClockSyncAutoSYNC0014.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://www.40best.com/Free_Mp3search.exe
O16 - DPF: {E9041F85-3C18-4A7E-A29D-E24F84B79BF1} - http://e2give.com/downloads/UGO20.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37754.8810069444
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://66.28.46.99/iwasher/pptproactauthcogent/internetwasherpro.cab
O16 - DPF: {B843DA96-2B2D-447E-90AB-B92929AA11AF} (HTMLDialer Class) - http://usa-download.nocreditcard.com/download/Object/DialerHTML/EGHTMLDialer.cab
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://www.free-scratch-cards.com/install.exe
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSignedAdvertisingcom.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://pluginaccess.com/pornmoviepost/Browser_Plugin.cab

I *'d out a couple of foul words.

Craig


----------



## Top Banana (Nov 11, 2002)

Download Spybot S&D. Update it via "Online" tab. Search for and download all updates. Close Internet Explorer, "Check for problems", after scan "Fix selected problems".

Then please post a new HijackThis log.


----------



## TonyKlein (Aug 26, 2001)

I have a question:

In addition to a LOT of malware, you also have both an E2Give browser plugin and ActiveX control:

http://e2give.com/

Did you install those wittingly, and were you aware of their presence?
If you aren't, this needs to be pursued further.

TIA!


----------



## cencoprod (May 27, 2003)

I have downloaded and run Spybot S & D. The program found 93 items that were a problem and they were corrected. I am posting a new HijackThis log as requested. 
As for the e2give plugin and ActiveX control, I have to admit I not only did not know they were there but don't have a clue what they do.
Thanks for your help in this murky matter.

Craig

Logfile of HijackThis v1.94.0
Scan saved at 12:51:21 AM, on 5/28/03
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.martfinder.com/reindex.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.couldnotfind.com/search_page.html?&account_id=50108
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.couldnotfind.com/search_page.html?&account_id=50108
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.klove.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.mp3hi-fi.com/cgi-bin/l/lnk.cgi?l=searchdef
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.couldnotfind.com/search_page.html?&account_id=50108
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.martfinder.com/reindex.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL=http://girl****.rompl.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://girl****.rompl.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://girl****.rompl.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.martfinder.com/reindex.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.martfinder.com/reindex.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.martfinder.com/reindex.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.mp3hi-fi.com/cgi-bin/l/lnk.cgi?l=searchass
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=c:\windows\SYSTEM\blank.htm
F1 - win.ini: load=c:\oplimit\ocraware.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_4_0.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\E2G\IEBHOS.DLL
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRAM FILES\ISTBAR\ISTBAR.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_4_0.DLL
O3 - Toolbar: Zipclix - {319A68DB-06D0-46DA-9F93-A810D5A70836} - C:\PROGRAM FILES\ZIPCLIX\ZIPCLIX.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Mediascape\One-touch Multimedia Keyboard\KeybdMgr.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [HPHA2MON] C:\WINDOWS\SYSTEM\hpha2mon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb01.exe
O4 - HKLM\..\Run: [rb32 lptt01] "c:\program files\rb32\rb32.exe"
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [McAfee Guardian] "c:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "c:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Startup: Media Manager Indexer.lnk = C:\Program Files\Common Files\Microsoft Shared\Media Manager\AIRSVCU.EXE
O4 - Startup: HP OfficeJet Series 700 StartUp.lnk = C:\Program Files\HP OfficeJet Series 700\bin\HPOstr03.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.terra.es/personal7/loversforever/sv/svchost.exe
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_4_0.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://www.clock-sync.com/ClockSyncAutoSYNC0014.cab
O16 - DPF: {D3D83E08-54D1-4E9D-8EAF-9F979D139294} (MaxisSimCityScapeTeleX Control) - http://simcity.ea.com/scape/teleport/MaxisSimCityScapeTeleX.cab
O16 - DPF: {E9041F85-3C18-4A7E-A29D-E24F84B79BF1} - http://e2give.com/downloads/UGO20.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37754.8810069444
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://66.28.46.99/iwasher/pptproactauthcogent/internetwasherpro.cab
O16 - DPF: {B843DA96-2B2D-447E-90AB-B92929AA11AF} (HTMLDialer Class) - http://usa-download.nocreditcard.com/download/Object/DialerHTML/EGHTMLDialer.cab
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://www.free-scratch-cards.com/install.exe
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSignedAdvertisingcom.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab


----------



## TonyKlein (Aug 26, 2001)

In Hijack This, check ALL of the following items. Double-check so as to be sure not to miss a single one.
Next, shut down _all_ browser Windows, and have HT fix all checked.

You NEED to restart your computer when you're done.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL=http://www.martfinder.com/reindex.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.couldnotfind.com/search_page.html?&account_id=50108
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.couldnotfind.com/search_page.html?&account_id=50108
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.klove.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.mp3hi-fi.com/cgi-bin/l/lnk.cgi?l=searchdef
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.couldnotfind.com/search_page.html?&account_id=50108
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.martfinder.com/reindex.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL=http://girl****.rompl.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://girl****.rompl.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://girl****.rompl.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.martfinder.com/reindex.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.martfinder.com/reindex.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=http://www.martfinder.com/reindex.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.mp3hi-fi.com/cgi-bin/l/lnk.cgi?l=searchass

O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\E2G\IEBHOS.DLL

O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRAM FILES\ISTBAR\ISTBAR.DLL
O3 - Toolbar: Zipclix - {319A68DB-06D0-46DA-9F93-A810D5A70836} - C:\PROGRAM FILES\ZIPCLIX\ZIPCLIX.DLL

O4 - HKLM\..\Run: [rb32 lptt01] "c:\program files\rb32\rb32.exe"
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - 
O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.terra.es/personal7/lover.../sv/svchost.exe
O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://www.clock-sync.com/ClockSyncAutoSYNC0014.cab
O16 - DPF: {E9041F85-3C18-4A7E-A29D-E24F84B79BF1} - http://e2give.com/downloads/UGO20.exe
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://66.28.46.99/iwasher/pptproac...etwasherpro.cab
O16 - DPF: {B843DA96-2B2D-447E-90AB-B92929AA11AF} (HTMLDialer Class) - http://usa-download.nocreditcard.co...GHTMLDialer.cab
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://www.free-scratch-cards.com/install.exe
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http//pdf.forbes.com/forbesnews/tr...ertisingcom.cab

Good luck,
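
As an added example (not code from the thread or from HijackThis itself), the parser below reads the log format used throughout this thread and gives each entry a stable key: the registry value for R0/R1 lines, the CLSID for O2/O3/O16 items, and location plus value name for O4 autostarts. With that it diffs cencoprod's two logs to show what Spybot S&D actually removed, and checks TonyKlein's fix list, whose URLs the forum truncated, against the later log. The key scheme is this example's own; the embedded lines are abbreviated excerpts of the logs and list posted above.

```python
import re
from dataclasses import dataclass

# Excerpts copied from the thread (abbreviated): cencoprod's first log, the log
# posted after Spybot S&D ran, and TonyKlein's fix list with its "*" markers and
# forum-truncated "..." URLs. The diff below therefore covers only these lines.
BEFORE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.martfinder.com/reindex.html
F1 - win.ini: load=c:\oplimit\ocraware.exe
O1 - Hosts: 66.250.171.164 auto.search.msn.com
O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\E2G\IEBHOS.DLL
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRAM FILES\ISTBAR\ISTBAR.DLL
O4 - HKLM\..\Run: [Svchost] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [Shell] c:\ray.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.terra.es/personal7/loversforever/sv/svchost.exe
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {11BF0E2B-4229-4ADC-9C11-1C6968731018} (Download Class) - http://www.0190-dialer.com/VLoading.cab
"""
AFTER_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.martfinder.com/reindex.html
F1 - win.ini: load=c:\oplimit\ocraware.exe
O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\E2G\IEBHOS.DLL
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRAM FILES\ISTBAR\ISTBAR.DLL
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [McAfee Guardian] "c:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.terra.es/personal7/loversforever/sv/svchost.exe
"""
FIX_LIST = r"""
*R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.martfinder.com/reindex.html
O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\E2G\IEBHOS.DLL
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\PROGRAM FILES\ISTBAR\ISTBAR.DLL
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O16 - DPF: {4E15D681-1D20-11D4-8B72-000021DA1956} - http://www.terra.es/personal7/lover.../sv/svchost.exe*
"""

@dataclass(frozen=True)
class Entry:
    code: str    # HijackThis section, e.g. "R1", "O4", "O16"
    key: str     # stable identity used to match the same item across logs
    detail: str  # the rest of the line: URL, file path, command line

CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Optional "*" at either end absorbs the bold markers in the quoted fix list.
LINE_RE = re.compile(r"^\*?(?P<code>[RFO]\d+) - (?P<body>.*?)\*?$")

def parse_line(line):
    """Return an Entry for one HijackThis line, or None for headers/blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code in ("R0", "R1", "F1"):
        # Registry value or ini key left of the first "=", its setting on the right.
        key, _, value = body.partition("=")
        return Entry(code, key.strip(), value.strip())
    if code == "O1":
        # "Hosts: <ip> <hostname>": the redirected hostname is the identity.
        parts = body.split()
        return Entry(code, parts[-1], " ".join(parts[1:-1]))
    if code == "O4":
        # "HKLM\..\Run: [Name] cmd" or "Startup: file.lnk = path": location + name.
        loc, _, rest = body.partition(": ")
        if rest.startswith("["):
            name, _, target = rest[1:].partition("] ")
        else:
            name, _, target = rest.partition(" = ")
        return Entry(code, f"{loc}|{name.strip()}", target.strip())
    clsid = CLSID_RE.search(body)
    if clsid:
        # O2/O3/O16 items carry a CLSID; keying on it survives truncated URLs.
        return Entry(code, clsid.group(0).upper(), body)
    return Entry(code, body, "")

def parse_log(text):
    """Map (section, key) -> Entry for every recognised line in a log."""
    entries = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry:
            entries[(entry.code, entry.key)] = entry
    return entries

def diff_logs(before_text, after_text):
    """Return (removed, added) keys between two scans of the same machine."""
    before, after = parse_log(before_text), parse_log(after_text)
    removed = sorted(k for k in before if k not in after)
    added = sorted(k for k in after if k not in before)
    return removed, added

def unfixed(log_text, fix_list_text):
    """Keys from a helper's fix list that still appear in a later log."""
    log, fixes = parse_log(log_text), parse_log(fix_list_text)
    return sorted(k for k in fixes if k in log)
```

On these excerpts `diff_logs(BEFORE_LOG, AFTER_LOG)` reports the hosts-file redirect, the two odd HKLM Run entries and two O16 downloads as removed, while `unfixed(AFTER_LOG, FIX_LIST)` shows all five fix-list items still present, which is why a further HijackThis fix and a fresh log were needed.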


----------



## cencoprod (May 27, 2003)

Tony,

I have completed the required tasks. Is there anything more I need to do? What kind of precautions might I take to keep from getting all this stuff loaded on my computer?

Thanks sooo much!

Craig


----------



## TonyKlein (Aug 26, 2001)

You're welcome, Craig. 

You may find this a useful read: So how on earth did I get all this spyware in the first place?


----------



## violator (Jul 3, 2002)

I've been having problems with my computer as well, and I noticed that same E2G file on my computer. I have no idea where it came from either. It says that it was put on my computer just last month, and that's about the same time my problems started. Ad-aware doesn't recognize it as spyware, neither does Spybot. I updated both of those programs and ran them after I read this thread, and neither program so much as noticed the plug-in or the file.


----------



## TonyKlein (Aug 26, 2001)

No, this E2Give foistware is pretty recent. We now know it's getting stealth installed in some way, but as yet we're unable to tell how it happens.

It does have everyone's attention, though.

Incidentally, using SpyBot > Tools > BHOs, you can easily toggle the Status of the E2G BHO to 'off'.

Cheers, Tony


----------



## DanStern (Jul 26, 2003)

Thanks folks. 

I run XP Professional with separate logins for the wife and kids. Most of the time we use MSIE 6.whatever (I gave up the fight and have been assimilated). 

Yesterday MSIE stopped loading for anyone but me (Admin has his privileges! albeit only virtually). As usual everyone swears innocence to picking up Gator or any of the other sneaky-ware. 

Here is what everyone was getting. " Microsoft Visual C++ Runtime Library. This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information." 

I checked the hardware and software firewalls for any obvious "admissions" the family may have granted, ran Ad-Aware and got rid of the built-up cookies (and a registry key - Ughhh!) that no one would admit to (I don't tell them that I can tell) and tried MSIE again. It didn't work so I started the official problem solving.

Bein a "guy", I hacked away at it for a while without looking for help or directions. Giving up (and without anyone looking) I googled the error message and poked around. (I am not a forum joiner, too many spam bots dig out your personals). The discussions I read about things people had tried to eliminate the problem were interesting. The advice they were getting was really interesting.

One guy had reloaded XP Pro. He was advised to reload MSIE and his drivers. A person could spend all day reloading and wipe all his cool stuff in the process. Just what I want to do. Other discussions were no more helpful. 

Finally, I resorted to the old standby. Uninstall anything I don't recognize (most times checking what it is first). I got to this "E2G" thing, searched "e2g plugin" and ended up on this thread. Aha! Stealth spy crap sneaky ware!

Went back, uninstalled E2G (%^$#&^), and the problem was fixed! 

No reload, no recovery, no reformatting my hard drive, no deciphering dumps, no hosing up the registry, no calls to the hotline holding queue (we don't really have anyone who answers, but I get so ticked holding I forget about the problem), no reseating all the chips, simms, dimms, and boards. You get the drift.

This gets interesting....

Now knowing what I was looking for, I went back to the old router log and found the last MSIE access. I missed it first time around. My kid went to a site he is on his honor (too smart for me to filter) not to visit, New$gr*ounds.com. (Punctuation added to keep them from finding this post).

I confronted the little hoodlum (10) and he admitted it. He added that he just hit the site again from the wireless downstairs. Sure enough, I checked the log and there it was. Now the fun part.

While I was checking the logs, I saw outbound HTTP traffic to:
207.151.118.142 
Which resolves to:
OrgName: Los Nettos
OrgID: LNET
Address: USC Information Sciences Institute
Address: PO Box 11565
City: Marina del Rey
StateProv: CA
PostalCode: 11565
Country: US


Right after that, outbound traffic to Pa$yPa&l.com(punctuation added) port 443.

All that is coming from my internal IP and I aint doin it.

Gotta end this post, and go hack away at it for a while (sound familiar)

Someone else might want to be a hero and go see if that site (or their many "affiliates") is one of the distributors of this E2G thingie.

I got stuff to break ;-)

Later,

DanStern


----------



## NiteHawk (Mar 9, 2003)

It would be interesting to, as Paul Harvey would say, hear the rest of the story.


----------



## DanStern (Jul 26, 2003)

Thanks for the interest in my ongoing saga.

Once again, I applied the tried and true professional diagnostic technique, "try anything 'til something seems like it works, then nod and smile knowingly". (I coulda been a doctor.)

I couldn't find anything besides the usual bounced probes in the inbound router logs. While I was in the router, I filtered Port 443. Of course, that won't work long term because it blocks SSL. (It was sorta like locking the door from the inside when you think there might be a prowler in the house. He can't get out but neither can you.)

By now I had an audience, so I nodded, smiled knowingly, and tried something else. Using my trusty, and kid free, laptop (complete with company research funded cell modem card), picked a current version of navdefs and scanned the family box. Nothing. Since the family is always so impressed when I get two computers within 6 feet of each other, I was obliged to nod and smile knowingly anyway.

That is where my pickle sits. What's next? Having turned in my sniffer and propeller beanie, I refuse to read dumps of TCPIP packets. Too much like work. With my bithead in training on the remote box, at the time the incident occurred, the mystery traffic from my internal IP may very well have been originated by something he was running in a remote session. He denies it (as always). I haven't checked the software firewalls, but the freebies won't give me the detail I need to nab the little criminal. He could easily have been hacking my Paypal to buy anything from Yugioh cards to one of the surplus Crays the Feds have been auctioning. Ah, to be young again.

I think we'll just wait a while and see if it gets worse (Doctor Dan strikes again). If it heals, I fixed it. If it gets worse, I will nod, smile knowingly, and try something else. Meanwhile, if it turns out E2G caused the problem, one of the hard working white hats will pick it up in no time. Then I can fix the problem here, take credit with the family, and retain the status and respect (fear?) that goes with bein Admin.

Take care and be careful out there.

Later,

DanStern


----------



## TheresaK75 (Dec 11, 2003)

Thank you all so much for the information in this post. I got back from my sister's after a week to find my comp had a bunch of new stuff downloaded (including "e2g plugin"), homepage changed and pop-ups all over the place. I am SO unhappy with my dad, who has claimed complete innocence but now I have seen the proof when I checked the webpage logs and it was done when he was the only one here. 
I found this site through msn search and it's like a miracle to have found what I needed so quickly to fix my comp. I doubt it will ever be the same again cause for some reason it says that my system restore has been shut off... oh well, off to try to fix that now. Thanks again all!


----------



## $teve (Oct 9, 2001)

Welcome Theresa.........We can take a look at your log if you like.

Go to http://www.tomcoyote.org/hjt/ and download 'Hijack This!'. 
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere and please copy & paste its contents to the forum AS A NEW POST IN A SEPARATE THREAD.

It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required....so do NOT "fix" anything yet.
Someone here will be happy to help you analyze the results.





----------



## chisca (Apr 22, 2004)

here is my log: HEEEELLPPP

Logfile of HijackThis v1.97.7
Scan saved at 6:10:59 PM, on 4/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\Plaxo\1.5.2.32\InstallStub.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://martfinder.com/index.htm?aff=4444
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [win32.exe] C:\WINDOWS\win32.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\1.5.2.32\InstallStub.exe -a
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## $teve (Oct 9, 2001)

Uninstall "SpyKiller". It's a useless piece of crapware!!!

Go to http://computercops.biz/downloads-cat-14.html , and download the latest version of *CWShredder* by Merijn Bellekom, the creator of Hijack This. 
Run it, press 'Fix', and allow it to fix all it finds. 
And remember to click *"Fix"* (Not "Scan only")
After it's done its thing hit the *"How do I prevent reinfection"* tab....
In particular pay attention to the patches for the operating system regarding the ByteVerify vulnerability which is how you got infected in the 1st place.

When it is finished restart your computer and post another log.


----------



## buckaroo (Mar 25, 2001)

$teve said:


> Uninstall "SpyKiller". It's a useless piece of crapware!!!


Now Steve, I know you have a hard time expressing yourself, so why don't you tell us how you really feel?


----------



## $teve (Oct 9, 2001)

:down:


----------



## hijino (May 31, 2004)

I have been trying to download "hijack this" since this morning and all sites tell me I am not authorized to see this page. What is going on.....


----------



## buckaroo (Mar 25, 2001)

hijino, can you download from here:

http://www.thespykiller.co.uk/


----------



## dumbspyware (Mar 13, 2005)

Hi, lately after just viewing the Internet for a couple minutes my computer would be overwhelmed with ads and pop-ups, and I didn't know why. After messing around with Internet Explorer, I came upon this site and downloaded Spybot and Hijack This. Spybot didn't eliminate the popups, but something called x-cleaner from this website http://www.spywareguide.com/txt_onlinescan.html did stop all the popups. But just to be sure that all the spyware and ads, pops and junk are fully gone, can someone interpret my Hijack This log?

Logfile of HijackThis v1.99.1
Scan saved at 7:09:55 PM, on 3/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Piolet\Piolet.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spnmkf\Mnzvnz.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\3yux5385\3yux5385.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\bpc_search\BPCv2.exe
C:\WINDOWS\system32\pruttct.exe
C:\WINDOWS\system\gotpc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\?ti2evxx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\pruttct.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Kevin and I\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {3DF46D33-ABFE-F575-D6ED-860A7B7CA59D} - C:\WINDOWS\system32\jmmxbj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {6632FF0D-F5AC-4B55-AB43-3B5782925195} - C:\Program Files\3yux5385\3yux5385.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: SDWin32 Class - {E6F2459A-C237-4364-9BCF-89A144585049} - C:\WINDOWS\System32\rduvw.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AITwoUpdater] "C:\Program Files\AIUpdate\AIUpdate.exe"
O4 - HKLM\..\Run: [Piolet] C:\Program Files\Piolet\Piolet.exe SILENT
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lqXSJv] C:\documents and settings\kevin and i\local settings\temp\lqXSJv.exe
O4 - HKLM\..\Run: [Prqmrkrx] C:\Program Files\Spnmkf\Mnzvnz.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [EasyMessage] "C:\Program Files\Easy Messenger\em2.exe" -wait
O4 - HKLM\..\Run: [3yux5385] C:\Program Files\3yux5385\3yux5385.exe
O4 - HKLM\..\Run: [BPCv2] C:\Program Files\bpc_search\BPCv2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Jjrsh] C:\WINDOWS\system32\?ti2evxx.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [pruttct] C:\WINDOWS\system32\pruttct.exe
O4 - HKCU\..\RunOnce: [pruttct] C:\WINDOWS\system32\pruttct.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9BD549D-A6BE-4102-8A2C-88AF9BE95469}: NameServer = 128.125.253.183,128.125.253.166
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = hsc.usc.edu,usc.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = hsc.usc.edu,usc.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = hsc.usc.edu,usc.edu
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

If I have any more spyware, I want it gone once and for all. Thanks!


----------



## dumbspyware (Mar 13, 2005)

[email protected]! Never mind what I said before... I'm still being flooded by pop-up ads!!! They are from ads.deskwizz.com and other sites. I also noticed the E2Give program in the programs directory that REFUSES to be removed, if that's of any problem.


----------



## buckaroo (Mar 25, 2001)

Hi dumbspyware, welcome to TSG.

Just so you know, what you want to do here is start your own post for whatever problem you're having, and not piggy back onto an existing post.

Anyway, we'll get you taken care of...........

In addition to Spybot, you should also have AdAware for your use. Remember, both Spybot and AdAware are regularly updated, so make sure you check for updates regularly.

Go here and download AdAware:

http://www.majorgeeks.com/download.php?det=506

After installation follow the prompts to download current updates and allow it to do a full system scan.

Everything AdAware finds is safe to delete.

Okay, let's make sure you know how to view hidden files on the PC and to boot to safe mode:

Safe Mode:

http://www.computerhope.com/issues/chsafe.htm

Hidden files:

http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Open HJT and check the following entries, if still present, click Fix and then REBOOT into safe mode:

O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {3DF46D33-ABFE-F575-D6ED-860A7B7CA59D} - C:\WINDOWS\system32\jmmxbj.dll

O2 - BHO: (no name) - {6632FF0D-F5AC-4B55-AB43-3B5782925195} - C:\Program Files\3yux5385\3yux5385.dll

O2 - BHO: SDWin32 Class - {E6F2459A-C237-4364-9BCF-89A144585049} - C:\WINDOWS\System32\rduvw.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-A1F6-FC7EB590A97D} - (no file)

O4 - HKLM\..\Run: [lqXSJv] C:\documents and settings\kevin and i\local settings\temp\lqXSJv.exe
O4 - HKLM\..\Run: [Prqmrkrx] C:\Program Files\Spnmkf\Mnzvnz.exe

O4 - HKLM\..\Run: [3yux5385] C:\Program Files\3yux5385\3yux5385.exe
O4 - HKLM\..\Run: [BPCv2] C:\Program Files\bpc_search\BPCv2.exe

O4 - HKCU\..\Run: [Jjrsh] C:\WINDOWS\system32\?ti2evxx.exe

O4 - HKCU\..\Run: [pruttct] C:\WINDOWS\system32\pruttct.exe
O4 - HKCU\..\RunOnce: [pruttct] C:\WINDOWS\system32\pruttct.exe

After rebooting to safe mode, find and delete these files:

C:\documents and settings\kevin and i\local settings\temp\lqXSJv.exe
C:\Program Files\Spnmkf\Mnzvnz.exe
C:\Program Files\3yux5385\3yux5385.exe
C:\Program Files\bpc_search\BPCv2.exe
C:\WINDOWS\system32\?ti2evxx.exe
C:\WINDOWS\system32\pruttct.exe

Reboot to normal mode and go here for an online AV scan:

http://housecall.trendmicro.com/housecall/start_corp.asp

Post a current log in this thread when done, okay?


----------
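Reading an HJT log by hand, the way buckaroo does in the reply above, comes down to spotting a few recurring patterns: entries whose file is gone ("(file missing)" / "(no file)"), autostarts pointing into a Temp folder, a target under both Run and RunOnce (the pruttct pair), a "?" where HijackThis could not render a character in a filename, and random-looking folder names under Program Files. The script below is an added example and is not code from this thread or from the HijackThis project; it parses the log format shown in the posts and returns those patterns as a review list. The sample log is constructed from a shortened subset of lines quoted above; the reason names and the random-name rule are the example's own heuristics and will occasionally flag legitimate software, so a hit means "look at this", not "delete this".

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code)."""
import re
from collections import defaultdict

# Constructed sample: a shortened subset of the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\pruttct.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {6632FF0D-F5AC-4B55-AB43-3B5782925195} - C:\Program Files\3yux5385\3yux5385.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lqXSJv] C:\documents and settings\kevin and i\local settings\temp\lqXSJv.exe
O4 - HKLM\..\Run: [3yux5385] C:\Program Files\3yux5385\3yux5385.exe
O4 - HKCU\..\Run: [Jjrsh] C:\WINDOWS\system32\?ti2evxx.exe
O4 - HKCU\..\Run: [pruttct] C:\WINDOWS\system32\pruttct.exe
O4 - HKCU\..\RunOnce: [pruttct] C:\WINDOWS\system32\pruttct.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")                      # "O4 - ..." lines
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
ORPHAN_RE = re.compile(r"\s*\((?:file missing|no file)\)(?:\s*\(HKCU\))?$")
# Heuristic (example's own assumption): 6-10 chars mixing letters and digits,
# but not plain "letters then digits" like system32 or Office10.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{6,10}$")
LETTERS_THEN_DIGITS_RE = re.compile(r"^[a-z]+\d+$")


def _strip_args(target):
    """Drop command-line arguments from a quoted O4 target; unquoted targets stay whole."""
    target = target.strip()
    if target.startswith('"'):
        end = target.find('"', 1)
        if end > 0:
            return target[1:end]
    return target


def parse_entries(log_text):
    """Return one dict per R/O entry: code, raw line, orphan flag, path (and hive/key/name for O4)."""
    entries = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if not m:
            continue                      # header lines and the process list are skipped
        code, rest = m.groups()
        entry = {"code": code, "raw": raw, "orphan": False, "path": ""}
        if ORPHAN_RE.search(rest):
            entry["orphan"] = True
            rest = ORPHAN_RE.sub("", rest).rstrip(" -")
        o4 = O4_RE.match(rest) if code == "O4" else None
        if o4:
            entry["hive"], entry["key"], entry["name"], target = o4.groups()
            entry["path"] = _strip_args(target)
        elif " - " in rest:
            entry["path"] = rest.rsplit(" - ", 1)[1]   # last " - " field is the file/CLSID
        entries.append(entry)
    return entries


def _random_component(path):
    for part in path.lower().split("\\"):
        stem = part.rsplit(".", 1)[0]
        if RANDOM_NAME_RE.match(stem) and not LETTERS_THEN_DIGITS_RE.match(stem):
            return True
    return False


def triage(log_text):
    """Return (reason, raw_line) pairs for entries matching the thread's suspicious patterns."""
    entries = parse_entries(log_text)
    keys_by_target = defaultdict(set)     # (hive, path) -> {"Run", "RunOnce", ...}
    for e in entries:
        if "hive" in e:
            keys_by_target[(e["hive"], e["path"].lower())].add(e["key"])
    findings = []
    for e in entries:
        path, low = e["path"], e["path"].lower()
        reasons = []
        if e["orphan"]:
            reasons.append("orphan")             # registry points at a file that is gone
        if "\\temp\\" in low:
            reasons.append("temp_path")          # autostart living in a Temp folder
        if "?" in path:
            reasons.append("unprintable_char")   # HJT renders undisplayable characters as ?
        if "hive" in e and {"Run", "RunOnce"} <= keys_by_target[(e["hive"], low)]:
            reasons.append("run_and_runonce")    # same target registered twice
        if _random_component(path):
            reasons.append("random_name")
        findings.extend((r, e["raw"]) for r in reasons)
    return findings


def reasons_for(log_text, needle):
    """Sorted, de-duplicated reasons for every entry whose raw line contains `needle`."""
    return sorted({r for r, raw in triage(log_text) if needle in raw})


if __name__ == "__main__":
    by_reason = defaultdict(list)
    for reason, raw in triage(SAMPLE_LOG):
        by_reason[reason].append(raw)
    for reason in sorted(by_reason):
        print(f"[{reason}]")
        for raw in by_reason[reason]:
            print("   ", raw)
```

Run against the constructed sample, the script flags exactly the entries buckaroo told dumbspyware to fix and leaves the Adobe, Apoint, QuickTime and Symantec entries alone. The `unprintable_char` check is deliberately neutral: a "?" in a system32 filename only means HijackThis could not display that character, so the finding is a prompt to verify the file, as the later posts in this thread do.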



## dumbspyware (Mar 13, 2005)

Virus Scan: 3 viruses detected

Results:
We have detected 3 infected file(s) with 3 virus(es) on your computer.

| Detected File | Associated Virus Name |
| --- | --- |
| C:\Documents and Settings\Kevin and I\Local Settings\Temp\64.exe\64.exe | TROJ_RVP.D |
| C:\RECYCLER\S-1-5-21-3514733499-2806831494-3112446484-1007\Dc7.exe | TROJ_SMALL.SN |
| C:\WINDOWS\SYSTEM\gotpc.exe | TROJ_STARTPAG.EO |

Trojan/Worm Check: No worm/Trojan horse detected

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer.
Trojan/Worm Name / Trojan/Worm Type: (none listed)

Spyware Check: 10 spyware programs detected

What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 10 spyware(s) on your computer.

| Spyware Name | Spyware Type |
| --- | --- |
| COOKIE_169 | Cookie |
| COOKIE_211 | Cookie |
| COOKIE_442 | Cookie |
| COOKIE_2081 | Cookie |
| COOKIE_2250 | Cookie |
| ADW_BADBITOR.A | Adware |
| COOKIE_3201 | Cookie |
| ADW_SAHAGENT.A | Adware |
| COOKIE_3206 | Cookie |
| ADW_BCPC.A | Adware |

Microsoft Vulnerability Check: No vulnerability detected

What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.
Results:
We have detected 0 vulnerability/vulnerabilities on your computer.
Risk Level / Issue / How to Fix: (none listed)


----------



## buckaroo (Mar 25, 2001)

Did you follow the instructions given in the previous post?

Post a current HJT log, okay?


----------



## dumbspyware (Mar 13, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 10:44:53 PM, on 3/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Piolet\Piolet.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Kevin and I\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AITwoUpdater] "C:\Program Files\AIUpdate\AIUpdate.exe"
O4 - HKLM\..\Run: [Piolet] C:\Program Files\Piolet\Piolet.exe SILENT
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [EasyMessage] "C:\Program Files\Easy Messenger\em2.exe" -wait
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9BD549D-A6BE-4102-8A2C-88AF9BE95469}: NameServer = 128.125.253.183,128.125.253.166
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = hsc.usc.edu,usc.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = hsc.usc.edu,usc.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = hsc.usc.edu,usc.edu
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

Sorry, I thought you meant the HouseCall antivirus scan.
Two things:
I couldn't find these two things:
C:\documents and settings\kevin and i\local settings\temp\lqXSJv.exe
C:\WINDOWS\system32\?ti2evxx.exe
I did find one that said C:\WINDOWS\system32\ati2evxx.exe but I wasn't sure if I could delete it.
ALSO, during the AV scan (I think I've used it before and it allows you to remove the viruses that it scans) I twice pressed "continue" after it scanned, assuming it would move on to a window allowing me to remove the viruses, but I encountered an error with Internet Explorer and I was prompted to "send an error report"... so I don't know what happened there, but maybe I'll try it again.


----------



## $teve (Oct 9, 2001)

Buck....what are you doing in a thread which was started when you were in short pants?


----------



## buckaroo (Mar 25, 2001)

$teve said:


> Buck....what are you doing in a thread which was started when you were in short pants?



What can I say Steve?????????

Maybe I'm still wearing those shorts.


----------



## buckaroo (Mar 25, 2001)

dumbspyware, C:\WINDOWS\system32\?ti2evxx.exe is a legitimate file related to your ATI video card, so leave it be.

Your HJT log looks good :up: . I think you're good to go.

Here's another online AV site you can try:

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Make sure you stay current with all MS critical updates.

Check out this thread for more advice on keeping your PC safe:

http://forums.techguy.org/t208517.html


----------

