# [SOLVED] w32.spybot.worm



## wendytyo (Jun 7, 2001)

ok i ran norton 2003 and it found 9 viruses all the same w32.spybot.worm but i can't fix or delete 1 of them it keeps popping up and saying w32.spybot.worm virus found and i have to hit the ok button about 15 times before it will go off can anyone please help me get rid of this virus. i ran hijack log and here it is

Logfile of HijackThis v1.95.0
Scan saved at 11:26:00 PM, on 7/20/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\WINDOWS\System32\LCD.EXE
C:\Program Files\Trillian\trillian.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Kazaa Lite\kazaa.kpp
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Wendy Tyo\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak=http://www.yahoo.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [Winsock2 driver] LCD.EXE
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Trillian.lnk = ?
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/80a25dd3ec062c/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## wendytyo (Jun 7, 2001)

norton just came up agin and it said the object name is
c\windows\system\lcd.exe and i had to hit the ok button 20 times before it would go off Please anyone help me


----------



## JayT (Apr 15, 2003)

Since you are using Norton, Symantec has removal instruction for the "Spybot worm" at:

http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html

W32.Spybot.Worm is from Kazaa.


----------



## aineo (May 3, 2003)

First of all, I am no expert on this, so I think it would be better to wait for one of the experienced Hijack This analyzers to come around, but I did notice one thing. It appears that you have both AVG and Norton running. This is not a good idea. Something you might try is turning off Norton and running AVG to see if it picks up and fixes the virus. Afterwords, you need to pick which one to use and get rid of the other, or at least turn the less desired program off.

If no one else posts an answer I will let you know what I think is wrong, but I am extremely new at analyzing HT and would hate to give you wrong advice. Someone with experience should be along soon.


----------



## wendytyo (Jun 7, 2001)

i ran avg and it would not pick up anything i just dl norton tonight and thats when it found the 9 viruses fixed 8 of them but could not fix the 9th one


----------



## aineo (May 3, 2003)

another thing you might try is running the online virus scan at www.trendmicro.com .

Concerning AVG, was it updated? Either way, you need to only be running one of the virus scan programs at a time.


----------



## wendytyo (Jun 7, 2001)

yea i scanned with trendmicro and it didn't pick up anything.avg was updated


----------



## aineo (May 3, 2003)

Did you try JayT's suggestion?


----------



## JayT (Apr 15, 2003)

Obviously not.


----------



## dohoanmy (Jul 18, 2003)

i dont see anything wrong in your log ...


----------



## TonyKlein (Aug 26, 2001)

*O4 - HKLM\..\Run: [Winsock2 driver] LCD.EXE*

That one is viral for sure.

Have Hijack This fix it, restart your computer, and delete the C:\WINDOWS\System32\LCD.EXE file itself.

Good luck,


----------



## aineo (May 3, 2003)

wendytyo, *don't take my following advice*, I am just trying to learn more about analyzing HT.

TonyKlein, as I said in another post yesterday, I am trying to learn more about analyzing HT. I thought that O4 - HKLM\..\Run: [Winsock2 driver] LCD.EXE was bad, but I also felt the following entries could be removed.

*R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm*

*O4 - Startup: Trillian.lnk = ?*

Was I totally wrong, or are they unnecessary entries?

I hope my questions aren't bothering you. I think it is the best way to learn.


----------



## TonyKlein (Aug 26, 2001)

You can have Hijack This fix those as well.

In the case of the R0 item it will restore the Windows default for that Start Page registry entry.

The Trillian Startup entry may be an orphaned one. If you're not running Trillian any more, or if you do, but you don't want it to start up as Windows starts, have HT fix that one as well.


----------



## aineo (May 3, 2003)

Thanks for taking the time to explain that.


----------



## TonyKlein (Aug 26, 2001)

No prob!


----------



## wendytyo (Jun 7, 2001)

Hi i tried tonyklines advice and deleted that from hijackthis log restared and tried to delete c\windows\system32\lcd.exe but it will not let me delete it it keeps saying accsess denied


----------



## VirtualMe (Sep 27, 2002)

It may have Read Only ticked.

Try this.

click on My Computer

C:\

windows

system32

right click on *lcd.exe*

properties

untick the Read Only

Apply

OK

then see if you can delete *lcd.exe*


----------



## wendytyo (Jun 7, 2001)

hi i went and unticked everything that was ticked and tried to delete and still would not delete just a note the read only was not ticked anyway. i tried to do a system restore and it would not let me i will not even let me ctrl alt delete


----------



## TonyKlein (Aug 26, 2001)

Did you restart your computer after having Hijack This fix its startup entry, as I advised you to do.
If you didn't, it's logical it won't let itself be deleted.

But try deleting the file in Safe Mode. That shouldn't be a prob:

How to start the computer in Safe Mode


----------



## wendytyo (Jun 7, 2001)

yes i restarted and went straight the file and tried to delete it and it would not let me


----------



## TonyKlein (Aug 26, 2001)

OK, then do try in Safe Mode.


----------



## wendytyo (Jun 7, 2001)

ok did it in safe mode and it deleted but i ran hijackthis log and it cameup with O4 - HKLM\..\Run: [Winsock2 driver] LCD.EXE agin and i fixed it agin going to restart agin and see if it come back up will post log


----------



## TonyKlein (Aug 26, 2001)

Well, that's just a harmless startup entry, now that the file itself is gone.

Have Hijack This fix it, and you should be fine.


----------



## wendytyo (Jun 7, 2001)

Logfile of HijackThis v1.95.0
Scan saved at 11:34:17 AM, on 7/21/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Trillian\trillian.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Documents and Settings\Wendy Tyo\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak=http://www.yahoo.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Trillian.lnk = ?
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/80a25dd3ec062c/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## TonyKlein (Aug 26, 2001)

A clean log!

Well done.


----------



## wendytyo (Jun 7, 2001)

thank u very much i am running norton now to see if clean so far so good


----------



## shireen (Jul 25, 2003)

Hi, I've got it too and my antivirus program has bad virus update files, or something like that, so i was forced to uninstall it; i'm trying it AGAIN. Meanwhile, can anyone take a quick look and tell me which of these needs to go?
Thanks!

Logfile of HijackThis v1.95.1
Scan saved at 10:49:49 PM, on 7/24/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\essspk.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\NetZero\zCast.exe
C:\Program Files\NetZero\chkras.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Admin\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\System32\WUAUMQR.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\MSIEXEC.EXE
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\MsiExec.exe
C:\Program Files\McAfee\VirusScan Wireless\McEPOC.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\Rulaunch.exe
C:\Documents and Settings\Admin\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003071801/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37795.9592824074
O17 - HKLM\System\CCS\Services\Tcpip\..\{31E1A3A9-7A96-446F-8A14-B3671DBB719D}: NameServer = 64.136.28.120 64.136.28.133


----------



## Flrman1 (Jul 26, 2002)

shireen

Run Hijack This again and put a chek by these. Close all browser windows and "Fix checked"

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{31E1A3A9-7A96-446F-8A14-B3671DBB719D}: NameServer = 64.136.28.120 64.136.28.133

Restart your computer.


----------



## lyonmsu (Aug 3, 2003)

This entry I already removed from my log bsed on earlier messages:

O17 - HKLM\System\CCS\Services\Tcpip\..\{F4BB32A4-DE9B-4A46-8B93-39183125E622}: NameServer = 151.164.1.8 151.164.11.201

Below is my current log and I was wondering if any other entries need to be removed:

---

Logfile of HijackThis v1.96.0
Scan saved at 1:39:39 AM, on 8/3/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\NMapWin\bin\nmapserv.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Mixer.exe
C:\WINNT\system32\JupitCo.exe
C:\WINNT\System32\LXSUPMON.EXE
C:\PROGRA~1\PDFCRE~1\PDFLoader.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\mdm.exe
C:\WINNT\regedit.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HiJackThis\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BEC59B9A-1545-44FD-863B-6E07B5BE8BEC} - C:\Program Files\OpenSTA\Engines\Web\Modeller\CaptureBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [USB SECURITY DEVICE CoInstaller] JupitCo.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [PDFCreator] C:\PROGRA~1\PDFCRE~1\PDFLoader.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Winsock2 driver] EXPLORER.EXE
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yse/yinstmulti.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37734.8959027778
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## sa1794 (Aug 3, 2003)

I use Norton Corporate Edition 7.6. My file system realtime protection detects the same virus on my computer: w32.spydot.worm. The effected file is c:\winnt\system32\explorer.exe

Norton said it can't clean it or quarantine it. The access to the file is denied. So I tried to delete this explorer.exe file from the system32 folder, but it wouldn't allow me to delete it(saying it's being used).


I tried to use Trendmicro Houscall to scan my computer. It said it caught the virus worm_spydot.gen and cleaned it. But after the scan was complete, the Norton Antivirus Notification still pops up saying: 

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: W32.Spybot.Worm
File: C:\WINNT\system32\explorer.exe
Location: C:\WINNT\system32
Computer: mycomputer
User: me
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Sun Aug 03 09:37:40 2003

So what's going on? Can anyone help please?

Thanks!


----------



## Flrman1 (Jul 26, 2002)

lyonmsu 

Welcome to TSG!

Looks like a clean log to me.


----------



## Flrman1 (Jul 26, 2002)

sa1794

Welcome to TSG!

First go here http://housecall.trendmicro.com/ and do an online virus scan.

Next please do this. Go here http://www.tomcoyote.org/hjt/ and download Hijack This. Un Zip it and click on the Hijachthis.exe.

Click the "Scan" button when the scan is finished the scan button will become "Save Log" click that and save the log.

Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

Do NOT have Hijack This fix anything yet. Most of what it finds will be harmless. Someone here will be glad to advise you on what to fix.


----------



## sa1794 (Aug 3, 2003)

> _Originally posted by flrman1:_
> *sa1794
> 
> Welcome to TSG!
> ...


Here's the log:

Logfile of HijackThis v1.96.0
Scan saved at 10:48:12, on 2003-8-3
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\savedump.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NAV\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\cba\pds.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\NAV\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\system32\Explorer.exe
C:\WINNT\EXPLORER.EXE
C:\WINNT\loadqm.exe
C:\PROGRA~1\NAV\vptray.exe
C:\PROGRA~1\Save\Save.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\WINNT\TPPALDR.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINNT\System32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WeatherCast\Weather.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\WINNT\system32\ntvdm.exe
C:\PROGRA~1\NJSTAR~1\NJCOM32.EXE
C:\PROGRA~1\NJSTAR~1\NJSIME.EXE
C:\Documents and Settings\Shaun Au\×ÀÃæ\HijackThis.exe

O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\Program Files\CommonName\Toolbar\CNBabe.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: ????? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NAV\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [babeie] rundll32 "C:\Program Files\CommonName\Toolbar\CNBabe.dll",DllStartup
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINNT\TPPALDR.EXE
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [Winsock2 driver] EXPLORER.EXE
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WeatherCast] C:\Program Files\WeatherCast\Weather.exe /q
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: NTUSER.DAT
O4 - Startup: ntuser.dat.LOG
O4 - Startup: ntuser.ini
O4 - Global Startup: ntuser.pol
O8 - Extra context menu item: Add A Page Note - C:\Program Files\CommonName\Toolbar\createnote.htm
O8 - Extra context menu item: Bookmark This Page - C:\Program Files\CommonName\Toolbar\createbookmark.htm
O8 - Extra context menu item: Email This Link - C:\Program Files\CommonName\Toolbar\emaillink.htm
O8 - Extra context menu item: Search using CommonName - C:\Program Files\CommonName\Toolbar\navigate.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O11 - Options group: [CommonName] CommonName
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://wcs00180.egain.net/wcsapp/weblib/Javascript/messaging/ie/SecMgr.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {BA0F088C-72C1-475A-92F8-42391DEF6961} (BlueskyAudio Class) - http://202.96.140.88/vchat/blueskyvoice.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## lyonmsu (Aug 3, 2003)

sa1794,

I had the exact same issue with explorer.exe. (which was one of the reasons I found myself on this site). Other more knowledgable members may have a better solution thant this but here is how I rectified the solution. First off explorer.exe is a system file used for managing the file systems in Windows and therefore it cannot be deleted or quarantined while running windows on that computer (nice huh). What I ended up doing is the following:

(NOTE: This requires a 2nd uninfected PC with the EXACT same version of the OS.)

1. Remove the hard drive with the infected file from the infected system.

2. Install the infected drive as a secondary drive on the uninfected system with the EXACT same version of the OS.

3. Move the INFECTED version of [drive letter]:\WINNT\system32\explorer.exe of the file to a secondary locaction for recovery purposes (ie. I moved it to a folder call c:\badfiles).

4. Copy the UNINFECTED version of c:\WINNT\system32\explorer.exe to the secondary drives [drive letter]:\WINNT\system32\ loxation.

5. Uninstall the previously infected secondary drive and reinstall it as the primary drive on the original infected systm.

6. Boot up the computer and rerun your Antivirus program over your system. If everything was done properly it should find the infected version of the explorer.exe file in the temporary holding location (ie. c:\badfiles) and allow you to quarantinve it. Meanwhile the copied uninfected version of exploerer.exe in the WINNT\System32 folder should not display as infected.

---

A little bit of pain of uninstalling and reinstalling the drive but if you have access to another computer with the same OS it beats having to redo the entire OS installation and worrying about how to back up your files without infecting them further.

If there is a better method I would like to hear it but this is how I got past it.

Good luck.


----------



## sa1794 (Aug 3, 2003)

> _Originally posted by lyonmsu:_
> *sa1794,
> 
> I had the exact same issue with explorer.exe. (which was one of the reasons I found myself on this site). Other more knowledgable members may have a better solution thant this but here is how I rectified the solution. First off explorer.exe is a system file used for managing the file systems in Windows and therefore it cannot be deleted or quarantined while running windows on that computer (nice huh). What I ended up doing is the following:
> ...


unfortunately, I don't have another pc with the exact OS.   

Wha am I suppose to do???


----------



## Flrman1 (Jul 26, 2002)

sal794

I don't see much in your log. Before we proceed further with what may need to be removed using HT. Go here http://www.trendmicro.com/download/tsc.asp and download and run the Trend Micro System cleaner. Be sure you get the one "For Non-Users of Trend Micro Products" and follow the instructions for installing the latest pattern file.

Then post another HT log.


----------



## lyonmsu (Aug 3, 2003)

sa1794,

Sorry, I realize not everyone has access to a 2nd PC to do what I did but it was the only way I could think of to get around the system file issue.

Unless others have better suggestions you may want to see if any of your family/friends/neighbors/coworkers have a PC with the same OS on it as yours. If they and/or you could work together to install you hard drive on their system and do the move and copy process it should not involve infecting their system at all since you are copying an uninfected file FROM their system TO your hard drive. (Of course you would probably want to make sure they have virus protection on their system and that file is not ifnected before you go through all the trouble).

Other than that I think you would be stuck with reformatting and reinstaling your OS.  

Hope somebody has a better solution for you than doing that though if this family/friend/neighbors/coworkers option is not feasible.

Good luck.


----------



## Flrman1 (Jul 26, 2002)

> _Originally posted by flrman1:_
> *sal794
> 
> I don't see much in your log. Before we proceed further with what may need to be removed using HT. Go here http://www.trendmicro.com/download/tsc.asp and download and run the Trend Micro System cleaner. Be sure you get the one "For Non-Users of Trend Micro Products" and follow the instructions for installing the latest pattern file.
> ...


----------



## sa1794 (Aug 3, 2003)

> _Originally posted by flrman1:_
> *sal794
> 
> I don't see much in your log. Before we proceed further with what may need to be removed using HT. Go here http://www.trendmicro.com/download/tsc.asp and download and run the Trend Micro System cleaner. Be sure you get the one "For Non-Users of Trend Micro Products" and follow the instructions for installing the latest pattern file.
> ...


hi,

I've just downloaded the For Non-Users of Trend Micro Products System Cleaner. I installed the program. But when I lauch the program, it says the file "TSC.BIN" is missing. So what's going on? Where can I find this TSC.BIN file?

Thanks.

Oh, I got it to worked. Never mind.

Here's the log.

TSC Version 3.0(Build 1053)
Windows 2000(Build 2195: )

Start time : Sun Aug 03 23:57:24 2003

Load pattern file "C:\Documents and Settings\my computer\desktop\tsc.ptn" (version 149) [success]
PE_ELKERN.A[virus not found]
PE_ELKERN.B[virus not found]
PE_ELKERN.C[virus not found]
WORM_KLEZ[virus not found]
WORM_KLEZ.A[virus not found]
WORM_KLEZ.B[virus not found]
WORM_KLEZ.C[virus not found]
WORM_KLEZ.D[virus not found]
WORM_KLEZ.E[virus not found]
WORM_KLEZ.F[virus not found]
WORM_KLEZ.G[virus not found]
WORM_KLEZ.H[virus not found]
WORM_KLEZ.I[virus not found]
WORM_KLEZ.J[virus not found]
PE_ELKERN.D[virus not found]
WORM_LIRVA.C[virus not found]
WORM_LIRVA.A[virus not found]
WORM_XPLORZIP.F[virus not found]
BKDR_GRASKET.A[virus not found]
WORM_MERKUR.A[virus not found]
W97M_MARKER.JH[virus not found]
VBS_LIKUN.C[virus not found]
VBS_LIKUN.B[virus not found]
BKDR_REVERSE.20[virus not found]
WORM_GAZE.A[virus not found]
BKDR_SDBOT.05.B[virus not found]
TROJ_RACKUM.A[virus not found]
TROJ_FLOOD.C[virus not found]
WORM_BAJAR.B[virus not found]
BKDR_SCLOG.20[virus not found]
WORM_OPASERV[virus not found]
BKDR_LITMUS.203[virus not found]
WORM_MYPOWER.B[virus not found]
TROJ_PSW.CARA[virus not found]
WORM_BRAID.A[virus not found]
TROJ_BRIGA.A[virus not found]
BAT_MIGRATE.A[virus not found]
BKDR_RSM.25[virus not found]
TROJ_DASMIN.A[virus not found]
BAT_NOBRAIN.A[virus not found]
WORM_PRODVIN.A[virus not found]
WORM_BUZZARD.A[virus not found]
BKDR_Y3KRATPRO.A[virus not found]
TROJ_SNART.A[virus not found]
TROJ_KBLUP.A[virus not found]
TROJ_LAMLITE.A[virus not found]
WORM_LAVEHN.A[virus not found]
TROJ_SPBINA102.A[virus not found]
BKDR_FR.A[virus not found]
BKDR_NETBUS.BR[virus not found]
VBS_ZULU.B[virus not found]
BKDR_IRCINTER.A[virus not found]
WORM_LAMA.A[virus not found]
BKDR_KAITEN.A[virus not found]
BKDR_FR.155.A[virus not found]
WORM_HYBRIS[virus not found]
WORM_GONER.A[virus not found]
WORM_BADTRANS.A[virus not found]
WORM_RODOK.A[virus not found]
TROJ_KATIEN.C[virus not found]
JS_WHITEHOME.A[virus not found]
PE_WEIRD[virus not found]
TROJ_SUA.A[virus not found]
BKDR_NETBUS.C[virus not found]
VBS_HAPTIME[virus not found]
VBS_KALAMAR.A[virus not found]
WORM_BUGBEAR.A[virus not found]
PE_FUNLOVE.4099[virus not found]
TROJ_YAB.A[virus not found]
TROJ_INTTEST.A[virus not found]
WORM_BOOSTAP.A[virus not found]
W97M_DEEDEE.D[virus not found]
VBS_CORICA.A[virus not found]
TROJ_BUIZIT.A[virus not found]
TROJ_FENDER.A[virus not found]
VBS_LOVELETTR.AS[virus not found]
BKDR_YESKON.A[virus not found]
WORM_MENACE.A[virus not found]
WORM_MYBA.A[virus not found]
WORM_MYLIFE.B[virus not found]
BKDR_ANTILAM.20[virus not found]
WORM_FRETHEM.K[virus not found]
WORM_GISMOR.A[virus not found]
WORM_VODNI.A[virus not found]
BAT_NEDAL.A[virus not found]
TROJ_AIDER.A[virus not found]
WORM_UNIS.A[virus not found]
PE_XANAX.A[virus not found]
TROJ_RODASIVA.A[virus not found]
TROJ_SHORM.B[virus not found]
W97M_NSI.F[virus not found]
WORM_MATCHER.A[virus not found]
WORM_DANDI.A[virus not found]
BKDR_EVILBOT.A[virus not found]
BKDR_DSNX.05[virus not found]
BKDR_EXPJAN.A[virus not found]
VBS_SEALUG.A[virus not found]
BKDR_BLUEFIRE.A[virus not found]
BKDR_MUSKA.E[virus not found]
BKDR_TOADCOM.A[virus not found]
TROJ_JAPSX.A[virus not found]
WORM_MALDAL.G[virus not found]
VBS_WASAP.A[virus not found]
VBS_REDLOF[virus not found]
WORM_UGIG.A[virus not found]
WORM_TARIPOX.B[virus not found]
WORM_FISHLET.A[virus not found]
BKDR_ANTILAM.13[virus not found]
TSCTESTFILE[virus not found]
BKDR_PEEPER.10[virus not found]
BKDR_REVREM.A[virus not found]
VBS_FIREBURN.A[virus not found]
VBS_PETIK.H[virus not found]
VBS_PICA.N[virus not found]
VBS_WITHIN.A[virus not found]
WORM_ASSARM.A[virus not found]
WORM_CERVIVEC.A[virus not found]
WORM_GUBED.A[virus not found]
WORM_MALDAL.K[virus not found]
WORM_NAVIDAD.E[virus not found]
WORM_SOLVINA.B[virus not found]
WORM_GOKAR.A[virus not found]
WORM_MALDAL.E[virus not found]
WORM_SAMBUD.A[virus not found]
WORM_ZHANGPO.A[virus not found]
WORM_MYLIFE.C[virus not found]
WORM_PETIK.M[virus not found]
BKDR_GALAXY.A[virus not found]
BKDR_NINJASPY.A[virus not found]
VBS_HACKERX.A[virus not found]
BKDR_LOADR32.A[virus not found]
WORM_OXMILK.A[virus not found]
BKDR_SDBOT.B[virus not found]
BAT_MIKRO.A[virus not found]
JS_SEEKER.EH[virus not found]
WORM_DENA.A[virus not found]
TROJ_GIP.113.B1[virus not found]
WORM_CERVICEC.A[virus not found]
JS_EXCEPTION.R[virus not found]
JS_SEEKER.EG[virus not found]
BKDR_LAMER.B[virus not found]
WORM_MYLIFE.A[virus not found]
BKDR_THREAT.SVR[virus not found]
BKDR_WINLOCK.A[virus not found]
W97M_PACOL.A[virus not found]
WORM_KITRO.A[virus not found]
TROJ_GREATPAGE.A[virus not found]
TROJ_GOP196[virus not found]
TROJ_MADO.A[virus not found]
JS_IESTART.D[virus not found]
REG_SEEKER.C[virus not found]
TROJ_HOPE.A[virus not found]
BKDR_GHOST.23[virus not found]
TROJ_GIFT25.A[virus not found]
VBS_REDIRECT.A[virus not found]
TROJ_REGBACK.B[virus not found]
WORM_SILIN.A[virus not found]
VBS_LEE.CM[virus not found]
BKDR_PSYCH10.SVR[virus not found]
BKDR_LTLWTCH.A[virus not found]
JS_IESTART.C[virus not found]
BKDR_SUB723B[virus not found]
BKDR_NETDEVIL.B[virus not found]
WORM_DAZME.A[virus not found]
TROJ_IDIPSW.A[virus not found]
TROJ_JOINRFRDY.D[virus not found]
WORM_FREETRIP.B[virus not found]
WORM_SIDEX.A[virus not found]
WORM_SPESTER.A[virus not found]
VBS_VBSWG.U[virus not found]
BKDR_ALMASTER.A[virus not found]
TROJ_NETDEVIL.D[virus not found]
JS_GIGGER.A[virus not found]
TROJ_LOVEADOT.D[virus not found]
TROJ_MAGIC.A[virus not found]
VBS_VANINA.D[virus not found]
TROJ_TIGHT.A[virus not found]
WORM_MYPICS.I[virus not found]
BKDR_THF.A[virus not found]
TROJ_ANITA.A[virus not found]
TROJ_SUBSEVN.213[virus not found]
BKDR_FTP.A[virus not found]
BKDR_DARKIRC.QZ[virus not found]
WORM_FUNSOUL.A[virus not found]
TROJ_ULTIMAT[virus not found]
TROJ_ANAKHA.A[virus not found]
TROJ_WHISTLER.A[virus not found]
BKDR_GIFT.E[virus not found]
BKDR_WINATAD.SVR[virus not found]
TROJ_BIONET.315[virus not found]
TROJ_SHUTDOWN.A[virus not found]
TROJ_FINALDO.B[virus not found]
BKDR_LAMER.A1[virus not found]
TROJ_INF.SVR.20[virus not found]
WORM_SHOHO[virus not found]
WORM_MALDAL.C[virus not found]
WORM_BADTRANS.B[virus not found]
TROJ_WIDGET64.A[virus not found]
JS_EXITW.A[virus not found]
WORM_SCORPION.A[virus not found]
TROJ_NETSPHER.A[virus not found]
VBS_CUERPO.A[virus not found]
TROJ_DROPPER.A[virus not found]
WORM_EXPZIPWMPAK[virus not found]
WORM_EXPLORZIP.M[virus not found]
TROJ_TOXOPLAS.A[virus not found]
WORM_PET.TICK.Q[virus not found]
WORM_PET.TICK.R[virus not found]
TROJ_COCED.226[virus not found]
BKDR_MHT.A[virus not found]
TROJ_ZOEK.A[virus not found]
W97M_DDEEXEC.A[virus not found]
BKDR_CYBERJACK.A[virus not found]
BKDR_SLACKBOT.G[virus not found]
IRC_GRIBBLE.A[virus not found]
WORM_ENVIAR.A[virus not found]
TROJ_PSW.HUG[virus not found]
TROJ_SECTORINF.A[virus not found]
TROJ_SERNEL.A[virus not found]
WORM_DESOR.A[virus not found]
TROJ_JESTRO.A[virus not found]
JS_SEEKER.R[virus not found]
VBS_ERUL.A[virus not found]
WORM_SIRCAM.B[virus not found]
BKDR_SBOT.B.SVR[virus not found]
TROJ_DESIRE.A[virus not found]
VBS_INFEKTOR.A[virus not found]
TROJ_VOTE[virus not found]
WORM_ATIRUS.A[virus not found]
TROJ_BIONET.318A[virus not found]
NE_SYSDATA.A[virus not found]
BKDR_BLUE.A[virus not found]
BKDR_GWGIRL.B[virus not found]
TROJ_PAMELA.A[virus not found]
TROJ_BRAIN.A[virus not found]
BKDR_FINDER.A[virus not found]
PE_NETSCAN.A[virus not found]
TROJ_PSW.VXSKEY[virus not found]
VBS_XPJUNEXP.D[virus not found]
VBS_PEACE.A[virus not found]
VBS_THEA.A[virus not found]
BKDR_MOONPIE.A[virus not found]
WORM_APOST.A[virus not found]
WORM_ANDROID.B[virus not found]
WORM_ANDROID.A[virus not found]
TROJ_BAROK.10[virus not found]
TROJ_AOL.BUDDY[virus not found]
BKDR_GIRLFRIEND[virus not found]
BKDR_GLACIER.A[virus not found]
TROJ_ICKILLER.A[virus not found]
TROJ_ICKILLER.B[virus not found]
BKDR_BO2K[virus not found]
TROJ_ICQ.NUKE[virus not found]
WORM_MYPICS.B[virus not found]
WORM_PLAGE.A[virus not found]
TROJ_PSW.BLADE[virus not found]
TROJ_TEXTO.A[virus not found]
BKDR_BLA.502[virus not found]
WORM_SKA.A[virus not found]
TROJ_TRINOO[virus not found]
TROJ_BACKDOOR-AC[virus not found]
BKDR_ASYLUM[virus not found]
TROJ_AntiBTC.C[virus not found]
TROJ_DEEPTHROAT[virus not found]
WORM_WINEXT.A[virus not found]
TROJ_WSPOOL[virus not found]
TROJ_XCTP[virus not found]
TROJ_ANTIQFX[virus not found]
TROJ_ASPAM.A[virus not found]
TROJ_ASPAM.B[virus not found]
BKDR_NETBUS.12[virus not found]
BKDR_NBSPY.B[virus not found]
BKDR_NBSPY.NB[virus not found]
BKDR_NETSPY.110[virus not found]
BKDR_SUB7.21.F[virus not found]
TROJ_SUB7.213.B[virus not found]
BKDR_SUB7.BONUS[virus not found]
BKDR_BIRDSPY.SVR[virus not found]
TROJ_WINSOUND[virus not found]
VBS_BUBBLEBOY[virus not found]
VBS_STAGES.A[virus not found]
VBS_TIMOFONICA[virus not found]
VBS_EXPOSED[virus not found]
VBS_FOOL.A[virus not found]
VBS_FREELINK[virus not found]
VBS_KAKWORM[virus not found]
VBS_LOVELETTER[virus not found]
VBS_LOVELETTR.BA[virus not found]
VBS_LOVELETTR.BD[virus not found]
VBS_LOVELETTR.BF[virus not found]
VBS_LOVELETTR.BH[virus not found]
WORM_EXPLORZIP.C[virus not found]
WORM_EXPLOZIP.IT[virus not found]
TROJ_NETBUS.170[virus not found]
WORM_PRETTYPARK[virus not found]
WORM_SOUTHPARK.A[virus not found]
BKDR_SUB7.16.A[virus not found]
TROJ_SUB7.20[virus not found]
BKDR_SUB7.19[virus not found]
BKDR_SUB7.20[virus not found]
TROJ_SUB721.F[virus not found]
BKDR_SUB7.12[virus not found]
BKDR_SUB7.13[virus not found]
TROJ_SUB7.213[virus not found]
BKDR_SUB7.DROP[virus not found]
VBS_GORUM.A[virus not found]
BKDR_THE_THING.A[virus not found]
TROJ_SONIC[virus not found]
BKDR_SUBZERO.A[virus not found]
TROJ_APS.216576[virus not found]
TROJ_QAZ.A[virus not found]
WORM_NAVIDAD.A[virus not found]
WORM_BYMER[virus not found]
WORM_SIRCAM.A[virus not found]
WORM_MTX.A[virus not found]
WORM_PROLIN.A[virus not found]
WORM_ZOHER[virus not found]
WORM_MYPARTY.A[virus not found]
WORM_BLEBLA.A[virus not found]
TROJ_CODERED[virus not found]
PE_NIMDA.A[virus not found]
PE_NIMDA.B[virus not found]
PE_NIMDA.C[virus not found]
PE_NIMDA.D[virus not found]
PE_NIMDA.E[virus not found]
BKDR_IRCSDBOT.G[virus not found]
TROJ_INOR.A[virus not found]
TROJ_INOR.B[virus not found]
TROJ_HOBENE.A[virus not found]
BKDR_IRCSDBOT.I[virus not found]
BKDR_DINDANG.A[virus not found]
TROJ_MULTASK.A[virus not found]
BAT_BONG.A[virus not found]
CHM_TALORM.A[virus not found]
BKDR_IRCSBOT.GEN[virus not found]
WORM_HOBBIT.C[virus not found]
WORM_FREGIT.A[virus not found]
BKDR_AMB.A[virus not found]
WORM_WINEVAR.A[virus not found]
WORM_SOLTERN.A[virus not found]
WORM_FREGIT.B[virus not found]
WORM_FORLORN.A[virus not found]
BKDR_CONTACT.A[virus not found]
TROJ_TANIA.A[virus not found]
WORM_HOLAR[virus not found]
TROJ_SENAD.A[virus not found]
TROJ_GOLOGGER.A[virus not found]
WORM_BALAN.A[virus not found]
TROJ_FLOOD.BI.DR[virus not found]
WORM_ACINT.A[virus not found]
TROJ_AMOR.B[virus not found]
WORM_FRIENDGRT.A[virus not found]
VBS_LIKUN.A[virus not found]
VBS_HYPOTH.A[virus not found]
TROJ_GHOSTGIRL.A[virus not found]
WORM_OROR.B[virus not found]
WORM_FRIENDGRT.B[virus not found]
WORM_GOP.F[virus not found]
TROJ_SAZO.A[virus not found]
BKDR_LAST2000.B[virus not found]
WORM_SACHIEL.C[virus not found]
BKDR_CBLADE.D[virus not found]
BKDR_TASKREG.A[virus not found]
IRC_HETRAD.A[virus not found]
WORM_OROR.H[virus not found]
WORM_ALCAUL.AE[virus not found]
WORM_PARVED.A[virus not found]
WORM_YAHA.K[virus not found]
WORM_NETAV.A[virus not found]
WORM_YAHA.L[virus not found]
WORM_YAHA.A[virus not found]
WORM_YAHA.M[virus not found]
TROJ_DASMIN.C[virus not found]
BKDR_ANK.A[virus not found]
WORM_YAHA.G[virus not found]
VBS_LICHAR.A[virus not found]
VBS_VBSWG.M[virus not found]
BKDR_DELF.DA[virus not found]
WORM_RECORY.A[virus not found]
WORM_YAHA.B[virus not found]
WORM_YAHA.D[virus not found]
WORM_YAHA.J[virus not found]
WORM_AGOBOT.A[virus not found]
WORM_RECERV.A[virus not found]
PE_IDTSYS.A-O[virus not found]
TROJ_SYSTENTRY.A[virus not found]
WORM_SQLP1434.A[virus not found]
WORM_NETSPREE.A[virus not found]
BKDR_ZDEMON.10[virus not found]
VBS_GAGGLE.C[virus not found]
VBS_MOON.L[virus not found]
VBS_CIAN.A[virus not found]
VBS_CIAN.C[virus not found]
WORM_OROR.L[virus not found]
PE_DUPATOR.1503[virus not found]
PE_LOVGATE.I-N[virus not found]
WORM_LOVGATE.B[virus not found]
WORM_LOVGATE.C[virus not found]
WORM_LOVGATE.D[virus not found]
WORM_GIBE.B[virus not found]
WORM_YAHA.P[virus not found]
WORM_KAZMOR.A[virus not found]
WORM_DELODER.A[virus not found]
WORM_BIBROG.C[virus not found]
PE_PARITE.A[virus not found]
WORM_LOVGATE.F-G[virus not found]
WORM_OROR.AI[virus not found]
TROJ_SPEEDIA.C[virus not found]
WORM_CULT.A[virus not found]
WORM_WANOR.A[virus not found]
WORM_AGOBOT.E[virus not found]
WORM_LOVGATE.A[virus not found]
WORM_NICEHELLO.A[virus not found]
BKDR_IROFFER.A[virus not found]
TROJ_APHER.H[virus not found]
TROJ_KILLAV.P[virus not found]
BKDR_SDBOT.05.AX[virus not found]
TROJ_INNENET.A[virus not found]
WORM_DEBORM.R[virus not found]
VBS_LOVELORN.A[virus not found]
WORM_DEBORM.Q[virus not found]
VBS_ATOMIC.A[virus not found]
BKDR_OPTIXPRO.12[virus not found]
BKDR_IRCFLOOD.GI[virus not found]
WORM_FIZZER.A[virus not found]
WORM_SOBIG.B[virus not found]
PE_HEZHI.A[virus not found]
WORM_MELARE.A[virus not found]
WORM_SOBIG.C[virus not found]
BAT_SPYBOT.A[virus not found]
PE_BUGBEAR.B[virus not found]
WORM_MOFEI.B[virus not found]
WORM_MOFEI.A[virus not found]
TROJ_CHECKIN.B[virus not found]
WORM_NARIK.A[virus not found]
WORM_SPYBOT.GEN[virus found]
BKDR_IROFFER12.A[virus not found]
WORM_SOBIG.D[virus not found]
WORM_SOBIG.E[virus not found]
WORM_MUMU.B[virus not found]
WORM_KLEXE.A[virus not found]
TROJ_ZASIL.B[virus not found]
WORM_RANDEX.C[virus not found]
BKDR_SLAS.A[virus not found]
PE_VALLA.A[virus not found]
BKDR_SDBOT.P[virus not found]
WORM_MYLIFE.M[virus not found]
IRC_SERVU.A[virus not found]
WORM_SOBIG.A[virus not found]
WORM_MOFEI.C[virus not found]
WORM_GRAPS.A[virus not found]
PE_GIWIN.C[virus not found]
TROJ_QQSENDMSG.A[virus not found]
WORM_MOUSELOM.A[virus not found]
WORM_MOFEI.D[virus not found]
WORM_YAHA.T[virus not found]
BKDR_REBBEW.A[virus not found]
BKDR_KOTN.A[virus not found]
WORM_RANDEX.D[virus not found]
WORM_JANTIC.B[virus not found]
WORM_SACHIEL.F[virus not found]
WORM_JANTIC.F[virus not found]
BKDR_SDBOT05.A[virus not found]
WORM_WARPIGS.A[virus not found]
BKDR_SDBOT.A[virus not found]
BKDR_FLUXAY.A[virus not found]
BKDR_LANFILT.B[virus not found]
TROJ_SINIS.A[virus not found]
WORM_WINUR.C[virus not found]
WORM_FIBOT.022[virus not found]
WORM_MALDAL.D[virus not found]
BKDR_Y3KRAT.02[virus not found]
BAT_IROFFER12.A[virus not found]
TROJ_CLICKER.B[virus not found]
BKDR_RUSSKI.A[virus not found]
WORM_MIMAIL.A[virus not found]

Complete time : Sun Aug 03 23:57:55 2003

Execute pattern count(476), Virus clean count(1), Clean failed count(0)


----------



## Top Banana (Nov 11, 2002)

Scan with HijackThis, put a checkmark at and "Fix checked" the following entries. Close all windows except HijackThis before fixing.

O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\Program Files\CommonName\Toolbar\CNBabe.dll
O4 - HKLM\..\Run: [babeie] rundll32 "C:\Program Files\CommonName\Toolbar\CNBabe.dll",DllStartup
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
O4 - HKLM\..\Run: [Winsock2 driver] EXPLORER.EXE
O8 - Extra context menu item: Add A Page Note - C:\Program Files\CommonName\Toolbar\createnote.htm
O8 - Extra context menu item: Bookmark This Page - C:\Program Files\CommonName\Toolbar\createbookmark.htm
O8 - Extra context menu item: Email This Link - C:\Program Files\CommonName\Toolbar\emaillink.htm
O8 - Extra context menu item: Search using CommonName - C:\Program Files\CommonName\Toolbar\navigate.htm
O11 - Options group: [CommonName] CommonName

Restart your computer and delete

C:\WINNT\system32\Explorer.exe file.

Download Spybot S&D. Update SS&D via the "Online" tab. Search for and download all updates. Close all browser windows, hit "Check for problems". After scan hit "Fix selected problems".


----------



## sa1794 (Aug 3, 2003)

> _Originally posted by Top Banana:_
> *Scan with HijackThis, put a checkmark at and "Fix checked" the following entries. Close all windows except HijackThis before fixing.
> 
> O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\Program Files\CommonName\Toolbar\CNBabe.dll
> ...


I did everything above. The only problem is that I'm not allowed to delete C:\WINNT\system32\Explorer.exe file. It says the file is being used by windows.


----------



## Top Banana (Nov 11, 2002)

Restart in Safe mode and delete C:\WINNT\system32\Explorer.exe file.


----------



## sa1794 (Aug 3, 2003)

> _Originally posted by Top Banana:_
> *Restart in Safe mode and delete C:\WINNT\system32\Explorer.exe file. *


I just tried to delete it in the safe mode. It still doesn't allow me to delete it.


----------



## seahorse321 (Aug 5, 2003)

I also got spybot.worm.gen. I deleted 3 files that mcafee found (TFTP1508, TFTP2548, and TFTP892). After deleting them my computer no long reboots itself. However, I am uncertain whether I removed everything I need to. I ran highjack this and saved the log. Can someone please look at the log and tell me if it looks normal? If something is still wrong, what should I do to fix it? Thank you.

Logfile of HijackThis v1.96.0
Scan saved at 12:45:58 PM, on 8/5/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Use Custom Search URL = 
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0\aoltray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0251f502ac7d00/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## Flrman1 (Jul 26, 2002)

seahorse321

Welcome to TSG!

Run Hijack This again and put a check by these. Close all browser windows and "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findthewebsiteyouneed.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Use Custom Search URL = 

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

Restart your computer.

Then go here http://spybot.eon.net.au/index.php?lang=en&page=download and download Spybot.

Install the program and launch it.

Before scanning press "Online" and "Search for Updates" .

Put a check mark at and install all updates.

Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds.

Restart your computer.

Be sure and take advantage of the "Immunize" feature in Spybot.

Finally go here http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 for info on how this happens and how to prevent future attacks. 
On this page you will find a link to Javacool's SpywareBlaster. Get it and check for updates frequently. 
The Immunize feature in Spybot used in conjunction with SpywareBlaster will go a long way towards keeping you spyware free.


----------



## seahorse321 (Aug 5, 2003)

It caught several and fixed them. Thanks for your help. I appreciate it.


----------



## Flrman1 (Jul 26, 2002)

:up:


----------



## bunderhood (Aug 6, 2003)

can someone look at my log and tell me what I need to repair please?


----------



## bunderhood (Aug 6, 2003)

Logfile of HijackThis v1.96.0
Scan saved at 12:26:56 PM, on 8/6/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\uptodate.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\RVP\bpc.exe
C:\Program Files\Srng\Srng.exe
C:\WINDOWS\TVMD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\MSCONFIG32.EXE
C:\Program Files\ClientMan\mscman.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\Program Files\ClientMan\msckin.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\ClientMan\run\ause3.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\melissa\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srng.net/search/9885/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9885&s=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ughh.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ewebsearch.net/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adulthyperlinks.com/favorites/8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9885&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srng.net/search/9885/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.ewebsearch.net/
O1 - Hosts: 216.40.250.77 easypic.com
O1 - Hosts: 216.40.250.77 google.com
O1 - Hosts: 216.40.250.77 pichunter.com
O1 - Hosts: 216.40.250.77 *****slot.com
O1 - Hosts: 216.40.250.77 sexocean.com
O1 - Hosts: 216.40.250.77 worldsex.com
O1 - Hosts: 216.40.250.77 www.easypic.com
O1 - Hosts: 216.40.250.77 www.google.com
O1 - Hosts: 216.40.250.77 www.pichunter.com
O1 - Hosts: 216.40.250.77 www.*****slot.com
O1 - Hosts: 216.40.250.77 www.sexocean.com
O1 - Hosts: 216.40.250.77 www.worldsex.com
O1 - Hosts: 64.135.204.60 top.darkcollection.com
O1 - Hosts: 64.135.204.60 www.cybernymphets.com
O1 - Hosts: 64.135.204.60 top.wild-nymphets.com
O1 - Hosts: 64.135.204.60 archive.play-lolita.com
O1 - Hosts: 64.135.204.60 duvx.com
O1 - Hosts: 64.135.204.60 top.play-lolita.com
O1 - Hosts: 64.135.204.60 www.500galleries.com
O1 - Hosts: 64.135.204.60 500galleries.com
O1 - Hosts: 64.135.204.60 www.exitforcash.com
O1 - Hosts: 64.135.204.60 lol.to
O1 - Hosts: 64.135.204.60 www.lol.to
O1 - Hosts: 64.135.204.60 lolitazone.com
O1 - Hosts: 64.135.204.60 www.lolitazone.com
O1 - Hosts: 64.135.204.60 www.smutserver.com
O1 - Hosts: 64.135.204.60 www2.smutserver.com
O1 - Hosts: 64.135.204.60 www10.smutserver.com
O1 - Hosts: 64.135.204.60 www13.smutserver.com
O1 - Hosts: 64.135.204.60 www21.smutserver.com
O1 - Hosts: 64.135.204.60 www22.smutserver.com
O1 - Hosts: 64.135.204.60 www.x-x-x-hosting.com
O1 - Hosts: 64.135.204.60 www.kinghost.com
O1 - Hosts: 64.135.204.60 www6.kinghost.com
O1 - Hosts: 64.135.204.60 www7.kinghost.com
O1 - Hosts: 64.135.204.60 www8.kinghost.com
O1 - Hosts: 64.135.204.60 www9.kinghost.com
O1 - Hosts: 64.135.204.60 www.blinghosting.com
O1 - Hosts: 64.135.204.60 www.xfreehosting.com
O1 - Hosts: 64.135.204.60 www.smuthosts.com
O1 - Hosts: 64.135.204.60 www.xxxvideohost.com
O1 - Hosts: 64.135.204.60 www.amateursgonebad.com
O2 - BHO: (no name) - {000000DA-0786-4633-87C6-1AA7A4429EF1} - C:\WINDOWS\System32\emesx.dll
O2 - BHO: (no name) - {004B23E0-1E63-4ED6-BCAC-922BA26CF096} - (no file)
O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - C:\PROGRA~1\CLIENT~1\run\2IN188~1.DLL
O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\System32\msiefr40.dll
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,2,0.dll
O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2ab29b} - C:\Program Files\Srng\SNHelper.dll
O2 - BHO: (no name) - {166348F1-2C41-4C9F-86BB-EB2B8ADE030C} - C:\Program Files\ClientMan\run\msvrfy804449fd.dll
O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\PROGRA~1\CLIENT~1\run\TRACKU~1.DLL
O2 - BHO: (no name) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - C:\WINDOWS\System32\netpal.dll (file missing)
O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - (no file)
O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll
O2 - BHO: (no name) - {96BE1D9A-9E54-4344-A27A-37C088D64FB4} - C:\Program Files\ClientMan\run\dnsrepa9c22ca5.dll
O2 - BHO: (no name) - {A097840A-61F8-4B89-8693-F68F641CC838} - C:\Program Files\ClientMan\run\urlcli50c9d9fa.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,2,0.dll
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\elijah's converted music\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer
O4 - HKLM\..\Run: [RVP] "C:\Program Files\RVP\bpc.exe"
O4 - HKLM\..\Run: [srng] \Program Files\Srng\Srng.exe
O4 - HKLM\..\Run: [TVMD] C:\WINDOWS\TVMD.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PopUpInspector] C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
O4 - HKLM\..\Run: [WincognitoPopUpBlocker] C:\PROGRA~1\WINCOG~1\POPUPB~1\PopUpBlocker RunAtStartUp
O4 - HKLM\..\Run: [Super Pop Up Ad Killer] C:\Program Files\NET2SOFT\Super Pop Up Ad Killer\Super Pop Up Ad Killer.exe
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [ClientMan1] C:\Program Files\ClientMan\mscman.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Startup: iMesh.lnk = C:\Program Files\iMesh\Client\iMeshClient.exe
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mpga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://www.netmails.com/members/joanecumming/jlj.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19eb85928fd0347a7005/netzip/RdxIE601.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.totalvelocity.com/MemoryMeterbb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6917EE95-20C8-455A-BE7C-8CC42D8DCBF9}: NameServer = 63.203.35.55 206.13.28.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{6917EE95-20C8-455A-BE7C-8CC42D8DCBF9}: NameServer = 63.203.35.55 206.13.28.12


----------



## $teve (Oct 9, 2001)

welcome to T.S.G bunderhood 

you need to run an antivirus scan 1st because your infected.

http://housecall.trendmicro.com/

and you have an horrendous amount of spy and adware....im surprised your computer works at all.

go here:http://beam.to/spybotsd
download "spybot" check for and download any updates before you scan..whatever spybot finds its safe to delete(fix)

after that,re-boot and post another hijackthis logfile.


----------



## bunderhood (Aug 6, 2003)

I did a scan and it deleted all but one file...and I have used spybot recently...one of the infected files was actually called w32 spybot worm....does this help at all?


----------



## $teve (Oct 9, 2001)

post a 2nd logfile and lets see what horrors you have in there.
i still have your 1st log on my desktop so we can compare the two

and dont panic........you came to the right place


----------



## bunderhood (Aug 6, 2003)

Logfile of HijackThis v1.96.0
Scan saved at 1:10:03 PM, on 8/6/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\uptodate.exe
C:\WINDOWS\rundll16.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\RVP\bpc.exe
C:\Program Files\Srng\Srng.exe
C:\WINDOWS\TVMD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\MSCONFIG32.EXE
C:\Program Files\ClientMan\mscman.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\Program Files\ClientMan\msckin.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\ClientMan\run\ause3.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\melissa\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srng.net/search/9885/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9885&s=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ughh.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ewebsearch.net/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adulthyperlinks.com/favorites/8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9885&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srng.net/search/9885/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.ewebsearch.net/
O1 - Hosts: 216.40.250.77 easypic.com
O1 - Hosts: 216.40.250.77 google.com
O1 - Hosts: 216.40.250.77 pichunter.com
O1 - Hosts: 216.40.250.77 *****slot.com
O1 - Hosts: 216.40.250.77 sexocean.com
O1 - Hosts: 216.40.250.77 worldsex.com
O1 - Hosts: 216.40.250.77 www.easypic.com
O1 - Hosts: 216.40.250.77 www.google.com
O1 - Hosts: 216.40.250.77 www.pichunter.com
O1 - Hosts: 216.40.250.77 www.*****slot.com
O1 - Hosts: 216.40.250.77 www.sexocean.com
O1 - Hosts: 216.40.250.77 www.worldsex.com
O1 - Hosts: 64.135.204.60 top.darkcollection.com
O1 - Hosts: 64.135.204.60 www.cybernymphets.com
O1 - Hosts: 64.135.204.60 top.wild-nymphets.com
O1 - Hosts: 64.135.204.60 archive.play-lolita.com
O1 - Hosts: 64.135.204.60 duvx.com
O1 - Hosts: 64.135.204.60 top.play-lolita.com
O1 - Hosts: 64.135.204.60 www.500galleries.com
O1 - Hosts: 64.135.204.60 500galleries.com
O1 - Hosts: 64.135.204.60 www.exitforcash.com
O1 - Hosts: 64.135.204.60 lol.to
O1 - Hosts: 64.135.204.60 www.lol.to
O1 - Hosts: 64.135.204.60 lolitazone.com
O1 - Hosts: 64.135.204.60 www.lolitazone.com
O1 - Hosts: 64.135.204.60 www.smutserver.com
O1 - Hosts: 64.135.204.60 www2.smutserver.com
O1 - Hosts: 64.135.204.60 www10.smutserver.com
O1 - Hosts: 64.135.204.60 www13.smutserver.com
O1 - Hosts: 64.135.204.60 www21.smutserver.com
O1 - Hosts: 64.135.204.60 www22.smutserver.com
O1 - Hosts: 64.135.204.60 www.x-x-x-hosting.com
O1 - Hosts: 64.135.204.60 www.kinghost.com
O1 - Hosts: 64.135.204.60 www6.kinghost.com
O1 - Hosts: 64.135.204.60 www7.kinghost.com
O1 - Hosts: 64.135.204.60 www8.kinghost.com
O1 - Hosts: 64.135.204.60 www9.kinghost.com
O1 - Hosts: 64.135.204.60 www.blinghosting.com
O1 - Hosts: 64.135.204.60 www.xfreehosting.com
O1 - Hosts: 64.135.204.60 www.smuthosts.com
O1 - Hosts: 64.135.204.60 www.xxxvideohost.com
O1 - Hosts: 64.135.204.60 www.amateursgonebad.com
O2 - BHO: (no name) - {000000DA-0786-4633-87C6-1AA7A4429EF1} - C:\WINDOWS\System32\emesx.dll
O2 - BHO: (no name) - {004B23E0-1E63-4ED6-BCAC-922BA26CF096} - (no file)
O2 - BHO: (no name) - {00A0A40C-F432-4C59-BA11-B25D142C7AB7} - C:\PROGRA~1\CLIENT~1\run\2IN188~1.DLL
O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\System32\msiefr40.dll
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,2,0.dll
O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2ab29b} - C:\Program Files\Srng\SNHelper.dll
O2 - BHO: (no name) - {166348F1-2C41-4C9F-86BB-EB2B8ADE030C} - C:\Program Files\ClientMan\run\msvrfy804449fd.dll
O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\PROGRA~1\CLIENT~1\run\TRACKU~1.DLL
O2 - BHO: (no name) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - C:\WINDOWS\System32\netpal.dll (file missing)
O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - (no file)
O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll
O2 - BHO: (no name) - {96BE1D9A-9E54-4344-A27A-37C088D64FB4} - C:\Program Files\ClientMan\run\dnsrepa9c22ca5.dll
O2 - BHO: (no name) - {A097840A-61F8-4B89-8693-F68F641CC838} - C:\Program Files\ClientMan\run\urlcli50c9d9fa.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,2,0.dll
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\elijah's converted music\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer
O4 - HKLM\..\Run: [RVP] "C:\Program Files\RVP\bpc.exe"
O4 - HKLM\..\Run: [srng] \Program Files\Srng\Srng.exe
O4 - HKLM\..\Run: [TVMD] C:\WINDOWS\TVMD.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PopUpInspector] C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
O4 - HKLM\..\Run: [WincognitoPopUpBlocker] C:\PROGRA~1\WINCOG~1\POPUPB~1\PopUpBlocker RunAtStartUp
O4 - HKLM\..\Run: [Super Pop Up Ad Killer] C:\Program Files\NET2SOFT\Super Pop Up Ad Killer\Super Pop Up Ad Killer.exe
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [ClientMan1] C:\Program Files\ClientMan\mscman.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Startup: iMesh.lnk = C:\Program Files\iMesh\Client\iMeshClient.exe
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mpga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://www.netmails.com/members/joanecumming/jlj.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19eb85928fd0347a7005/netzip/RdxIE601.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {AFDBB6D0-6B96-419C-8BC6-FF0B99368C0B} - http://www.totalvelocity.com/MemoryMeterbb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6917EE95-20C8-455A-BE7C-8CC42D8DCBF9}: NameServer = 63.203.35.55 206.13.28.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{6917EE95-20C8-455A-BE7C-8CC42D8DCBF9}: NameServer = 63.203.35.55 206.13.28.12


----------



## bunderhood (Aug 6, 2003)

should I still DL spybot?


----------



## bunderhood (Aug 6, 2003)

I used norton before I am trying the one you posted...will take a few minutes


----------



## $teve (Oct 9, 2001)

> _Originally posted by bunderhood:_
> *should I still DL spybot? *


yes.....definately run spybot..........it will take out a lot of the crap.

then post another log after the spybot scan and fix.......its easier to go through your H/T logfile if we can let spybot take out what it can.


----------



## bunderhood (Aug 6, 2003)

ADW Tenget .A was what the scan says...non cleanable...what should I do?


----------



## $teve (Oct 9, 2001)

> _Originally posted by bunderhood:_
> *ADW Tenget .A was what the scan says...non cleanable...what should I do? *


i think this is possibly a variant of the "igetnet" parasite and not a true virus.

run spybot......re-boot and post another hijackthis log


----------



## bunderhood (Aug 6, 2003)

Logfile of HijackThis v1.96.0
Scan saved at 1:53:35 PM, on 8/6/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\TVMD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\melissa\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ughh.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ewebsearch.net/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adulthyperlinks.com/favorites/8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.ewebsearch.net/
O1 - Hosts: 216.40.250.77 easypic.com
O1 - Hosts: 216.40.250.77 google.com
O1 - Hosts: 216.40.250.77 pichunter.com
O1 - Hosts: 216.40.250.77 *****slot.com
O1 - Hosts: 216.40.250.77 sexocean.com
O1 - Hosts: 216.40.250.77 worldsex.com
O1 - Hosts: 216.40.250.77 www.google.com
O1 - Hosts: 216.40.250.77 www.pichunter.com
O1 - Hosts: 216.40.250.77 www.*****slot.com
O1 - Hosts: 216.40.250.77 www.worldsex.com
O1 - Hosts: 64.135.204.60 top.darkcollection.com
O1 - Hosts: 64.135.204.60 www.cybernymphets.com
O1 - Hosts: 64.135.204.60 top.wild-nymphets.com
O1 - Hosts: 64.135.204.60 archive.play-lolita.com
O1 - Hosts: 64.135.204.60 duvx.com
O1 - Hosts: 64.135.204.60 top.play-lolita.com
O1 - Hosts: 64.135.204.60 www.500galleries.com
O1 - Hosts: 64.135.204.60 500galleries.com
O1 - Hosts: 64.135.204.60 www.exitforcash.com
O1 - Hosts: 64.135.204.60 lol.to
O1 - Hosts: 64.135.204.60 www.lol.to
O1 - Hosts: 64.135.204.60 lolitazone.com
O1 - Hosts: 64.135.204.60 www.lolitazone.com
O1 - Hosts: 64.135.204.60 www.smutserver.com
O1 - Hosts: 64.135.204.60 www2.smutserver.com
O1 - Hosts: 64.135.204.60 www10.smutserver.com
O1 - Hosts: 64.135.204.60 www13.smutserver.com
O1 - Hosts: 64.135.204.60 www21.smutserver.com
O1 - Hosts: 64.135.204.60 www22.smutserver.com
O1 - Hosts: 64.135.204.60 www.x-x-x-hosting.com
O1 - Hosts: 64.135.204.60 www.kinghost.com
O1 - Hosts: 64.135.204.60 www6.kinghost.com
O1 - Hosts: 64.135.204.60 www7.kinghost.com
O1 - Hosts: 64.135.204.60 www8.kinghost.com
O1 - Hosts: 64.135.204.60 www9.kinghost.com
O1 - Hosts: 64.135.204.60 www.blinghosting.com
O1 - Hosts: 64.135.204.60 www.xfreehosting.com
O1 - Hosts: 64.135.204.60 www.smuthosts.com
O1 - Hosts: 64.135.204.60 www.xxxvideohost.com
O1 - Hosts: 64.135.204.60 www.amateursgonebad.com
O2 - BHO: (no name) - {000000DA-0786-4633-87C6-1AA7A4429EF1} - C:\WINDOWS\System32\emesx.dll
O2 - BHO: (no name) - {004B23E0-1E63-4ED6-BCAC-922BA26CF096} - (no file)
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,2,0.dll
O2 - BHO: (no name) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - C:\WINDOWS\System32\netpal.dll (file missing)
O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,2,0.dll
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\elijah's converted music\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
O4 - HKLM\..\Run: [srng] \Program Files\Srng\Srng.exe
O4 - HKLM\..\Run: [TVMD] C:\WINDOWS\TVMD.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PopUpInspector] C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
O4 - HKLM\..\Run: [WincognitoPopUpBlocker] C:\PROGRA~1\WINCOG~1\POPUPB~1\PopUpBlocker RunAtStartUp
O4 - HKLM\..\Run: [Super Pop Up Ad Killer] C:\Program Files\NET2SOFT\Super Pop Up Ad Killer\Super Pop Up Ad Killer.exe
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Startup: iMesh.lnk = C:\Program Files\iMesh\Client\iMeshClient.exe
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mpga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://www.netmails.com/members/joanecumming/jlj.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19eb85928fd0347a7005/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6917EE95-20C8-455A-BE7C-8CC42D8DCBF9}: NameServer = 63.203.35.55 206.13.28.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{6917EE95-20C8-455A-BE7C-8CC42D8DCBF9}: NameServer = 63.203.35.55 206.13.28.12


----------



## bunderhood (Aug 6, 2003)

ok I did both and rebooted...still looks the same


----------



## $teve (Oct 9, 2001)

ok......give me 5 minutes to look it over


----------



## $teve (Oct 9, 2001)

in hijackthis,put a checkmark against all these entries:
then close all browser windows and hit the "fix checked" button

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.allhyperlinks.com/redir?lang={SUB_RFC1766}
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about :blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ughh.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ewebsearch.net/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adulthyperlinks.com/favorites/8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcyd.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about :blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcyd...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.ewebsearch.net/
O1 - Hosts: 216.40.250.77 easypic.com
O1 - Hosts: 216.40.250.77 google.com
O1 - Hosts: 216.40.250.77 pichunter.com
O1 - Hosts: 216.40.250.77 *****slot.com
O1 - Hosts: 216.40.250.77 sexocean.com
O1 - Hosts: 216.40.250.77 worldsex.com
O1 - Hosts: 216.40.250.77 www.google.com
O1 - Hosts: 216.40.250.77 www.pichunter.com
O1 - Hosts: 216.40.250.77 www.*****slot.com
O1 - Hosts: 216.40.250.77 www.worldsex.com
O1 - Hosts: 64.135.204.60 top.darkcollection.com
O1 - Hosts: 64.135.204.60 www.cybernymphets.com
O1 - Hosts: 64.135.204.60 top.wild-nymphets.com
O1 - Hosts: 64.135.204.60 archive.play-lolita.com
O1 - Hosts: 64.135.204.60 duvx.com
O1 - Hosts: 64.135.204.60 top.play-lolita.com
O1 - Hosts: 64.135.204.60 www.500galleries.com
O1 - Hosts: 64.135.204.60 500galleries.com
O1 - Hosts: 64.135.204.60 www.exitforcash.com
O1 - Hosts: 64.135.204.60 lol.to
O1 - Hosts: 64.135.204.60 www.lol.to
O1 - Hosts: 64.135.204.60 lolitazone.com
O1 - Hosts: 64.135.204.60 www.lolitazone.com
O1 - Hosts: 64.135.204.60 www.smutserver.com
O1 - Hosts: 64.135.204.60 www2.smutserver.com
O1 - Hosts: 64.135.204.60 www10.smutserver.com
O1 - Hosts: 64.135.204.60 www13.smutserver.com
O1 - Hosts: 64.135.204.60 www21.smutserver.com
O1 - Hosts: 64.135.204.60 www22.smutserver.com
O1 - Hosts: 64.135.204.60 www.x-x-x-hosting.com
O1 - Hosts: 64.135.204.60 www.kinghost.com
O1 - Hosts: 64.135.204.60 www6.kinghost.com
O1 - Hosts: 64.135.204.60 www7.kinghost.com
O1 - Hosts: 64.135.204.60 www8.kinghost.com
O1 - Hosts: 64.135.204.60 www9.kinghost.com
O1 - Hosts: 64.135.204.60 www.blinghosting.com
O1 - Hosts: 64.135.204.60 www.xfreehosting.com
O1 - Hosts: 64.135.204.60 www.smuthosts.com
O1 - Hosts: 64.135.204.60 www.xxxvideohost.com
O1 - Hosts: 64.135.204.60 www.amateursgonebad.com
O2 - BHO: (no name) - {000000DA-0786-4633-87C6-1AA7A4429EF1} - C:\WINDOWS\System32\emesx.dll
O2 - BHO: (no name) - {004B23E0-1E63-4ED6-BCAC-922BA26CF096} - (no file)
O2 - BHO: (no name) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - C:\WINDOWS\System32\netpal.dll (file missing)
O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll (file missing)
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
O4 - HKLM\..\Run: [srng] \Program Files\Srng\Srng.exe
O4 - HKLM\..\Run: [TVMD] C:\WINDOWS\TVMD.exe
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O4 - Startup: iMesh.lnk = C:\Program Files\iMesh\Client\iMeshClient.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://www.netmails.com/members/joanecumming/jlj.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19eb85928fd034...ip/RdxIE601.cab

if this is not your start page fix this as well:
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

re-boot into safe mode.....find and delete the following:
C:\Program Files\iMesh [entire folder]
C: \Program Files\Srng [entire folder]

now post another H/T logfile
and keep smiling


----------



## bunderhood (Aug 6, 2003)

how do I restart in safe mode...and how is the best way to find those folder?


----------



## $teve (Oct 9, 2001)

tap the f8 key as windows starts(after the beep)
you will get the boot menu......choose "safe mode"

then double-click my "computer"/your C: drive/program files and find the 2 files.
dont worry if they are no longer around,H/T may have deleted them already.

imesh is full of spyware..............kazaalite is the best spyware free alternative.


----------



## $teve (Oct 9, 2001)

The colors are only 16-bit and it all looks too big becuase Windows is only using 
the generic 16-bit video driver., but don't panic, it should all go back to normal 
when you re-boot into standard mode.


----------



## bunderhood (Aug 6, 2003)

Logfile of HijackThis v1.96.0
Scan saved at 2:37:18 PM, on 8/6/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\elijah's converted music\qttask.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\PROGRA~1\BROADJ~1\CLIENT~1\CFD.exe
C:\Documents and Settings\melissa\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,2,0.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,2,0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\elijah's converted music\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PopUpInspector] C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
O4 - HKLM\..\Run: [WincognitoPopUpBlocker] C:\PROGRA~1\WINCOG~1\POPUPB~1\PopUpBlocker RunAtStartUp
O4 - HKLM\..\Run: [Super Pop Up Ad Killer] C:\Program Files\NET2SOFT\Super Pop Up Ad Killer\Super Pop Up Ad Killer.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mpga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll


----------



## bunderhood (Aug 6, 2003)

this look ok?


----------



## bunderhood (Aug 6, 2003)

well thanks for all your help...I am about an hour late for work so I will check to see if you replied when I get home!


----------



## $teve (Oct 9, 2001)

> _Originally posted by bunderhood:_
> *this look ok? *


absolutely squeeky clean

i think you may notice a little speed hit without all that clutter.

good luck to you


----------



## PUJ (Aug 6, 2003)

Hello.

I also have the virus on the msconfig32.exe system file. Already did de Microtrend scan and found nothing. Here is the Hijack this log:

Logfile of HijackThis v1.96.0
Scan saved at 6:49:36 PM, on 8/6/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\tvicon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\MSCONFIG32.EXE
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Giovanni\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Use Custom Search URL = 
O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\IPINSIGT.DLL
O2 - BHO: (no name) - {00000580-C637-11D5-831C-00105AD6ACF0} - C:\WINDOWS\MSView.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {08351227-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\Downloaded Program Files\SbCIe027.dll
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D14641FA-445B-448E-9994-209F7AF15641} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TvIcon] tvicon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [HPLaptopGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HPLaptop\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [Sentry] C:\WINDOWS\Sentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: webdav.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: SideStep (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://spystream.babenet.com/cabs/videox.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) - 
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37834.7144097222
O16 - DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} (CDToolCtrl Class) - http://free.aol.com/tryaolfree/cdt175/aolcdt175.cab
O16 - DPF: {C72242D0-3AB5-453D-842C-8A3C9AC0838D} - http://download.sidestep.com/get/k00719/sb027.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) - 
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

Thanks for the Help.


----------



## Flrman1 (Jul 26, 2002)

PUJ

Welcome to TSG!

First off you've been hacked. See here http://www.lurhq.com/webdav.html

Run Hijack This again and put a check by these. Close all browser windows and "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Use Custom Search URL = 

O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\IPINSIGT.DLL

O2 - BHO: (no name) - {00000580-C637-11D5-831C-00105AD6ACF0} - C:\WINDOWS\MSView.DLL

O2 - BHO: (no name) - {08351227-6472-43BD-8A40-D9221FF1C4CE} - C:\WINDOWS\Downloaded Program Files\SbCIe027.dll

O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)

O2 - BHO: (no name) - {D14641FA-445B-448E-9994-209F7AF15641} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [Sentry] C:\WINDOWS\Sentry.exe

O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE

O4 - Global Startup: webdav.exe

O9 - Extra button: SideStep (HKLM)

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://spystream.babenet.com/cabs/videox.cab

O16 - DPF: {C72242D0-3AB5-453D-842C-8A3C9AC0838D} - http://download.sidestep.com/get/k00719/sb027.cab

Restart your computer in safe mode and delete:
The C:\WINDOWS\Sentry.exe file
The C:\WINDOWS\System32\MSCONFIG32.EXE file 
The C:\Documents and Settings\All Users\Start Menu\Programs\Startup\webdav.exe

See here http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 for how to start in safe mode if you don't know how.

Post another HT log when finished.


----------



## sa1794 (Aug 3, 2003)

My infected file is c: \winnt\system32\explorer.exe

I use Norton AV realtime protection. But somehow this worm still got through. But Norton AV can't clean it because the access is denied.

I couldn't delete this file because it's being used by windows. I tried to delete it in the safe mode, it didn't work either.

Can anyone pleeeeeese help me out here?

Here's my HJ log:

Logfile of HijackThis v1.96.0
Scan saved at 6:33:19, on 2003-8-6
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NAV\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\cba\pds.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\NAV\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\system32\ams_ii\hndlrsvc.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\system32\Explorer.exe
C:\WINNT\EXPLORER.EXE
C:\WINNT\loadqm.exe
C:\PROGRA~1\NAV\vptray.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\WINNT\TPPALDR.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINNT\System32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WeatherCast\Weather.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Documents and Settings\Shaun Au\desktop\HijackThis.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: ????? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NAV\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINNT\TPPALDR.EXE
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [Winsock2 driver] EXPLORER.EXE
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WeatherCast] C:\Program Files\WeatherCast\Weather.exe /q
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: NTUSER.DAT
O4 - Startup: ntuser.dat.LOG
O4 - Startup: ntuser.ini
O4 - Global Startup: ntuser.pol
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://wcs00180.egain.net/wcsapp/weblib/Javascript/messaging/ie/SecMgr.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {BA0F088C-72C1-475A-92F8-42391DEF6961} (BlueskyAudio Class) - http://202.96.140.88/vchat/blueskyvoice.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4282/mcfscan.cab


----------



## pfco (Aug 7, 2003)

Can someone look mine over to see how it looks?
I really appreciate any help....

Logfile of HijackThis v1.96.0
Scan saved at 9:53:58 PM, on 8/6/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETWORK ICE\BLACKICE\BLACKD.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\RAM IDLE\RAMIDLE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\ATI\ATIDESK\ATISCHED.EXE
C:\PROGRAM FILES\NETWORK ICE\BLACKICE\BLACKICE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\MIRC\MIRC.EXE
C:\WINDOWS\NETDDE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\A5\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-explorer.net/search_page.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-explorer.net/search_page.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pinkfloyd-co.com/mast_idx.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search-explorer.net/search_page.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = gopher= :1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Use Custom Search URL = 
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar_en_1.1.70-deleon.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\PROGRAM FILES\EARTHLINK POP-UP BLOCKER\PNEL.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_1.1.70-deleon.dll
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\PROGRAM FILES\EARTHLINK POP-UP BLOCKER\PNEL.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RAM Idle] C:\Program Files\RAM Idle\RAMIdle.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [RNBOStart] C:\WINDOWS\SYSTEM\RNBOSENT\SENTSTRT.EXE
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [LoadBlackD] "C:\PROGRAM FILES\NETWORK ICE\BLACKICE\BLACKD.EXE"
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWD3DSND.EXE
O4 - Startup: ATISched.lnk = C:\ati\ATIDESK\atisched.exe
O4 - Startup: BlackICE PC Protection.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &WebClip to MySpace - C:\WINDOWS\SYSTEM\WebClipL.htm
O8 - Extra context menu item: &NeoTrace It! - C:\Program Files\NeoTracePro\NTXcontext.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.70-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.70-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.70-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.70-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.70-DELEON.DLL/cmtrans.html
O9 - Extra button: NeoTrace It! (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .exe: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .m3u: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {84435880-E516-11D3-B402-009027AF4895} (WebInstall Class) - http://www.myspace.com/webinstaller/Installer.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Template Gallery) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0251f502ac7d00/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {71CA4411-45EC-4608-B9D7-6D4B6A9D1BB4} (Attenza System Profiler) - http://service.dell.com/dell/SystemProfiler.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.es/activescan/as/asinst.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLcd.CAB
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1500/www.contentwatch.com/audit/includes/ContentAuditControl_v3.cab
O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (RavOnline Control) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {637BB540-6ABA-11D4-901D-00D0090CB3BC} (FMClass Class) - http://www.flashants.com/codebase/fmplayer.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - http://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
O16 - DPF: {8C6C6922-6258-44AC-9912-53964AC55276} (xload Class) - http://217.160.140.67/download/xloader10.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37601.1764583333
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2159a02f2f4ce93da206/netzip/RdxIE6.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.kats-korner.com/wfplayer/tdserver.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.4everyone.com/searchbar/Install.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) - 
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) - 
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.refurbdepot.com/CFIDE/classes/CFJava.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4280/mcfscan.cab

Thanks alot!!

Joe


----------



## DeadCityCent (Aug 7, 2003)

Hello. I am new here and have a problem very similar to a few others in this thread. Norton detected the w32.spybot.worm in my C:\WINDOWS\system32\IEXPLORE.EXE file. Because it's being used by windows, I can't delete it. Norton couldn't. So I ran hijack. This is my hj log. I appreciate all the help I can get. 
Logfile of HijackThis v1.96.0
Scan saved at 11:12:49 PM, on 8/6/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\BBStore\DSS\dssagent.exe
C:\Program Files\Save\Save.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Broderbund\The Print Shop\PS11.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM95\aim.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Use Custom Search URL = dword:00000001
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_20.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googlenav0.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googlenav0.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\BBStore\DSS\dssagent.exe
O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [Winsock2 driver] IEXPLORE.EXE
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopupDestroyer] C:\Program Files\Popup Eraser\Popup Eraser.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???????\WkDetect.exe
O4 - HKCU\..\Run: [Forbes] C:\Program Files\Forbes\ForbesAlerts.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GoogleNav0.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GoogleNav0.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GoogleNav0.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GoogleNav0.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GoogleNav0.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Copernic Agent (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0837663e2b7afb694400/netzip/RdxIE601.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37693.3793055556
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab


----------



## agentcooper (Aug 7, 2003)

Hi, I just found this forum because it looks like I'm having some of the same trouble you guys are. I hope I can get help here. I tried some of the things you guys have mentioned already. I downloaded and ran hijack this and removed a few files, like the msconfig.exe. I restarted in safe mode and it let me go to RUN and enter msconfig. I somehow stopped the Norton Antivirus from popping up saying I have a Spybot worm, but now I'm back in regular mode and when I enter anything under RUN, it still won't do anything. It will just close. I ran a check under hijack this and this is what I have now:

Logfile of HijackThis v1.96.0
Scan saved at 10:41:11 PM, on 8/6/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\MSCONFIG32.EXE
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\Common Files\Symantec Shared\Nmain.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navw32.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=searchfavweb&c=3c01&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {730F2451-A3FE-4A72-938C-FC8A74F15978} - (no file)
O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - (no file)
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Support (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {3FC76754-41A5-11D2-9370-00A0C9B1E042} (ColoringCtl Class) - http://www.kiddonet.com/lapware/actmenu/coloring/Coloring.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37820.2698032407
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://www.pulse3d.com/players/english/5.2/win/PulsePlayer5.2AxWin.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C197269-0BCD-49FB-BB50-99C6AA636A24}: NameServer = 205.188.197.4

Any help you guys could give me would be greatly appreciated.

thanks,

Curt


----------



## ehurdle (Aug 7, 2003)

Hello.
I know you're tired of hearing this, but I am also infected by this worm. It is located here:

C;\Documents and Settings\ehurdle\Desktop\wincfg.scr

Here is my Hijack information:
============
Logfile of HijackThis v1.96.0
Scan saved at 12:19:20 AM, on 8/7/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\NORTON~3\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~3\npssvc.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus NT\POPROXY.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\WINDOWS\System32\WINCFG.SCR
C:\PROGRA~1\NORTON~1\NORTON~3\alertsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus NT\NAVAPW32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\ND Tools\Search Utility\cdsutil.exe
C:\Program Files\Common Files\Symantec Shared\NMAIN.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\ehurdle\Local Settings\Temp\HijackThis.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\AIM95\aim.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wral.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Use Custom Search URL = 
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\NORTON~1\NORTON~3\npscheck.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton SystemWorks\Norton Antivirus NT\POPROXY.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\NORTON~3\defalert.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Winsock2 driver] WINCFG.SCR
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Norton SystemWorks\Norton Antivirus NT\NAVAPW32.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GoogleToolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GoogleToolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GoogleToolbar.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GoogleToolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GoogleToolbar.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.support.fastaccess.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50003/btiein.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.30/Hiwire.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/231c35800e2d1b0f3303/netzip/RdxIE601.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37702.3403819444
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/4/download/pdpplugin_5094_bundle7v1p10.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE1765AA-7CBA-48CD-9FD6-CD951A624CDE}: NameServer = 205.152.244.252 205.152.37.254

========
Thanks
Eferem Hurdle


----------



## SuPeR DaViD (Aug 7, 2003)

Norton just found this virus on my computer too. It located the W32.Spybot.Worm in "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\webdav.exe". It is unable to repair or access the file. I quarantined the file for now because I am unsure of what action I should take at the moment. Before Norton found this virus the following things happened to my computer:

1) Was repeatedly rebooting (this has stopped now)
2) I am unable to open regedit or the task manager (they stay open for less than a second)
3) New files in the folder that the virus was located (don't know if they are good or bad): TFTP1028, TFTP1408, and TFTP3328.

I'm just following everyone else and posting a log from HijackThis. Could you guys help me out and tell me if I have anything that needs to be fixed?

Logfile of HijackThis v1.96.0
Scan saved at 10:50:49 PM, on 8/6/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\System32\MSCONFIG32.EXE
C:\Program Files\Microsoft Money\System\reminder.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Microsoft Office\OSA.EXE
C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\WINDOWS\System32\mdm.exe
C:\Documents and Settings\user1\Desktop\David + Chris Games\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www2.mybc.com/home_page.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\E2G\IeBHOs.dll
O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\OSA.EXE
O4 - Global Startup: TFTP1028
O4 - Global Startup: TFTP1408
O4 - Global Startup: TFTP3328
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Free Surfer (HKLM)
O9 - Extra 'Tools' menuitem: Free Surfer (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37593.5798148148
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E9041F85-3C18-4A7E-A29D-E24F84B79BF1} - http://216.133.83.162/downloads/UGO20.exe
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://webmap.city.abbotsford.bc.ca/webmap/AppRequirements/Acgm.cab


----------



## PUJ (Aug 6, 2003)

Here is the new log. Please let me know if everything looks good. Thanks for your help!

Logfile of HijackThis v1.96.0
Scan saved at 2:41:24 AM, on 8/7/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\tvicon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\SXTVFJLOVR.EXE
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Giovanni\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TvIcon] tvicon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [HPLaptopGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HPLaptop\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [MSConfig] SXTVFJLOVR.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/pavilion/e-center
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) - 
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37834.7144097222
O16 - DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} (CDToolCtrl Class) - http://free.aol.com/tryaolfree/cdt175/aolcdt175.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) - 
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab


----------



## $teve (Oct 9, 2001)

sa1794............put a checkmark next to this item:
O4 - HKLM\..\Run: [Winsock2 driver] EXPLORER.EXE
close all open browser/explorer windows and "fix checked"
re-boot to let the change take effect.


----------



## urzah (Aug 7, 2003)

Hello, 
I am most certainly new to this site so forgive any mistakes please. First, my copy of NAV says that it has detected the W32.Spybot.Worm virus in the following location:
C:\WINDOWS\system32\msconfig32.exe

I have tried nearly everything to get rid of this pest. I can't access my registry bcause the register editor will only stay open for about a second before shutting down, the same as with my task manager.

Please help me if you can. Also, I can't find the backup utility on my computer (Windows XP Home Edition). It's not were its supposed to be (Accessories->System Tools)

Here are the hijackthis.log and startuplist files:

Logfile of HijackThis v1.96.0
Scan saved at 11:30:30 PM, on 8/6/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ZipToA.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\MSCONFIG32.EXE
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Johnathon Sample\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Use Custom Search URL = 
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\OneTouchMon.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com/start.html
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://sc.communities.msn.com/contr...t/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B357A67-3429-4BF6-A543-AEC30D33D53B}: NameServer = 67.65.240.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{3B357A67-3429-4BF6-A543-AEC30D33D53B}: NameServer = 67.65.240.4

StartupList report, 8/6/2003, 11:32:04 PM
StartupList version: 1.52
Started from : C:\Documents and Settings\Johnathon Sample\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ZipToA.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\MSCONFIG32.EXE
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Johnathon Sample\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

EM_EXEC = C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
Iomega Startup Options = C:\Program Files\Iomega\Common\ImgStart.exe
Iomega Drive Icons = C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
OneTouch Monitor = C:\PROGRA~1\VISION~1\OneTouchMon.exe
CXMon = "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
Share-to-Web Namespace Daemon = C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
MSConfig = MSCONFIG32.EXE

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

MSConfig = MSCONFIG32.EXE

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\MARINE~1.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - C:\Program Files\Microsoft Money\System\mnyviewer.dll - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/...director/sw.cab

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

[PWMediaSendControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PWActiveXImgCtl.dll
CODEBASE = http://216.249.25.152/code/PWActiveXImgCtl.CAB

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/...ash/swflash.cab

[MSN Chat Control 4.5]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MSNChat45.ocx
CODEBASE = http://sc.communities.msn.com/contr...t/msnchat45.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 5,293 bytes
Report generated in 0.047 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Please tell me what to do!

Help me Obi Wan Kenobi, you're my only hope!


----------



## Top Banana (Nov 11, 2002)

Scan with HijackThis, put a checkmark at and "Fix checked" the following entries.

O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB

Restart your computer and delete

C:\WINDOWS\System32\MSCONFIG32.EXE file.


----------



## $teve (Oct 9, 2001)

hi joe [PFCO]......and welcome to T.S.G

just a bit of spring cleaning is all.

check these entries off....close all open windows and "fix checked"

R3 - Default URLSearchHook is missing
O16 - DPF: {8C6C6922-6258-44AC-9912-53964AC55276} (xload Class) - http://217.160.140.67/download/xloader10.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2159a02f2f4ce93da206/netzip/RdxIE6.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.kats-korner.com/wfplayer/tdserver.cab


----------



## $teve (Oct 9, 2001)

DeadCityCent....welcome to T.S.G

1st thing go to add/remove programs and remove "new.net"(newdotnet)

then,check off these entries in hijackthis.......close all open IE/OE explorer windows and "fix checked"

O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_20.dll
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\BBStore\DSS\dssagent.exe
O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [Winsock2 driver] IEXPLORE.EXE
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/0837663e2b7afb...ip/RdxIE601.cab
http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -

re-boot.......... check for and delete these if they are still around:
C:\Program Files\Save {entire folder]
C:\Program Files\NewDotNet


----------



## $teve (Oct 9, 2001)

agentcooper,welcome

check the following.....close all windows and "fix checked"

O2 - BHO: (no name) - {730F2451-A3FE-4A72-938C-FC8A74F15978} - (no file)
O2 - BHO: (no name) - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sh...n/bin/cabsa.cab

re-boot,find and delete:C:\WINDOWS\UpdReg.EXE
C:\WINDOWS\System32\MSCONFIG32.EXE

http://housecall.trendmicro.com/
and do an on-line virus scan.


----------



## $teve (Oct 9, 2001)

ehurdle.....welcome to T.S.G

check these in H/T...close all windows and "fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Use Custom Search URL = 
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O4 - HKLM\..\Run: [Winsock2 driver] WINCFG.SCR
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50003/btiein.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/231c35800e2d1b...ip/RdxIE601.cab

Now restart your computer, and delete the C:\WINNT\system32\WINCFG.SCR file

take a trip here:http://housecall.trendmicro.com/
and do an on-line virus scan.


----------



## $teve (Oct 9, 2001)

SuPeRDaViD welcome to T.S.G

1st go to add/remove progs and see if there is en entry"E2Give browser add on" if its there uninstall it.

next check off these in H/T....close all browser windows and "fix checked"

O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\E2G\IeBHOs.dll
O2 - BHO: (no name) - {6ACD11BD-4CA0-4283-A8D8-872B9BA289B6} - (no file)
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: TFTP1028
O4 - Global Startup: TFTP1408
O4 - Global Startup: TFTP3328
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

re-boot,find and delete:
C:\Program Files\GetRight [entire folder]
C:\WINDOWS\System32\MSCONFIG32.EXE [file]

take a trip here:http://housecall.trendmicro.com/
and do an on-line virus scan.


----------



## tpb (Feb 27, 2001)

SuPeRDaViD

Boot into safe mode and click Start > Run > _type_ *command* and click OK. Type the following and hit enter after each.

*cd\
cd \windows
copy regedit.exe regedit.com 
start regedit.com*

Click the + next to the following keys.

*HKEY_CURRENT_USER
Software
Microsoft
Windows
Current Version*

Scroll down and right click on the *RunOnce* folder and click delete. Scroll up and click the - next to HKEY_CURRENT_USER.

Click the + next to the following keys.

*HKEY_LOCAL_MACHINE
Software
Microsoft
Windows
Current Version*

Scroll down and click on the *Run* folder. In the right hand window, right click on *MSCONFIG32.EXE* and click delete.
Close regedit.

Find MSCONFIG32.EXE and delete it.

Reboot to Windows. Then go to http://www.dougknox.com. In the left pane click on 'WinXP fixes'. Then in the main window click on 'File association fixes'. Download and run the Exe file association fix.


----------



## $teve (Oct 9, 2001)

puj....hello and welcome.

check off these entries.....close all windows and "fix"
[i dunno what this is,but it looks highly suspicious.......do you recognise it?] 
O4 - HKLM\..\Run: [MSConfig] SXTVFJLOVR.EXE

O16 - DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} (CDToolCtrl Class) - http://free.aol.com/tryaolfree/cdt175/aolcdt175.cab

like i said....if you know what SXTVFJLOVR.EXE is,and its legit,then leave it.......


----------



## DeadCityCent (Aug 7, 2003)

Hello, thanks for the help. According to Norton, I still have the virus in C:\WINDOWS\system32\IEXPLORE.EXE. I ran hijack again with the newly fixed/deleted items and this is my log.

Logfile of HijackThis v1.96.0
Scan saved at 12:11:56 PM, on 8/7/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\WINDOWS\System32\IEXPLORE.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Use Custom Search URL = dword:00000001
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googlenav0.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [Winsock2 driver] IEXPLORE.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PopupDestroyer] C:\Program Files\Popup Eraser\Popup Eraser.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] ???????\WkDetect.exe
O4 - HKCU\..\Run: [Forbes] C:\Program Files\Forbes\ForbesAlerts.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GoogleNav0.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GoogleNav0.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GoogleNav0.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GoogleNav0.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GoogleNav0.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Copernic Agent (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab


----------



## WXgeek (Aug 7, 2003)

I also have a problem. Norton found the w32.spybot.worm at msconfig32.exe. I did the hijackthis scan. This is what it came up with:

Logfile of HijackThis v1.96.0
Scan saved at 12:17:05 PM, on 8/7/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\OAKTEC~1\OAKSIM~1\OAKTASK.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\MSCONFIG32.EXE
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpCtr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_20.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [OAKSTART] C:\PROGRA~1\OAKTEC~1\OAKSIM~1\OAKSTART.EXE
O4 - HKLM\..\Run: [OAKTASK] C:\PROGRA~1\OAKTEC~1\OAKSIM~1\OAKTASK.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/01965e774d3850805c06/netzip/RdxIE601.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

I'd appreciate any help you can give me with this.


----------



## bunderhood (Aug 6, 2003)

ok...so $teve checked out my log yesterday...and everything seemed fine, but this morning, that Norton alert popped up again that said W32 Spybot worm....and I had a ton of those "message alert" popups....$teve or someone can you help me?


----------



## bunderhood (Aug 6, 2003)

Logfile of HijackThis v1.96.0
Scan saved at 10:41:59 AM, on 8/7/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\PROGRA~1\BROADJ~1\CLIENT~1\CFD.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\melissa\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,2,0.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,2,0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\elijah's converted music\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmdprovidersbc] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PopUpInspector] C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
O4 - HKLM\..\Run: [WincognitoPopUpBlocker] C:\PROGRA~1\WINCOG~1\POPUPB~1\PopUpBlocker RunAtStartUp
O4 - HKLM\..\Run: [Super Pop Up Ad Killer] C:\Program Files\NET2SOFT\Super Pop Up Ad Killer\Super Pop Up Ad Killer.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mpga: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6917EE95-20C8-455A-BE7C-8CC42D8DCBF9}: NameServer = 63.203.35.55 206.13.28.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{6917EE95-20C8-455A-BE7C-8CC42D8DCBF9}: NameServer = 63.203.35.55 206.13.28.12


----------



## $teve (Oct 9, 2001)

DeadCityCent...

did we miss this one last night or did i fail to say delete the file?
check and fix with H/T.
O4 - HKLM\..\Run: [Winsock2 driver] IEXPLORE.EXE

Now restart your computer, and delete the C:\WINDOWS\system32\IEXPLORE.EXE file

(MAKE SURE YOU GET THE EXACT PATH TO THIS FILE........C:\WINDOWS\SYSTEM32\IEXPLORER.EXE


----------



## $teve (Oct 9, 2001)

bunderhood......i cant really see anything in your logfile but i think we can safely "fix" these two.
O17 - HKLM\System\CCS\Services\Tcpip\..\{6917EE95-20C8-455A-BE7C-8CC42D8DCBF9}: NameServer = 63.203.35.55 206.13.28.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{6917EE95-20C8-455A-BE7C-8CC42D8DCBF9}: NameServer = 63.203.35.55 206.13.28.12

which popups are you refering to? and where does norton say the infected file is?


----------



## bunderhood (Aug 6, 2003)

the popups look like microsoft alerts, but they have ads in them...this is the virus: Date: 8/7/2003, Time: 11:39:12, melissa on BUNDERHOOD
The file C:\WINDOWS\system32\msconfig32.exe is infected with the W32.Spybot.Worm virus.
The file was quarantined.


----------



## $teve (Oct 9, 2001)

ok.........re-boot into safe mode(tap f8 key at the post beep)

and delete C:\WINDOWS\System32\msconfig32.exe
double check to make sure you get the exact file.


----------



## $teve (Oct 9, 2001)

as for the popups...................do they look like this?


----------



## bunderhood (Aug 6, 2003)

exactly like that


----------



## bunderhood (Aug 6, 2003)

ok...so I did what you told me...except msconfig32.exe was not there...could norton have deleted it when I quarantined?


----------



## $teve (Oct 9, 2001)

WXgeek.....welcome to T.S.G

go to add/remove programs and delete "newdotnet"

re-boot and run H/T again.

check the following......close all browser windows and "fix checked"

O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_20.dll
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
http://www.rovion.com/Controls/Rovion.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - 
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/01965e774d3850...ip/RdxIE601.cab

re-boot find and delete:C:\WINDOWS\System32\msconfig32


----------



## $teve (Oct 9, 2001)

it may have been quarantined by norton.

as for your popups.

In Control Panel, go to Administrative Tools. 
Once inside Administrative Tools...... go to Services. 
In Services...... scroll down some until you see "Messenger" - you'll want to right-click on that and hit Properties. 
Before you do anything else in that box, go to the Dependencies tab. It will take a few seconds....... but verify that nothing currently installed requires that service to run. Any dependencies for other programs will be in the bottom...... ignore the top pane. 
Chances are you won't have any dependencies....... if this is indeed the case....... your next step will be to go to the General tab. 
First, stop the service by clicking "Stop." 
Give Windows a few seconds to shut down the service. 
Then, in the dropdown list labeled "Startup type," select the Disabled option. 
Click OK.....re-boot and you should have no more popups.


edit:this has nothing whatsoever to do with msn messenger service......this is just an internal networking messenger.


----------



## theheidis (Aug 7, 2003)

Hi. Just registered. I have Win XP home, and just yesterday NAV detected the W32.SPYBOT.WORM virus in the MSCONFIG32.EXE which it cannot fix. 

Here's my problems from the past week...

First, I had the RPC problem where a message pops up at startup (cannot open TFTP____ which is a 0 byte file?) and I've had a few random RPC shutdown messages, where the computer restarts in 1 minute, always after midnight. (happened 2 nights in a row, hasn't happened again I don't know if it has anything to do with the fact that I turned on the WINXP firewall or not)

After that happened, I installed all critical updates from microsoft. 

What can I do? I'm frightened by some of the things people say to try, because with my luck I'll delete something wrong and mess everything up. I probably need step by step instructions, so if anyone has the patience to deal with me, I'd really appreciatel it. 

Anyway, I did look at Symatec's documentation on the removal of this. When I tried to do a run/regedit - it comes up for a second and then disappears....I've read other people have this problem too...and starting in safe mode is the answer...but again, this scares me... I've also read about that hijack program...should I install and run that so you guys can help me better? 

Please help?  I think I've been hacked...


----------



## KMInfinity (Aug 7, 2003)

I have tried all the steps recommended by Norton, but as others ahve noted, Norton cannot delete as called for in step three of their directions. So the worm still exists.

The worm is in c:\WINDOWS\system31\msconfig32.exe and I see it on the log. But I've been warned not to delete that file or my comp woun't be able to startup on reboot. True? I've already tried to delete it BWO My Computer and even using the command keys, but access is denied. One fairly knowledgeable friend says I'll have to wipe the HD and reload every siongle thing...  Guess I'm here hoping that's not true.)

I did download Hijack This and here's my log :

Logfile of HijackThis v1.96.0
Scan saved at 4:10:08 PM, on 8/7/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Save\Save.exe
C:\WINDOWS\System32\MSCONFIG32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\Program Files\ClockSync\Sync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Karen\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.themcnews.com/cgi-bin/ik...cgi/AppLogic+mobmainmsgvw=INBOXMN382DELIM1003
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.94-big.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.94-big.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.94-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.94-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.94-big.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.94-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.94-big.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/112ddaae1dd925fcf021/netzip/RdxIE2.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37305.4258912037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FC327B3F-377B-4CB7-8B61-27CD69816BC3} - http://www.clock-sync.com/ClockSyncAutoSYNC0009.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF749229-368B-477E-AF7C-8B3A3BF0847C}: NameServer = 151.201.0.39 151.201.0.38


----------



## $teve (Oct 9, 2001)

theheidis.welcome to T.S.G

go to http://www.tomcoyote.org/hjt/ , and download 'Hijack This!'. 
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please copy & paste its contents to the forum.

It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.


----------



## hockeyguy (Aug 7, 2003)

Hi ... joined the w32.spybot virus class of 2003 ... yikes. New to here and have read some great advice ... and wondered if someone could have a peek at my Hijack log. Thanks so much.

Logfile of HijackThis v1.96.0
Scan saved at 4:42:41 PM, on 8/7/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\WINDOWS\System32\Smtray.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\WINDOWS\System32\qttask.exe
C:\WINDOWS\System32\pctspk.exe
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\NORTON~3\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\System32\WXPUPDATE.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\CompuServe 7.0a\cstray.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Common Files\Symantec Shared\NMAIN.EXE
C:\PROGRA~1\NORTON~3\NORTON~1\navw32.exe
C:\WINDOWS\system32\cidaemon.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Use Custom Search URL = 
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\WINDOWS\Downloaded Program Files\ycomp5_0_2_1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_0_2_1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~3\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~3\NORTON~2\QDCSFS.exe /scheduler
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Winsucks8 driver] WXPUPDATE.EXE
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Billminder.lnk = C:\Program Files\quickenw\billmind.exe
O4 - Global Startup: CompuServe 7.0 Tray Icon.lnk = C:\Program Files\CompuServe 7.0a\cstray.exe
O4 - Global Startup: explorerxp.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\quickenw\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\quickenw\QWDLLS.EXE
O4 - Global Startup: RealDownload Plus.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
O9 - Extra button: CUseeMe Conferencing Companion (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Support (HKCU)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/03c100ca95cfcab33500/netzip/RdxIE2.cab
O16 - DPF: {8C285F85-0DBD-11D3-8B37-00A02459FA0F} (CuWeb CuWebConf) - http://ic2.cuseeme.com/packages/cuweb.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/Ocx/SurVid/MSSurVid.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37417.6140972222
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://carpoint.msn.com/Components/Ocx/Exterior/Outside.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/ym/yiebio5_0_2_1.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://sea2fd.sea2.hotmail.msn.com/activex/HMAtchmt.ocx


----------



## $teve (Oct 9, 2001)

KMInfinity.......check and "fix" the following:

O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/112ddaae1dd925...tzip/RdxIE2.cab

re-boot,find and delete C:\WINDOWS\system32\msconfig32.exe
C:\program files\save {folder]


----------



## $teve (Oct 9, 2001)

hockeyguy..........welcome

before you do anything can you zip and email me a copy of this one:WXPUPDATE.EXE [email protected]

check and "fix" these entries:

O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\System32\nzdd0.dll
O4 - HKLM\..\Run: [Winsucks8 driver] WXPUPDATE.EXE
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/03c100ca95cfca...tzip/RdxIE2.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/Sha...c/bin/cabsa.cab

re-boot find and delete:C:\WINDOWS\system32\msconfig32.exe


----------



## hockeyguy (Aug 7, 2003)

Thanks Steve I will do that ... look for it from sunrise4u


----------



## $teve (Oct 9, 2001)

:up:


----------



## hockeyguy (Aug 7, 2003)

Steve ... wxpupdate.exe can't be found ... also I deleted msconfig32.exe just before I wrote


----------



## $teve (Oct 9, 2001)

look in c:\windows\system32 folder
set IE to show all folders ...in windows explorer tools\view\folder option\view tab....check the "show hidden files and folders"option


----------



## hockeyguy (Aug 7, 2003)

thanks ... on it's way


----------



## $teve (Oct 9, 2001)

got it :up:


----------



## theheidis (Aug 7, 2003)

I'm back finally....

Here's my log:

Logfile of HijackThis v1.96.0
Scan saved at 6:33:53 PM, on 8/7/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Creative\News\NewsUpd.EXE
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\ipod\bin\iPodManager.exe
C:\WINDOWS\System32\MSCONFIG32.EXE
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\Creative\NOMAD Jukebox Zen (USB2.0)\PlayCenter2\CTNMRUN.EXE
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
D:\ipod\bin\iPodService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Discover deskshop Browser Helper Object - {8DB3D69D-DA5E-4165-B781-72A761790672} - C:\WINDOWS\System32\BhoDshop.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [NewsUpd] C:\Program Files\Creative\News\NewsUpd.EXE /q
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [DiscoverDeskshop] C:\Program Files\Discover Deskshop\Deskshop.exe /dontopenmycards
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iPodManager] D:\ipod\bin\iPodManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\NOMAD Jukebox Zen (USB2.0)\PlayCenter2\CTNMRUN.EXE"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: TFTP2608
O4 - Global Startup: TFTP2612
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Deskshop (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://63.102.226.240:8000/Java/cfs40300.cab
O16 - DPF: Yahoo! Trivia - http://download.games.yahoo.com/games/clients/y/tvt0_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/4.1.1/Hiwire.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1568be841425cbb9ef05/netzip/RdxIE2.cab
O16 - DPF: {61A7208D-F61E-4A04-BB36-E10EFF6DDD76} (SndRec Control) - http://www.letsmeetup.com/sound/websndrec.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0251f502ac7d00/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37838.5182175926
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DEDA29CA-3653-456E-B4C9-63A5D85D35D6} (AXVidCap Control) - http://www.letsmeetup.com/vfwencoder/AXVidCap.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.walmartphotocenter.com/photo/upload/XUpload.ocx
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/wdriver/ddc/shockwave/wtinst.cab

I recognize these two as the new problem files that "can't open" at startup...
O4 - Global Startup: TFTP2608
O4 - Global Startup: TFTP2612

What should I do?


----------



## buckaroo (Mar 25, 2001)

theheidis, close your browser and have HJT fix the following, then reboot.

O4 - Global Startup: TFTP2608
O4 - Global Startup: TFTP2612

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/1568be841425cb...tzip/RdxIE2.cab

O16 - DPF: {61A7208D-F61E-4A04-BB36-E10EFF6DDD76} (SndRec Control) - http://www.letsmeetup.com/sound/websndrec.cab

O16 - DPF: {DEDA29CA-3653-456E-B4C9-63A5D85D35D6} (AXVidCap Control) - http://www.letsmeetup.com/vfwencoder/AXVidCap.cab


----------



## Patollo (Aug 8, 2003)

Hi there, could someone please take a look at my HJT log and throw me some suggestions??

Logfile of HijackThis v1.96.0
Scan saved at 5:24:59 PM, on 07/08/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\System32\Grxp4exe.exe
C:\WINDOWS\System32\MSCONFIG32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Jetsuite\DLLCMD32.EXE
C:\Program Files\Jetsuite\JETSTAT.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\dllcache\msngr.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\system32\crypserv.exe
c:\Program Files\Jetsuite\jsdaemon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\dllcache\msngr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Ken\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.search-explorer.net/search_page.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.search-explorer.net/search_page.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search-explorer.net/search_page.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search-explorer.net/search_page.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.search-explorer.net/search_page.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O1 - Hosts: 216.40.230.4 desktop.kazaa.com
O1 - Hosts: 216.40.230.4 alpha.kazaa.com
O1 - Hosts: 216.40.230.4 shop.kazaa.com
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\Program Files\CommonName\Toolbar\CNBabe.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {8A05273A-2EA5-42DE-AA75-59EA7D9D50D7} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Gravis Xperience Driver Support] Grxp4exe.exe /init
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O4 - HKLM\..\Run: [mload] C:\WINDOWS\System32\dllcache\lxmstart.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: DllCmd32.lnk = C:\Program Files\Jetsuite\DLLCMD32.EXE
O4 - Global Startup: HP LaserJet 3100 Status.lnk = C:\Program Files\Jetsuite\JETSTAT.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Power Search - res://C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll//iemenu
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: HuntBar (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {3717DF55-0396-463D-98B7-647C7DC6898A} - http://tb-static.adpowerzone.com/mtb/toolbar.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {8A05273A-2EA5-42DE-AA75-59EA7D9D50D7} - http://www.trafficsyndicate.com/TB/Cabs/T_64/toolbar_new.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37651.5985416667
O16 - DPF: {A27CFCAE-9351-4D74-BFFC-21EB19693D8C} - http://www.xupiter.com/search2/install/XupiterToolbarLoader.cab
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://php.offshoreclicks.com/dialup_files/99950104.cab
O16 - DPF: {C7932801-AF0C-11D6-8137-0050DA5F0293} (RdxIE Class) - http://www.grokster.com/rdx/RdxIE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4283/mcfscan.cab


----------



## theheidis (Aug 7, 2003)

buckaroo - I need more help...

I checked those five, but it couldn't fix the first two, because they were "in use".

What should I do?

I ran another scan, here it is:

Logfile of HijackThis v1.96.0
Scan saved at 7:33:13 PM, on 8/7/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\ipod\bin\iPodManager.exe
C:\WINDOWS\System32\MSCONFIG32.EXE
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\Creative\NOMAD Jukebox Zen (USB2.0)\PlayCenter2\CTNMRUN.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
D:\ipod\bin\iPodService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\HPHipm09.exe
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Discover deskshop Browser Helper Object - {8DB3D69D-DA5E-4165-B781-72A761790672} - C:\WINDOWS\System32\BhoDshop.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [NewsUpd] C:\Program Files\Creative\News\NewsUpd.EXE /q
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [DiscoverDeskshop] C:\Program Files\Discover Deskshop\Deskshop.exe /dontopenmycards
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iPodManager] D:\ipod\bin\iPodManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\NOMAD Jukebox Zen (USB2.0)\PlayCenter2\CTNMRUN.EXE"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: TFTP2608
O4 - Global Startup: TFTP2612
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Deskshop (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://63.102.226.240:8000/Java/cfs40300.cab
O16 - DPF: Yahoo! Trivia - http://download.games.yahoo.com/games/clients/y/tvt0_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/4.1.1/Hiwire.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0251f502ac7d00/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37838.5182175926
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.walmartphotocenter.com/photo/upload/XUpload.ocx
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/wdriver/ddc/shockwave/wtinst.cab


----------



## ozooha (Aug 8, 2003)

I have been infected with W32.Spybot.worm and below is the logfile generated by Hijack...is there anything i need to delete?
Thank you for your time and effort.
Logfile of HijackThis v1.96.0
Scan saved at 8:48:07 PM, on 8/7/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MATLAB6p5\webserver\bin\win32\matlabserver.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\HiJack\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rediff.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Use Custom Search URL = 
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\msin.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Webster Toolbar - {9E1128F1-53FA-11d5-8490-0048548030CA} - C:\WINDOWS\Downloaded Program Files\m-wtoolbar.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.94-big.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Merriam-Webster - {9E1128F1-53FA-11D5-8490-0048548030CA} - C:\WINDOWS\Downloaded Program Files\m-wtoolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.94-big.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [Winsock2 driver] IEXPLORE.EXE
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O4 - HKLM\..\Run: [WinSetup] C:\WINDOWS\System32\msin.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: b0rg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.94-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.94-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.94-big.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.94-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.94-big.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Merriam-Webster (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Support (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/277db830fd69648cb722/netzip/RdxIE2.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1.1.54-deleon/GoogleNav.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9BB641DB-045B-42B4-BAE2-CBAAD66B0CC4} (Spotlife Composer) - http://yahoo.spotlife.net/install/composer/1.3.0.219/SLCmpser.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37565.8280787037
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.abacast.com/download/files/Abasetup.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (YBIOCtrl Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4022b.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw15fd.law15.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F798683C-FE05-436C-B0FF-35B9122E9787} - http://www.m-w.com/tools/toolbar/cabs/m-w.cab


----------



## $teve (Oct 9, 2001)

patollo.....welcome to T.S.G
check these entries.....close all browser windows and "fix checked"

O1 - Hosts: 216.40.230.4 desktop.kazaa.com
O1 - Hosts: 216.40.230.4 alpha.kazaa.com
O1 - Hosts: 216.40.230.4 shop.kazaa.com
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\Program Files\CommonName\Toolbar\CNBabe.dll (file missing)
O3 - Toolbar: (no name) - {8A05273A-2EA5-42DE-AA75-59EA7D9D50D7} - (no file)
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O4 - HKLM\..\Run: [mload] C:\WINDOWS\System32\dllcache\lxmstart.exe
O9 - Extra button: HuntBar (HKLM)
O16 - DPF: {3717DF55-0396-463D-98B7-647C7DC6898A} - http://tb-static.adpowerzone.com/mtb/toolbar.cab
O16 - DPF: {8A05273A-2EA5-42DE-AA75-59EA7D9D50D7} - http://www.trafficsyndicate.com/TB/...toolbar_new.cab
O16 - DPF: {A27CFCAE-9351-4D74-BFFC-21EB19693D8C} - http://www.xupiter.com/search2/inst...olbarLoader.cab
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://php.offshoreclicks.com/dialup_files/99950104.cab
O16 - DPF: {C7932801-AF0C-11D6-8137-0050DA5F0293} (RdxIE Class) - http://www.grokster.com/rdx/RdxIE.cab

re-boot,find and delete:
c:\windows\system32\MSCONFIG32.EXE


----------



## KMInfinity (Aug 7, 2003)

Hi $teve, and thanks for all your help so far......

here's what you had me do :


> KMInfinity.......check and "fix" the following:
> 
> O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
> O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
> ...


I used Hijack This and "fixed" the items listed. On a second scan they don't appear.

Then I rebooted, and found the two C:\ items but still could not delete them. A scan with Norton shows the worm is still in the
C:\WINDOWS\system32\msconfig32.exe
file.

Any other suggestions?

Thanks a bunch...:up:


----------



## Flrman1 (Jul 26, 2002)

KMInfinity

You will have to boot into safe mode to delete the C:\WINDOWS\system32\msconfig32.exe

See here http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 for how to start in safe mode if you don't know how.


----------



## theheidis (Aug 7, 2003)

Ok 3rd post. PLEASE HELP 

HJT cannot delete these 2 files because they are in use:

O4 - Global Startup: TFTP2608
O4 - Global Startup: TFTP2612

So it said to use task manager to end them, and then HJT to delete them. BUT!!! I cannot use task manager because it disappears right away - (ctl + alt + del) it pops up and then goes away just like when I do a run/regedit (virus!?)

I also can't start in safe mode because when I do a run/msconfig it ALSO disappears right away, so I can't restart in safe mode.

What can I do????


----------



## WXgeek (Aug 7, 2003)

Okay, thanks a lot for the help so far. I tried to delete MSconfig32 but I didn't have access to it. Do I try it again in safe mode? Also, isn't this an important file to be deleting?


----------



## Flrman1 (Jul 26, 2002)

theheidis and WXgeek 

Restart your computer in safe mode to delete the files. 

theheidis you don't have to use mcconfig to get into safe mode. Restart your computer and when the very first screen appears begin tapping the F8 key repeatedly until the boot menu screen appears. Use the arrow keys to select safe mode and press enter.


----------



## mommyto2 (Aug 8, 2003)

Guys I am so tired. I just got the message this morning regarding a virus on my computer. I have tried everything that I can think of, I get the virus alert c:\windows\system32\msconfig32.exe. It said it deleted all but one and the last one could not be repaired and access to this file is denied. I have 2 small children who need me and I have been on this all day. PLEASE HELP ME. I have read some other situations but I am at the end of my rope please. Also every few seconds the virus warning keeps popping up

mommyto2 and tired

Just downloaded Hijack and here is my copy and paste information. Please help, I'm afraid to go to bed because I'm not sure what I will find in the morning.

Logfile of HijackThis v1.96.0
Scan saved at 10:46:41 PM, on 8/7/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\PROGRA~1\SBCYAH~1\CONNEC~1\ConnectionManager.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CAPDPSRV.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\System32\MSCONFIG32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Compaq A4000\CPQA4000.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\MemTurbo\MemTurbo.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Yahoo!\browser\YBrowser.exe
C:\Documents and Settings\Joyce\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcy/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcy/defaults/sp/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcy/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dial
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcy/defaults/su/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotbar.com/dyn/hotbar/3.0/sb_searchPageHome.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Use Custom Search URL = 
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_1.dll
O2 - BHO: (no name) - {576EB0AD-6980-11D5-A9CD-0001032FEE17} - C:\Program Files\Yahoo!\Common\ycheckh.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] C:\PROGRA~1\SBCYAH~1\CONNEC~1\ConnectionManager.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [CAPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CAPDPSRV.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O4 - HKLM\..\Run: [ddi] bot.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe
O4 - Global Startup: Compaq A4000 Settings Utility.lnk = C:\Program Files\Compaq A4000\CPQA4000.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Advisor (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/1964350af4e5a38ab921/netzip/RdxIE2.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37626.6459606482
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com/components/ocx/autopricer/autopricer.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{07EFD24F-188C-457C-9F7D-564C43DC181E}: NameServer = 12.18.108.10 12.18.108.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{07EFD24F-188C-457C-9F7D-564C43DC181E}: NameServer = 12.18.108.10 12.18.108.8


----------



## wendytyo (Jun 7, 2001)

Hi everyone I am the one who started this post LOL but now i have the same virus as above but i tried to do the same as last time and nothing is the same can someone please look at my hijack this log thanks

Logfile of HijackThis v1.95.0
Scan saved at 11:32:57 PM, on 8/7/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\MSCONFIG32.EXE
C:\WINDOWS\System32\MSConfig45.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Documents and Settings\Wendy Tyo\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak=http://www.yahoo.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [MS Updates] C:\Documents and Settings\Wendy Tyo\Local Settings\Temporary Internet Files\Content.IE5\K96PWFGZ\mscache[1].exe
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O4 - HKLM\..\Run: [MSConfig45] MSConfig45.exe
O4 - HKLM\..\RunServices: [MSConfig45] MSConfig45.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: webdav.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://a19.g.akamai.net/7/19/7125/4007/ftp.coupons.com/r3120/cpbrxpie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab


----------



## theheidis (Aug 7, 2003)

I'm back again. I still have the W32.SPYBOT.WORM virus in file MSCONFIG32.EXE

After "fixing" those 5 files someone advised me to do... I've also deleted the 2 TFTP files (TFTP2612 & TFTP2608) from my startup folder and when I rebooted they didn't pop up again.

From what I'm reading, it sounds like I should go into safe mode and delete MSCONFIG32.EXE - is this correct?

If so - someone please reassure me or something, because that frightens me 

Here's my latest log:

Logfile of HijackThis v1.96.0
Scan saved at 10:48:22 PM, on 8/7/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\ipod\bin\iPodManager.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\WINDOWS\System32\MSCONFIG32.EXE
C:\Program Files\Creative\NOMAD Jukebox Zen (USB2.0)\PlayCenter2\CTNMRUN.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
D:\ipod\bin\iPodService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\HPHipm09.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Discover deskshop Browser Helper Object - {8DB3D69D-DA5E-4165-B781-72A761790672} - C:\WINDOWS\System32\BhoDshop.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [NewsUpd] C:\Program Files\Creative\News\NewsUpd.EXE /q
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [DiscoverDeskshop] C:\Program Files\Discover Deskshop\Deskshop.exe /dontopenmycards
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iPodManager] D:\ipod\bin\iPodManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\NOMAD Jukebox Zen (USB2.0)\PlayCenter2\CTNMRUN.EXE"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Deskshop (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://63.102.226.240:8000/Java/cfs40300.cab
O16 - DPF: Yahoo! Trivia - http://download.games.yahoo.com/games/clients/y/tvt0_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/4.1.1/Hiwire.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0251f502ac7d00/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37838.5182175926
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.walmartphotocenter.com/photo/upload/XUpload.ocx
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/wdriver/ddc/shockwave/wtinst.cab

Thank You!!!


----------



## SouthSideJoh (Aug 8, 2003)

I have the W32.SPYBOT.WORM virus in file MSCONFIG32.EXE

My log file looks like this what do I need to delete/fix to repair this thanks and I will donate to this board... THANKS

Logfile of HijackThis v1.96.0
Scan saved at 1:28:23 AM, on 8/8/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
C:\WINDOWS\anvshell.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\tppaldr.exe
C:\WINDOWS\System32\MSCONFIG32.EXE
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
C:\Program Files\Iconoid\iconoid.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\John F. Fisher\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Use Custom Search URL = no
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O4 - HKCU\..\Run: [Iconoid] "C:\Program Files\Iconoid\iconoid.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {10A1B95D-5E35-4935-8BC3-D43E81E8105E} - http://66.28.56.111/pornsoftware/tanyawebcam.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.norton.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://www.hot.ee/toptools/livesex.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/26cee7f12dfbdd71f517/netzip/RdxIE.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://63.93.1.67/activex/AxisCamControl.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37663.2891319444
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/asp/tools/English/bin/npseatools.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab


----------



## SuPeR DaViD (Aug 7, 2003)

In response to $teve and tpb. Who's answer should I follow? Also, a few other questions:

1) Should I turn system restore off like Norton instructs for removing this virus?
2) When you get hijack this to fix those specific files, is this at all harmful if they turn out to be clean?
3) I just did a scan of my computer with Norton and it came up with all the files that have the virus. Should I just go ahead and delete them? Or should I stick with the instructions you guys gave me?
4) Norton does not include anything in its explanation of the virus about regedit and task manager not opening. Do I have another virus causing this problem?


----------



## $teve (Oct 9, 2001)

david..........go with tbp`s instructions first,because that will restore your ability to open msconfig etc(i didnt read that part of your 1st post)
and then fix what i told you in H/T.

good luck


----------



## $teve (Oct 9, 2001)

ok,whos first?
mommyto2...welcome to T.S.G

check thse entries of in hijackthis,close all browswere windows and "fix checked"

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotbar.com/dyn/hotbar/3....rchPageHome.htm
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/1964350af4e5a3...tzip/RdxIE2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{07EFD24F-188C-457C-9F7D-564C43DC181E}: NameServer = 12.18.108.10 12.18.108.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{07EFD24F-188C-457C-9F7D-564C43DC181E}: NameServer = 12.18.108.10 12.18.108.8

you need to re-boot into safe mode(tap the f8 ky on bootup)
and delete c:\windows\system32\MSCONFIG32.EXE

now then......this one entry looks so suspicious that its laughable.
O4 - HKLM\..\Run: [ddi] bot.exe
i have to ask because i can find nothing on it. do you recognise it as a legit file?if not can you zip it and send it to me at [email protected] 
and then delete it with H/T


----------



## $teve (Oct 9, 2001)

hi wendy
check and "fix" these:

but 1st can you zip and send me this one(C:\WINDOWS\System32\MSConfig45.exe)
[email protected]

O4 - HKLM\..\Run: [MS Updates] C:\Documents and Settings\Wendy Tyo\Local Settings\Temporary Internet Files\Content.IE5\K96PWFGZ\mscache[1].exe
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O4 - HKLM\..\Run: [MSConfig45] MSConfig45.exe
O4 - HKLM\..\RunServices: [MSConfig45] MSConfig45.exe
O4 - Global Startup: webdav.exe
re-boot, into safe mode,find and delete:
C:\WINDOWS\System32\MSCONFIG32.EXE
C:\WINDOWS\System32\MSConfig45.exe

lastly,do an online A/V scan here:
http://housecall.trendmicro.com/


----------



## $teve (Oct 9, 2001)

theheidis hello again

check and "fix" these entries:

O2 - BHO: Discover deskshop Browser Helper Object - {8DB3D69D-DA5E-4165-B781-72A761790672} - C:\WINDOWS\System32\BhoDshop.dll
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [NewsUpd] C:\Program Files\Creative\News\NewsUpd.EXE /q
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/...wave/wtinst.cab

re-boot for the changes to take effect.


----------



## $teve (Oct 9, 2001)

SouthSideJohn.......welcome to T.S.G

check and "fix" these entries:

O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O16 - DPF: {10A1B95D-5E35-4935-8BC3-D43E81E8105E} - http://66.28.56.111/pornsoftware/tanyawebcam.exe:rolleyes:
O16 - DPF: {2C38A62E-D257-40E8-8BB7-5624E38FEB0A} - http://www.hot.ee/toptools/livesex.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/26cee7f12dfbdd...etzip/RdxIE.cab:D
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/Sha...c/bin/cabsa.cab

re-boot into safe mode and delete:C:\WINDOWS\System32\MSCONFIG32.EXE


----------



## $teve (Oct 9, 2001)

you will have to boot into safe mode and delete it from there.
tap the f8 key on boot up.
delete:C:\WINDOWS\system32\msconfig32.exe


----------



## Patollo (Aug 8, 2003)

Hi again, I just wanted to thank you guys for helping me rid my system of this nasty virus, I really appriciate it a lot!! 

And for all of you other folks out there who are infected and posting for help, might I suggest reading through the entire w32.spybot.worm forum. I did so and found that there were a lot of people with the same problem as me, which coincidentally have the same solution. Besides fixing the Hijack This stuff, you can do a lot of it from what these great admins/mods have told other people. They might get tired of reading about the same problem thread after thread, other than that, good luck....


----------



## mommyto2 (Aug 8, 2003)

Steve, you are a wonderful person to take time out to look over our problems and help us to figure it out step by step.

I am not sure what you are wanting me to zip to you, (and how would I zip it anyway) I know very little about the technical terms. Let me know what it is and I will do my best.

Thanks again

Mommyto2


----------



## $teve (Oct 9, 2001)

thanx mommy.................

it was this file: bot.exe should be in c:\windows system or system32 folder
if you have a program like "winzip" you could zip the file(its a bit like putting it in a bag) and e-mail it to me so we can get it annalized.
no problem if you cant do it.

good luck


----------



## theheidis (Aug 7, 2003)

Hi again $teve!

Ok, I "fixed" those you told me to. And restarted.

I still have the virus, W32.SPYBOT.WORM in msconfig32.exe
Here's my new log: (Do I have to delete msconfig32.exe in safe mode? and if so, what will that do? Hurt anything?)

Logfile of HijackThis v1.96.0
Scan saved at 1:03:37 PM, on 8/8/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\ipod\bin\iPodManager.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\Creative\NOMAD Jukebox Zen (USB2.0)\PlayCenter2\CTNMRUN.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\System32\MSCONFIG32.EXE
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
D:\ipod\bin\iPodService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\HPHipm09.exe
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [DiscoverDeskshop] C:\Program Files\Discover Deskshop\Deskshop.exe /dontopenmycards
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iPodManager] D:\ipod\bin\iPodManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\NOMAD Jukebox Zen (USB2.0)\PlayCenter2\CTNMRUN.EXE"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Deskshop (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://63.102.226.240:8000/Java/cfs40300.cab
O16 - DPF: Yahoo! Trivia - http://download.games.yahoo.com/games/clients/y/tvt0_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/4.1.1/Hiwire.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0251f502ac7d00/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37838.5182175926
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.walmartphotocenter.com/photo/upload/XUpload.ocx

THANKS!


----------



## Flrman1 (Jul 26, 2002)

theheidis

Run Cijack This again and put a check by these. Close all browser windows and "Fix Checked"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE

O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://63.102.226.240:8000/Java/cfs40300.cab

O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/i....1.1/Hiwire.cab

O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx

Yes you must restart in safe mode to delete:
The C:\WINDOWS\System32\MSCONFIG32.EXE file

Restart and at the first screen that appears begin tapping the F8 key repeatedly until it brings you to the boot options. Use the arrow keys to select "Safe Mode" and press "Enter" this will get you to safe mode.


----------



## icarus1970 (Aug 9, 2003)

Am hoping someone can help me with the virus that has infected my PC, much like many others. It is found in system32/msconfig32.exe. I ran Norton and was alble to quarantine/delete 12 viruses. Is this a new virus? I run a scan every Friday and never find anything, until today! Took advice and am currently running the trendmicro virus scan. At this point, 2 viruses have been found : TROJ JUSTIN A and ADW TENGET.A, but scan is not yet done, so it may find more. Also, these 2 are viruses that were not found by Norton on the scan I ran earlier.

Here is my copy from Hijack this and hopefully, I can get some help in getting this virus off my PC. By the way,any ideas on where/when this came about and what do I need to avoid to make sure I don't get it again?

Also, adware, how do I find/get rid of it?

Many thanks ahead of time!

Logfile of HijackThis v1.96.0
Scan saved at 1:10:26 AM, on 8/9/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\MSCONFIG32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\WeatherCast\Weather.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Speed Disk\nopdb.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Herbie\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hrtide.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cox.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll
O2 - BHO: (no name) - {80841D20-757E-4A6B-9934-2B3CB9AE83CB} - C:\WINDOWS\System32\ShowBarBHO.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar_en_1.1.70-deleon.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_1.1.70-deleon.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [QD FastAndSafe] C:\PROGRA~1\NORTON~2\QDCSFS.exe /scheduler
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [babeie] rundll32 "C:\Program Files\CommonName\Toolbar\CNBabe.dll",DllStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O4 - HKCU\..\Run: [Popup Ad Filter] C:\Program Files\Meaya\Popup Ad Filter\PopFilter.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [WeatherCast] C:\Program Files\WeatherCast\Weather.exe /q
O4 - Startup: Weather.exe.lnk = C:\Program Files\WeatherCast\Weather.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: FlashPath for SD Memory Card Status.lnk = C:\Program Files\SmartDisk\FlashPath for SD Memory Card\FPSDstat.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-deleon.dll/cmsearch.html
O8 - Extra context menu item: Allow Popups - C:\Program Files\Meaya\Popup Ad Filter\WhiteGetUrl.js
O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-deleon.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.70-deleon.dll/cmtrans.html
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:9000/Java/cfs31229.cab
O16 - DPF: ChatSpace Java Client 2.1.0.84 - http://216.0.106.14:9000/Java/cs4ms084.cab
O16 - DPF: ChatSpace Java Client 3.0.0.207 - http://surechat.com:9000/Java/cms3207.cab
O16 - DPF: Win32 Classes - 
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/3112/ftp.coupons.com/r3112/brix6ie.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (ICA Client) - http://summit-asp.com/NFuse/external/wficat.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50017/btiein.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/2...apple.com/qt502/us/win/QuickTimeInstaller.exe
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://www113.coolsavings.com/download/cscmv5X.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/deleon/1.1.58-deleon/GoogleNav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37218.8021296296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.dotphoto.com/XUpload.ocx


----------



## npetersoma (Aug 9, 2003)

Hello. I have the same problem as the others: Norton shows the spybot worm virus but cannot do anything about it. Here is my Hijack this log:
Logfile of HijackThis v1.96.0
Scan saved at 5:53:01 AM, on 8/9/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\System32\MSCONFIG32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SNFV2ODD\hijackthis[1]\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: TFTP4676
O8 - Extra context menu item: &Google Search - res://C:\WINNT\GoogleToolbar.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINNT\GoogleToolbar.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINNT\GoogleToolbar.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINNT\GoogleToolbar.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\WINNT\GoogleToolbar.dll/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

Thanks so much for any help!


----------



## $teve (Oct 9, 2001)

welcome to T.S.G NPetersoma
check the following,close all browser windows and"fix checked"

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE

re-boot into safe mode(tapping the f8 key on boot up) 
find and delete:C:\WINNT\System32\MSCONFIG32.EXE


----------



## Flrman1 (Jul 26, 2002)

icarus1970

Welcome to TSG!

First turn off system restore. You can re-enable it when the worm is gone.

Next run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll

O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch

O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll

O2 - BHO: (no name) - {80841D20-757E-4A6B-9934-2B3CB9AE83CB} - C:\WINDOWS\System32\ShowBarBHO.dll

O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

O4 - HKLM\..\Run: [babeie] rundll32 "C:\Program Files\CommonName\Toolbar\CNBabe.dll",DllStartup

O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

O16 - DPF: ChatSpace Java Client 2.1.0.84 - http://216.0.106.14:9000/Java/cs4ms084.cab

O16 - DPF: Win32 Classes -

O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/3...112/brix6ie.cab

O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50017/btiein.cab

O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://www113.coolsavings.com/download/cscmv5X.cab

IMPORTANT!!! DO NOT RESTART NORMALLY!
You must now restart in safe mode and delete:

The C:\WINNT\System32\MSCONFIG32.EXE file

If you restart normally this entry O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE is going to return and you will have to remove it again.

Also you may want to change any critical passwords as MSCONFIG32.EXE is a "Keylogger" trojan.

Then go here http://spybot.eon.net.au/index.php?lang=en&page=download and download Spybot.

Install the program and launch it.

Before scanning press "Online" and "Search for Updates" .

Put a check mark at and install all updates.

Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds.

Restart your computer.

Be sure and take advantage of the "Immunize" feature in Spybot.

Finally go here http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 for info on how this happens and how to prevent future attacks. 
On this page you will find a link to Javacool's SpywareBlaster. Get it and check for updates frequently. 
The Immunize feature in Spybot used in conjunction with SpywareBlaster will go a long way towards keeping you spyware free.


----------



## tpk (Aug 9, 2003)

Hey guys,

It sounds like you are providing an excellent service. You are very honorable for doing this in your spare time.

I'm having the same problem as others with the W32.spybot.worm virus.

Norton has detected this virus and quarentened the following files: 
aqhhqwqcwy.exe
qkqpibfxjn.exe
webdav.exe

It also detected this virus in the following 2 files, but couldn't do anything with them:
IEXPLORE.EXE
msconfig32.exe

I've done the online virus scan through trendmicro, but nothing was detected.

My Hijack This log is as follows:

Logfile of HijackThis v1.96.0
Scan saved at 12:07:01 PM, on 8/9/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\IEXPLORE.EXE
C:\WINDOWS\System32\MSCONFIG32.EXE
C:\WINDOWS\System32\tbctray.exe
C:\PROGRA~1\AIM95\aim.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC05.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC05.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC05.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC05.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC05.EXE
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC05.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC05.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC05.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC05.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC05.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC05.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZSTC05.EXE
C:\Documents and Settings\Timothy P. Kelley\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.MyJoi.net/MyJoi.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.MyJoi.net/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Joi Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - (no file)
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Winsock2 driver] IEXPLORE.EXE
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKCU\..\Run: [IM] C:\Program Files\earthlinkim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: TFTP2984
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://software.wrn.net/mp3/mp3_plugin.exe
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.samsphotoclub.com/add/XUpload.ocx

What's next? You guys are my last attempt to fix this problem before wipping my hard drive clean and starting from scratch. Thanks for the help.

Tim


----------



## $teve (Oct 9, 2001)

welcome to T.S.G Tim
check these items ,close all open browser windows and "fix checked"

O3 - Toolbar: (no name) - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - (no file)
O4 - HKLM\..\Run: [Winsock2 driver] IEXPLORE.EXE
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O4 - Global Startup: TFTP2984

re-boot......find and delete:
C:\WINDOWS\System32\IEXPLORE.EXE
C:\WINDOWS\System32\MSCONFIG32.EXE

then take a trip here:http://www.pandasoftware.com/activescan/com/activescan_principal.htm
and scan with panda.

let us know the result and if you want to post a 2nd logfile with H/T,then we can see if all is gone bye bye`s

good luck


----------



## tpk (Aug 9, 2003)

Thanks Steve.

Hijack This was unable to delte 04 - Global Startup: TFTP2984 because it was in use. I couldn't open task manager to shut down this program. Any advice?

I am reboting now in safe mode to delete the other two files, then I will scan with panda, and repost log file.

Tim


----------



## tpk (Aug 9, 2003)

Followed all your steps, rebooted, and reran Hijack This, and the following are still running on my computer:

O4 - HKLM\..\Run: [Winsock2 driver] IEXPLORE.EXE
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O4 - Global Startup: TFTP2984

As stated in the last message, I am unable to delete O4 - Global Startup: TFTP2984 using Hijack This because it says that the program is running.

Now what?

Thank you.


----------



## buckaroo (Mar 25, 2001)

See if this application will kill the processes from running and enble HJT to get them:

http://sysinternals.com/ntw2k/freeware/procexp.shtml


----------



## tpk (Aug 9, 2003)

Okay guys, here are the results.

I preformed all the steps listed by Steve above. Using Hijack This I couldn't delete O4 - Global Startup: TFTP2984. I ignored this problem and continued Steve's process. After rebooting, I ran the Panda scan and no viruses were detected. I also reran the Norton sacan and no viruses were detected. However, the following three process are still showing up in Hijack This:

O4 - HKLM\..\Run: [Winsock2 driver] IEXPLORE.EXE
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O4 - Global Startup: TFTP2984

So, I tried the sysinternals freeware and it didn't even list the above processes as running, however they still appear in hijack this.

Here is the entire Hijack This log:

Logfile of HijackThis v1.96.0
Scan saved at 2:56:47 PM, on 8/9/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\tbctray.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AIM95\aim.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Timothy P. Kelley\Desktop\Security\procexpnt\procexp.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Timothy P. Kelley\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.MyJoi.net/MyJoi.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.MyJoi.net/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Joi Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE
O4 - HKLM\..\Run: [Winsock2 driver] IEXPLORE.EXE
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKCU\..\Run: [IM] C:\Program Files\earthlinkim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: TFTP2984
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://software.wrn.net/mp3/mp3_plugin.exe
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.samsphotoclub.com/add/XUpload.ocx

So what is the verdict? Is my computer still sick or not?

Thanks,
Tim


----------



## Flrman1 (Jul 26, 2002)

icarus1970

Welcome to TSG!

First turn off system restore. You can re-enable it when the worm is gone.

Next run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll

O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch

O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll

O2 - BHO: (no name) - {80841D20-757E-4A6B-9934-2B3CB9AE83CB} - C:\WINDOWS\System32\ShowBarBHO.dll

O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe

O4 - HKLM\..\Run: [babeie] rundll32 "C:\Program Files\CommonName\Toolbar\CNBabe.dll",DllStartup

O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

O16 - DPF: ChatSpace Java Client 2.1.0.84 - http://216.0.106.14:9000/Java/cs4ms084.cab

O16 - DPF: Win32 Classes -

O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/3...112/brix6ie.cab

O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50017/btiein.cab

O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://www113.coolsavings.com/download/cscmv5X.cab

IMPORTANT!!! DO NOT RESTART NORMALLY!
You must now restart in safe mode and delete:

The C:\WINNT\System32\MSCONFIG32.EXE file

If you restart normally this entry O4 - HKLM\..\Run: [MSConfig] MSCONFIG32.EXE is going to return and you will have to remove it again.

Also you may want to change any critical passwords as MSCONFIG32.EXE is a "Keylogger" trojan.

Then go here http://spybot.eon.net.au/index.php?...n&page=download and download Spybot.

Install the program and launch it.

Before scanning press "Online" and "Search for Updates" .

Put a check mark at and install all updates.

Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds.

Restart your computer.

Be sure and take advantage of the "Immunize" feature in Spybot.

Finally go here http://www.net-integration.net/cgi-...=ST;f=38;t=3051 for info on how this happens and how to prevent future attacks. 
On this page you will find a link to Javacool's SpywareBlaster. Get it and check for updates frequently. 
The Immunize feature in Spybot used in conjunction with SpywareBlaster will go a long way towards keeping you spyware free.


----------



## buckaroo (Mar 25, 2001)

Tim, can you just go into your MSCONFIG startup folder and un-tic these app's from loading at startup, then reboot and see if they're running?


----------



## buckaroo (Mar 25, 2001)

Just a note to fellow members helping with logs......

This thread is out of control and confusing with piggy-backed posts. 

If anyone new posts, can we just direct them to start a new thread and then close this one down as soon as the remaining posts are solved?

Thanks


----------



## Flrman1 (Jul 26, 2002)

That's a good idea buckaroo but if we keep waiting we will never get a break. That is why I reposted my reply to icarus1970 to give one last chance for a reply with the results. I say once we get tpk squared away if we haven't heard from any of the other tag-alongs we just go ahead and ask the mods to close this one with instructrions to anyone that has not yet resolved the issue. 

There are a couple more I think we are going to have to do that with to. Not only does it get confusing but posts get overlooked also.


----------



## tpk (Aug 9, 2003)

I went to MSCONFIG and unchecked these 3 files from loading at startup. I restarted my computer. I got an error on startup, "Windows can not open this file: TFTP2984". Using ctrl-alt-delete none of these processes are running. Then I ran Hijack This, and guess what, 04-Global Startup: TFTP2984 is still on the log. However, the other 2 processes, IEXPLORE.EXE and MSCONFIG32.EXE are not on the Hijack This log. So, I again tried to have Hijack This fix TFTP2984, but I got the same error about this file being in use.

What should I do?


----------



## buckaroo (Mar 25, 2001)

Yeah, I know it's not easy, sometimes impossible. 

That's why I just mentioned maybe telling a new poster at this point in time to just start another thread and the once we get tpk squared away we can put this thread to bed.

(Hopefully)


----------



## buckaroo (Mar 25, 2001)

Okay Tim, according to Symantec, this should just be a zero byte folder anyway. Try this:

Windows XP 
Click Start, and then click Search. 
Click All files and folders. 
In the "All or part of the file name" box, type, or copy and paste, the file names tftp*.* 
Verify that "Look in" is set to "Local Hard Drives" or to (C: ). 
Click "More advanced options." 
Check "Search system folders." 
Check "Search subfolders." 
Click Search. 
Delete the files that are zero-bytes and contained within any folder that ends with "Startup."

Let us know, okay?


----------



## Flrman1 (Jul 26, 2002)

tpk 

Try restarting in safe mode and click Start, Run and enter explorer. Navigate to the folder C:\Documents and Settings\All Users\Start Menu\Programs\Startup and delete TFTP2984


----------



## tpk (Aug 9, 2003)

EXCELLENT work guys! The only thing left is to remove the following 3 items from my msconfig startup list:

MSCONFIG32.EXE
IEXPLORE.EXE
TFTP2984

These items are currently "un-checked" so they don't automatically start when when booting up my machine, but I would like to completely remove them from this list. How do I do that?

Here is the most recent Hijack This log file for your review:

Logfile of HijackThis v1.96.0
Scan saved at 4:24:28 PM, on 8/9/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\WINDOWS\System32\tbctray.exe
C:\PROGRA~1\AIM95\aim.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
C:\Program Files\Exif Launcher\QuickDCF.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Timothy P. Kelley\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.MyJoi.net/MyJoi.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.MyJoi.net/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Joi Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
O4 - HKCU\..\Run: [IM] C:\Program Files\earthlinkim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: officejet 6100.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://software.wrn.net/mp3/mp3_plugin.exe
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.samsphotoclub.com/add/XUpload.ocx

So what do you think? Am I finally clean?

Thanks again for the awesome help. I am looking into making a donation imediately after I post this reply.

THANK YOU!

Tim


----------



## Flrman1 (Jul 26, 2002)

Looks good to me!

IMPORTANT! Always backup the registry before attempting to make changes.

Here's how to remove the UNchecked items from Msconfig/Startup:

Open the Registry editor: Start >Run > *regedit*.

Navigate to, and examine the following 3 subkeys:

*HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run-

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices-

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run-*

Note the - (minus) sign behind Run and RunServices.
In those subkeys you'll find the Msconfig/startup entries that are UNchecked.

Highlight the ones you'd like to get rid of in the RIGHT pane, and choose 'delete'.

These keys contain the stuff that starts up from the _Registry_. 
Items that were loaded from your _Startup folder_, and are now unchecked in Msconfig can be deleted in Start/Programs/Disabled Startup Items.


----------



## Flrman1 (Jul 26, 2002)

OK guys is everyone cool with marking this one "Solved" and Closed?


----------



## buckaroo (Mar 25, 2001)

Go for it!

:up: :up: :up: :up:


----------



## ~Candy~ (Jan 27, 2001)

Anyone with a similar problem, please open a new thread


----------

