# winpup32.exe



## guennevere (Jun 16, 2003)

i have the trojan virus winpup32.exe but it is located in my system folder and i can't seem to delete it manually (i've tried spybot, adaware and norton and they don't help). anyone know how i can get rid of this?


----------



## brendandonhu (Jul 8, 2002)

Try deleting it in safe mode.


----------



## LatinStinger (Jun 18, 2003)

After running your virus program like panda, Mcaffee,(which have the ability to quarantine winpup32.exe Trojan), Norton doesn't, at least not right now.

1. Just open task manager and stop the winpup32.exe process. 
2. Then go to dos and type c:\windows\system32\
3. run Attrib -r -s -a winpup32.exe and press enter
4. Then type Del winpup32.exe and press enter
5. its gone.


----------



## guennevere (Jun 16, 2003)

thank you brandon, the safe mode did the trick.
sorry latinstinger, thought i removed the post.
thanks again!


----------



## brendandonhu (Jul 8, 2002)

[tsg=yourewelcome][/tsg]


----------



## Gadjo (Jul 20, 2003)

First of all, please excuse my poor english, it'snt my mother-language.

I read the informations here above, but no one works! I work with NT 4.0 pack 6 and it doesn't work. Norton find the trojan but can't erase it. When it starts, it appears lot of (about 30) download windows, and to stop it, Ctrl -Alt- del is right. It happen when I use IExplorer, but it'snt systematic. I can't say the reason why winpup32 starts.I find it in "c:\winnt\profiles\Administrateur\Local Settings\Temporary internet files\" and delete it. After, following Norton's instructions , I look in my registry and I can't find the entry with winpup32 ...

Wath can I do ... Please help me ... thanks.


----------



## TonyKlein (Aug 26, 2001)

It's not hard to remove. Please do the following:

Go to http://www.tomcoyote.org/hjt/ , and download 'Hijack This!'. 
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please show us its contents.

Most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.


----------



## Diablito (Jul 21, 2003)

I just used the HiJack to scan and saved the log. I hope someone will help me in taking a look at the log results. Thanks. Would you need my comp info? Sony... touchpad... etc?


----------



## TonyKlein (Aug 26, 2001)

Just post the Hijack This log here. It will tell us all we need to know.


----------



## Gadjo (Jul 20, 2003)

Here is the result of the Hijack program: I hope i can help me:

Logfile of HijackThis v1.95.1
Scan saved at 14:03:28, on 21/07/03
Platform: Windows NT 4 SP6 (WinNT 4.00.1381)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

(...)

Thanks.


----------



## TonyKlein (Aug 26, 2001)

In Hijack This, check ALL of the following items. Doublecheck so as to be sure not to miss a single one.
Next, close _all_ browser Windows, and have HT fix all checked.

*R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ok-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ok-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ok-search.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.inge.freeservers.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ok-search.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ok-search.com/search.html

O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch

O2 - BHO: (no name) - {10955232-B671-11D7-8066-0040F6F477E4} - C:\WINNT\whattn.dll
O2 - BHO: (no name) - {136A9D1D-1F4B-43D4-8359-6F2382449255} - C:\RECYCLER\S-1-5-~1\DC10\SuperBar.Dll (file missing)
O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINNT\System\BHO001.DLL
O2 - BHO: (no name) - {D7D7004C-A763-4F8C-B0D4-55A7E017E69D} - C:\WINNT\newones.dll

O3 - Toolbar: (no name) - {69550BE2-9A78-11D2-BA91-00600827878D} - C:\WINNT\System32\shdocvw.dll
O3 - Toolbar: SuperBar - {56E8CEBE-B153-11D7-94EF-00A0248E9A2D} - C:\RECYCLER\S-1-5-~1\DC10\SuperBar.Dll (file missing)

O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinStart001.EXE] C:\WINNT\System\WinStart001.EXE -b

O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - 
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://216.65.38.226/Download_Plugin.exe

O16 - DPF: {DCF0768D-BA7A-101A-B57A-0000C0C3ED5F} - http://media.windowsmediasolutions..../downloader.cab*

Now *restart* your computer, and delete the C:\WINNT\System\WinStart001.EXE file.

Finally, download Spybot - Search & Destroy, if you haven't already got the program.

Now press Settings, and Settings again.
Go to the Webupdate section, and check "Display also available beta versions".

Now press *Online*, and search for, put a check mark at, and install *all updates*.

Next, _close_ all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.

Now restart your computer.

NOTE: Don't be taken aback by the fact that you will have installed so called "Beta" updates.
Unlike is the case with some of its competitors, SpyBot updates are first issued as betas for a few days in order to iron out possible problems.
These are extremely rare, and these updates are absolutely reliable.


----------



## Gadjo (Jul 20, 2003)

thank you very much ... I 'll try it.


----------



## Diablito (Jul 21, 2003)

Thanks for the help!!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.blackfoot.net/home/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://totalinternet.snap.com:8005/channel/search/0,11,totalinternet-0,00.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blackfoot.net/home/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {267D5BD3-0DC2-4724-A196-7F4794FBB9EB} - C:\WINNT\newones.dll
O2 - BHO: (no name) - {66F67511-2665-4C34-9E20-FAC2C0954EF2} - C:\WINNT\whattt.dll
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\MediaLoads Enhanced\ME2.DLL
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [S3Hotkey] s3hotkey.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICONSPY.EXE
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\Client\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [ZTgServerSwitch] C:\Program Files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [win32app] C:\WINNT\System32\winpup32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [keyman.exe] C:\PROGRA~1\TAVULT~1\Keyman\keyman.exe
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPSWF32.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{43BBF056-FF32-4F26-A71B-DCA01A6B723D}: NameServer = 12.32.34.32 12.32.34.33


----------



## brendandonhu (Jul 8, 2002)

Run HijackThis again and click the _scan_ button. 
Put a checkmark next to *all* of the following items, and click _Fix Checked_.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://totalinternet.snap.com:8005/...ernet-0,00.html

O2 - BHO: (no name) - {267D5BD3-0DC2-4724-A196-7F4794FBB9EB} - C:\WINNT\newones.dll

O2 - BHO: (no name) - {66F67511-2665-4C34-9E20-FAC2C0954EF2} - C:\WINNT\whattt.dll

O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\MediaLoads Enhanced\ME2.DLL

O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\Client\bin\tgcmd.exe" /server /nosystray

O4 - HKLM\..\Run: [ZTgServerSwitch] C:\Program Files\support.com\client\lserver\server.vbs

O4 - HKLM\..\Run: [MediaLoads Installer] "C:\Program Files\DownloadWare\dw.exe" /H

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [win32app] C:\WINNT\System32\winpup32.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{43BBF056-FF32-4F26-A71B-DCA01A6B723D}: NameServer = 12.32.34.32 12.32.34.33

Reboot, and run Spybot Search & Destroy to finish the job.


----------



## TonyKlein (Aug 26, 2001)

After rebooting you also want to delete the C:\WINNT\System32\winpup32.exe file itself.


----------



## Diablito (Jul 21, 2003)

I'll run it and let you know. Thanks alot!


----------



## Diablito (Jul 21, 2003)

That seemed to have done the trick. Thanks!!


----------



## brendandonhu (Jul 8, 2002)

:up:


----------



## TonyKlein (Aug 26, 2001)

Excellent!


----------



## North Pole (Jul 26, 2003)

Hello, I too have been infected with the winpup32 trojan. Just wondering if I can have someone look at my log file from Hijack This. I tried Norton, Mcafee, Adaware, Spybot, I'm very frustrated at this point. Thanks in advance. Hope i can be of help on this forum. looks great.

Logfile of HijackThis v1.95.1
Scan saved at 11:01:00 AM, on 7/26/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Andy Stock\Desktop\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O1 - Hosts: 66.159.20.80 www1.ndhosting.com
O1 - Hosts: 66.159.20.80 www3.ndhosting.com
O1 - Hosts: 66.159.20.80 www2.ndhosting.com
O1 - Hosts: 66.159.20.80 www.ndhosting.com
O1 - Hosts: 66.159.20.80 www.kinghost.com
O1 - Hosts: 66.159.20.80 kinghost.com
O1 - Hosts: 66.159.20.80 www1.kinghost.com
O1 - Hosts: 66.159.20.80 www2.kinghost.com
O1 - Hosts: 66.159.20.80 www3.kinghost.com
O1 - Hosts: 66.159.20.80 www4.kinghost.com
O1 - Hosts: 66.159.20.80 www5.kinghost.com
O1 - Hosts: 66.159.20.80 www6.kinghost.com
O1 - Hosts: 66.159.20.80 www7.kinghost.com
O1 - Hosts: 66.159.20.80 www8.kinghost.com
O1 - Hosts: 66.159.20.80 www9.kinghost.com
O1 - Hosts: 66.159.20.80 www10.kinghost.com
O1 - Hosts: 66.159.20.80 www.smutserver.com
O1 - Hosts: 66.159.20.80 smutserver.com
O1 - Hosts: 66.159.20.80 www1.smutserver.com
O1 - Hosts: 66.159.20.80 www2.smutserver.com
O1 - Hosts: 66.159.20.80 www16.smutserver.com
O1 - Hosts: 66.159.20.80 www3.smutserver.com
O1 - Hosts: 66.159.20.80 www4.smutserver.com
O1 - Hosts: 66.159.20.80 www5.smutserver.com
O1 - Hosts: 66.159.20.80 www6.smutserver.com
O1 - Hosts: 66.159.20.80 www7.smutserver.com
O1 - Hosts: 66.159.20.80 www8.smutserver.com
O1 - Hosts: 66.159.20.80 www9.smutserver.com
O1 - Hosts: 66.159.20.80 www10.smutserver.com
O1 - Hosts: 66.159.20.80 www11.smutserver.com
O1 - Hosts: 66.159.20.80 www12.smutserver.com
O1 - Hosts: 66.159.20.80 www13.smutserver.com
O1 - Hosts: 66.159.20.80 www14.smutserver.com
O1 - Hosts: 66.159.20.80 www15.smutserver.com
O1 - Hosts: 66.159.20.80 www17.smutserver.com
O1 - Hosts: 66.159.20.80 www18.smutserver.com
O1 - Hosts: 66.159.20.80 www19.smutserver.com
O1 - Hosts: 66.159.20.80 www20.smutserver.com
O1 - Hosts: 66.159.20.80 www21.smutserver.com
O1 - Hosts: 66.159.20.80 www22.smutserver.com
O1 - Hosts: 66.159.20.80 www23.smutserver.com
O1 - Hosts: 66.159.20.80 www24.smutserver.com
O1 - Hosts: 66.159.20.80 www25.smutserver.com
O1 - Hosts: 66.159.20.80 www26.smutserver.com
O1 - Hosts: 66.159.20.80 www27.smutserver.com
O1 - Hosts: 66.159.20.80 www28.smutserver.com
O1 - Hosts: 66.159.20.80 www29.smutserver.com
O1 - Hosts: 66.159.20.80 www30.smutserver.com
O1 - Hosts: 66.159.20.80 www31.smutserver.com
O1 - Hosts: 66.159.20.80 www32.smutserver.com
O1 - Hosts: 66.159.20.80 agreathost.net
O1 - Hosts: 66.159.20.80 www.agreathost.net
O1 - Hosts: 66.159.20.80 hotfreehost.com
O1 - Hosts: 66.159.20.80 www.hotfreehost.com
O1 - Hosts: 66.159.20.80 greatfreehost.com
O1 - Hosts: 66.159.20.80 www.greatfreehost.com
O1 - Hosts: 66.159.20.80 freesmutpages.com
O1 - Hosts: 66.159.20.80 www.freesmutpages.com
O1 - Hosts: 66.159.20.80 apornhost.com
O1 - Hosts: 66.159.20.80 www.apornhost.com
O1 - Hosts: 66.159.20.80 nasty-pages.com
O1 - Hosts: 66.159.20.80 www.nasty-pages.com
O1 - Hosts: 66.159.20.80 sexyfreehost.com
O1 - Hosts: 66.159.20.80 www.sexyfreehost.com
O1 - Hosts: 66.159.20.80 x4web.com
O1 - Hosts: 66.159.20.80 www.x4web.com
O1 - Hosts: 66.159.20.80 sexplanets.com
O1 - Hosts: 66.159.20.80 www.sexplanets.com
O1 - Hosts: 66.159.20.80 maxismut.com
O1 - Hosts: 66.159.20.80 www.maxismut.com
O1 - Hosts: 66.159.20.80 tgpfriendly.com
O1 - Hosts: 66.159.20.80 www.tgpfriendly.com
O1 - Hosts: 66.159.20.80 tgp-server.com
O1 - Hosts: 66.159.20.80 www.tgp-server.com
O1 - Hosts: 66.159.20.80 magnaplza.com
O1 - Hosts: 66.159.20.80 www.magnaplza.com
O1 - Hosts: 66.159.20.80 free-xxx-server.com
O1 - Hosts: 66.159.20.80 www.free-xxx-server.com
O1 - Hosts: 66.159.20.80 libereco.net
O1 - Hosts: 66.159.20.80 www.libereco.net
O1 - Hosts: 66.159.20.80 0190-dialer.com
O1 - Hosts: 66.159.20.80 www.0190-dialer.com
O1 - Hosts: 66.159.20.80 xxxod.net
O1 - Hosts: 66.159.20.80 www.xxxod.net
O1 - Hosts: 66.159.20.80 altsights.com
O1 - Hosts: 66.159.20.80 www.altsights.com
O1 - Hosts: 66.159.20.80 adulthosting.com
O1 - Hosts: 66.159.20.80 www.adulthosting.com
O1 - Hosts: 66.159.20.80 superhova.com
O1 - Hosts: 66.159.20.80 www.superhova.com
O1 - Hosts: 66.159.20.80 bestpornhost.com
O1 - Hosts: 66.159.20.80 www.bestpornhost.com
O1 - Hosts: 66.159.20.80 hostingfree.com
O1 - Hosts: 66.159.20.80 www.hostingfree.com
O1 - Hosts: 66.159.20.80 xfreehosting.com
O1 - Hosts: 66.159.20.80 www.xfreehosting.com
O1 - Hosts: 66.159.20.80 blinghosting.com
O1 - Hosts: 66.159.20.80 www.blinghosting.com
O1 - Hosts: 66.159.20.80 x-x-x-hosting.com
O1 - Hosts: 66.159.20.80 www.x-x-x-hosting.com
O1 - Hosts: 66.159.20.80 pornparks.com
O2 - BHO: (no name) - {10955232-B671-11D7-8066-0040F6F477E4} - C:\WINDOWS\whattn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D7D7004C-A763-4F8C-B0D4-55A7E017E69D} - C:\WINDOWS\newones.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6686C5E2-E59A-4512-A71A-CBD623D820FE}: NameServer = 207.194.161.3 207.194.161.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{6686C5E2-E59A-4512-A71A-CBD623D820FE}: NameServer = 207.194.161.3 207.194.161.4


----------



## Flrman1 (Jul 26, 2002)

Hi North Pole

Welcome to TSG!

Run Hijack This again and put a check by these. Doublecheck to be sure and not miss a single one. Close all browser windows and "Fix Checked"

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

O1 - Hosts: 66.159.20.80 www1.ndhosting.com
O1 - Hosts: 66.159.20.80 www3.ndhosting.com
O1 - Hosts: 66.159.20.80 www2.ndhosting.com
O1 - Hosts: 66.159.20.80 www.ndhosting.com
O1 - Hosts: 66.159.20.80 www.kinghost.com
O1 - Hosts: 66.159.20.80 kinghost.com
O1 - Hosts: 66.159.20.80 www1.kinghost.com
O1 - Hosts: 66.159.20.80 www2.kinghost.com
O1 - Hosts: 66.159.20.80 www3.kinghost.com
O1 - Hosts: 66.159.20.80 www4.kinghost.com
O1 - Hosts: 66.159.20.80 www5.kinghost.com
O1 - Hosts: 66.159.20.80 www6.kinghost.com
O1 - Hosts: 66.159.20.80 www7.kinghost.com
O1 - Hosts: 66.159.20.80 www8.kinghost.com
O1 - Hosts: 66.159.20.80 www9.kinghost.com
O1 - Hosts: 66.159.20.80 www10.kinghost.com
O1 - Hosts: 66.159.20.80 www.smutserver.com
O1 - Hosts: 66.159.20.80 smutserver.com
O1 - Hosts: 66.159.20.80 www1.smutserver.com
O1 - Hosts: 66.159.20.80 www2.smutserver.com
O1 - Hosts: 66.159.20.80 www16.smutserver.com
O1 - Hosts: 66.159.20.80 www3.smutserver.com
O1 - Hosts: 66.159.20.80 www4.smutserver.com
O1 - Hosts: 66.159.20.80 www5.smutserver.com
O1 - Hosts: 66.159.20.80 www6.smutserver.com
O1 - Hosts: 66.159.20.80 www7.smutserver.com
O1 - Hosts: 66.159.20.80 www8.smutserver.com
O1 - Hosts: 66.159.20.80 www9.smutserver.com
O1 - Hosts: 66.159.20.80 www10.smutserver.com
O1 - Hosts: 66.159.20.80 www11.smutserver.com
O1 - Hosts: 66.159.20.80 www12.smutserver.com
O1 - Hosts: 66.159.20.80 www13.smutserver.com
O1 - Hosts: 66.159.20.80 www14.smutserver.com
O1 - Hosts: 66.159.20.80 www15.smutserver.com
O1 - Hosts: 66.159.20.80 www17.smutserver.com
O1 - Hosts: 66.159.20.80 www18.smutserver.com
O1 - Hosts: 66.159.20.80 www19.smutserver.com
O1 - Hosts: 66.159.20.80 www20.smutserver.com
O1 - Hosts: 66.159.20.80 www21.smutserver.com
O1 - Hosts: 66.159.20.80 www22.smutserver.com
O1 - Hosts: 66.159.20.80 www23.smutserver.com
O1 - Hosts: 66.159.20.80 www24.smutserver.com
O1 - Hosts: 66.159.20.80 www25.smutserver.com
O1 - Hosts: 66.159.20.80 www26.smutserver.com
O1 - Hosts: 66.159.20.80 www27.smutserver.com
O1 - Hosts: 66.159.20.80 www28.smutserver.com
O1 - Hosts: 66.159.20.80 www29.smutserver.com
O1 - Hosts: 66.159.20.80 www30.smutserver.com
O1 - Hosts: 66.159.20.80 www31.smutserver.com
O1 - Hosts: 66.159.20.80 www32.smutserver.com
O1 - Hosts: 66.159.20.80 agreathost.net
O1 - Hosts: 66.159.20.80 www.agreathost.net
O1 - Hosts: 66.159.20.80 hotfreehost.com
O1 - Hosts: 66.159.20.80 www.hotfreehost.com
O1 - Hosts: 66.159.20.80 greatfreehost.com
O1 - Hosts: 66.159.20.80 www.greatfreehost.com
O1 - Hosts: 66.159.20.80 freesmutpages.com
O1 - Hosts: 66.159.20.80 www.freesmutpages.com
O1 - Hosts: 66.159.20.80 apornhost.com
O1 - Hosts: 66.159.20.80 www.apornhost.com
O1 - Hosts: 66.159.20.80 nasty-pages.com
O1 - Hosts: 66.159.20.80 www.nasty-pages.com
O1 - Hosts: 66.159.20.80 sexyfreehost.com
O1 - Hosts: 66.159.20.80 www.sexyfreehost.com
O1 - Hosts: 66.159.20.80 x4web.com
O1 - Hosts: 66.159.20.80 www.x4web.com
O1 - Hosts: 66.159.20.80 sexplanets.com
O1 - Hosts: 66.159.20.80 www.sexplanets.com
O1 - Hosts: 66.159.20.80 maxismut.com
O1 - Hosts: 66.159.20.80 www.maxismut.com
O1 - Hosts: 66.159.20.80 tgpfriendly.com
O1 - Hosts: 66.159.20.80 www.tgpfriendly.com
O1 - Hosts: 66.159.20.80 tgp-server.com
O1 - Hosts: 66.159.20.80 www.tgp-server.com
O1 - Hosts: 66.159.20.80 magnaplza.com
O1 - Hosts: 66.159.20.80 www.magnaplza.com
O1 - Hosts: 66.159.20.80 free-xxx-server.com
O1 - Hosts: 66.159.20.80 www.free-xxx-server.com
O1 - Hosts: 66.159.20.80 libereco.net
O1 - Hosts: 66.159.20.80 www.libereco.net
O1 - Hosts: 66.159.20.80 0190-dialer.com
O1 - Hosts: 66.159.20.80 www.0190-dialer.com
O1 - Hosts: 66.159.20.80 xxxod.net
O1 - Hosts: 66.159.20.80 www.xxxod.net
O1 - Hosts: 66.159.20.80 altsights.com
O1 - Hosts: 66.159.20.80 www.altsights.com
O1 - Hosts: 66.159.20.80 adulthosting.com
O1 - Hosts: 66.159.20.80 www.adulthosting.com
O1 - Hosts: 66.159.20.80 superhova.com
O1 - Hosts: 66.159.20.80 www.superhova.com
O1 - Hosts: 66.159.20.80 bestpornhost.com
O1 - Hosts: 66.159.20.80 www.bestpornhost.com
O1 - Hosts: 66.159.20.80 hostingfree.com
O1 - Hosts: 66.159.20.80 www.hostingfree.com
O1 - Hosts: 66.159.20.80 xfreehosting.com
O1 - Hosts: 66.159.20.80 www.xfreehosting.com
O1 - Hosts: 66.159.20.80 blinghosting.com
O1 - Hosts: 66.159.20.80 www.blinghosting.com
O1 - Hosts: 66.159.20.80 x-x-x-hosting.com
O1 - Hosts: 66.159.20.80 www.x-x-x-hosting.com
O1 - Hosts: 66.159.20.80 pornparks.com

O2 - BHO: (no name) - {10955232-B671-11D7-8066-0040F6F477E4} - C:\WINDOWS\whattn.dll

O2 - BHO: (no name) - {D7D7004C-A763-4F8C-B0D4-55A7E017E69D} - C:\WINDOWS\newones.dll (file missing)

O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)

O17 - HKLM\System\CCS\Services\Tcpip\..\{6686C5E2-E59A-4512-A71A-CBD623D820FE}: NameServer = 207.194.161.3 207.194.161.4

O17 - HKLM\System\CS1\Services\Tcpip\..\{6686C5E2-E59A-4512-A71A-CBD623D820FE}: NameServer = 207.194.161.3 207.194.161.4

Restart your computer.

Now download Spybot here http://www.tomcoyote.org/SPYBOT/ if you haven't already got the program.

Install the program and launch it.

Now press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.
That should remove most of your spy/adware.

Now restart your computer.

Be sure and take advantage of the "Immunize" feature in Spybot.

Also go here http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 for info on how to help prevent future attacks. On this page you will find a link to Javacool's SpywareBlaster. Get it also and keep it updated frequently.


----------



## North Pole (Jul 26, 2003)

THANK-YOU, THANK-YOU,THANK-YOU I read just about every thing I could find under Google about this trojan and was getting very annoyed. I also tried reading the HighJack This tutorial from the forum, but my pc skills are quit limited. I don't like having to ask for help but this one had me. Your time and effort is greatly appreciated Flrman 1.

Oh it's nice to be surfing the web without ALL those pop-ups!!! :up:


----------



## Flrman1 (Jul 26, 2002)

You're Welcome! Glad to help.  

Happy Surfing!


----------



## zombiecore (Jul 27, 2003)

hey, Im having trouble with this trogan much like everyone else. I ran the hijackthis...If you could maybe possibley look at my log file and try to help, i would more than consider having your children. .heh, Thanks

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ANALOG DEVICES\SOUNDMAX\SMTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SBNET\SHOWBEHIND.EXE
C:\PROGRAM FILES\SUPERBAR\SBHC.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\MEDIA\MEDIA\UPDATESTATS.EXE
C:\PROGRAM FILES\NETRATINGS\PREMETER\PRMT.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WINSERVN.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\WINDOWS\PROFILES\MOTHER\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.jetseeker.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.jetseeker.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*[url]http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*[url]http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*[url]http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.ieplugin.com/q.cgi?q=%s (obfuscated)
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\SYSTEM\BTIEIN.DLL
O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\IPINSIGT.DLL
O2 - BHO: (no name) - {00000580-C637-11D5-831C-00105AD6ACF0} - C:\WINDOWS\MSVIEW.DLL
O2 - BHO: (no name) - {A096A159-4E58-45A9-8EE6-B11466851181} - C:\WINDOWS\MSIEBHO.DLL
O2 - BHO: Natural Language Navigation - {60E78CAC-E9A7-4302-B9EE-8582EDE22FBF} - C:\WINDOWS\SYSTEM\BHO001.DLL
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - (no file)
O2 - BHO: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\SYSTB.DLL
O2 - BHO: (no name) - {136A9D1D-1F4B-43D4-8359-6F2382449255} - C:\PROGRAM FILES\SUPERBAR\SUPERBAR.DLL
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\BTLINK.DLL
O2 - BHO: (no name) - {2B3452C5-1B9A-440F-A203-F6ED0F64C895} - C:\WINDOWS\REM00001.DLL
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\PROGRAM FILES\NAVEXCEL\NAVHELPER\V2.0.2\NHELPER.DLL
O2 - BHO: (no name) - {ABBA9A00-BEDA-11D7-AE9D-0010B5C0CBDD} - C:\WINDOWS\SYSTEM\BINITPKI.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {8FB0F3E2-5193-11d7-9F88-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll
O3 - Toolbar: Intelligent Explorer - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINDOWS\SYSTB.DLL
O3 - Toolbar: SuperBar - {7533A7A0-B5D5-11D7-AE9D-0010B5C0CBDD} - C:\PROGRAM FILES\SUPERBAR\SUPERBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe C:\PROGRA~1\AIM95\DeadAIM.ocm,ExportedCheckODLs
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [SENTRY] C:\WINDOWS\SENTRY.exe
O4 - HKLM\..\Run: [WINSTART001.EXE] C:\WINDOWS\System\WINSTART001.EXE -b
O4 - HKLM\..\Run: [ShowBehind] C:\WINDOWS\SBNET\SHOWBEHIND.EXE 
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [SBHC] C:\Program Files\SuperBar\sbhc.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe
O4 - HKLM\..\Run: [Premeter] C:\PROGRA~1\NETRAT~1\PREMETER\PRMT.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\SYSTEM\winservn.exe
O8 - Extra context menu item: Power Search - res://C:\PROGRAM FILES\COMMON FILES\MSIETS\MSIELINK.DLL//iemenu
O8 - Extra context menu item: Ask Jeeves Search - javascript:external.menuArguments.location.href="javascript:AskBarcommand='cmd-search-selection'"
O8 - Extra context menu item: Dictionary Search - javascript:external.menuArguments.location.href="javascript:AskBarcommand='cmd-search-selection-word'"
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: IMI (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37673.5266666667
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq.com/falco/SysQuery.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.logitech.com/companion/logitech/ver1.3.1.2083/bin/imvid.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50003/btiein.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.lyricsdomain.com/download.mp3.exe
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: ChatSpace Full Java Client 2.1.0.84 (dldisplay Class) - http://about.chatspace.com/Java/cs4fs084.cab
O16 - DPF: {4855C21B-E452-4661-A702-ED3493CE74DF} - http://sp.ask.com/docs/toolbar/download/askbar-inst.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521958} - http://216.12.201.239/adcampaigns/webplugin.cab


----------



## TonyKlein (Aug 26, 2001)

That's a lovely spyware collection you have there... 

I suggest you do the following:

Download Spybot - Search & Destroy

After installing, _first_ press *Online*, and search for, put a check mark at, and install *all updates*.
Next, _close_ all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds.

That ought to get rid of most of your spyware.

When you've done all that, re-run Hijack This, and give us a fresh log.


----------



## wacka101 (Jul 28, 2003)

Hi, can you guys help me out?

Logfile of HijackThis v1.95.1
Scan saved at 11:00:02 PM, on 7/27/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\windows\system32\win32us.exe
C:\PROGRA~1\COMMON~2\Toolbar\winnet.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\WINDOWS\System32\EXPLORER.EXE
C:\WINDOWS\System32\winservn.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\PROGRA~1\COMMON~2\Toolbar\comwiz.exe
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
c:\progra~1\Support.com\client\bin\tgcmd.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\System32\taskmgr.exe
D:\Winamp3\winamp3.exe
D:\Kazaa Lite\kazaalite.kpp
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.msn.co
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sandiego.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.sony.com/vaiopeople
O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\Toolbar\cnbabe.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\lserver\server.vbs
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [WinampAgent] "D:\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [win32us] c:\windows\system32\win32us.exe /noconnect
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\Toolbar\winnet.exe
O4 - HKLM\..\Run: [KAZAA] "D:\Kazaa Lite\kpp.exe" "D:\Kazaa Lite\kazaalite.kpp" /SYSTRAY
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\System32\EXPLORER.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\System32\winservn.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: Real-time Monitor.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O8 - Extra context menu item: Send Image to Photo Library - file://C:\Program Files\MGI\MGI PhotoSuite III SE\Temp\MGI00000.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {AE6CEFA8-1223-4337-8D94-977268FF9AA0} (DownloadUL Class) - http://www.********com/includes/Download_UL.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...com/audit/includes/ContentAuditControl_v3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://http.gamezone.tukati.com/tukati/1.7.20.20/tukati.cab
O16 - DPF: {FF054BED-D972-4215-897E-726C3488DDBB} (sonyctl.sonycm) - http://supportcentral.sel.sony.com/sdccommon/download/sonyctl.CAB

Thanks


----------



## TonyKlein (Aug 26, 2001)

Wacka101,

In Hijack This, check ALL of the following items. Doublecheck so as to be sure not to miss a single one.
Next, close _all_ browser Windows, and have HT fix all checked.

*O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - C:\PROGRA~1\COMMON~2\Toolbar\cnbabe.dll

O4 - HKLM\..\Run: [win32us] c:\windows\system32\win32us.exe /noconnect
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\Toolbar\winnet.exe
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\System32\EXPLORER.EXE
O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\System32\winservn.exe

O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {AE6CEFA8-1223-4337-8D94-977268FF9AA0} (DownloadUL Class) - http://www.********com/includes/Download_UL.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - *

Now *restart* your computer, and delete:

The C:\windows\system32\win32us.exe file
The C:\Program Files\Commonname folder
The C:\WINDOWS\*System32*\EXPLORER.EXE file (This is a trojan. NOTE: Do NOT touch the Explorer.exe file in C:\Windows, which is obviously a vital Windows file! )
The C:\WINDOWS\System32\winservn.exe file

Finally, download Spybot - Search & Destroy

After installing, _first_ press *Online*, and search for, put a check mark at, and install *all updates*.

Next, _close_ all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds.

Cheers,


----------



## TechOpie (Jul 28, 2003)

Sorry about posting in the same thread (I am new here). But thanks for your advice I am now "WINPUP32.EXE" free. In the future I will start a new thread with my question.


Opie


----------



## TonyKlein (Aug 26, 2001)

No prob! 

Glad to hear it helped.


----------



## BlueDog2 (Jun 15, 2003)

Help. I am having a related problem. I am getting a mountain of popups every so often on my system. When I manually run Anti-Virus 2001, it finds nothing, and there is nothing in quarantine. Every so often however, I get the following error message...

Trojan.Adclicker virus is in 
c:\documents and settings\larry mandelberg\local settings\tempoary internet files\content.ie5\896jcpif\winpup32[1].exe

I cannot find a service, process, or file that seems to be related to the problem.

Can anyone HELP me!?!

Thanks...


----------



## Flrman1 (Jul 26, 2002)

BlueDog2

Go here http://www.tomcoyote.org/hjt/ and download Hijack This. Un Zip it and click on the Hijachthis.exe.

Click the "Scan" button when the scan is finished the scan button will become "Save Log" click that and save the log.

Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

Do NOT have Hijack This fix anything yet. Most of what it finds will be harmless. Someone here will be glad to advise you on what to fix.


----------



## BlueDog2 (Jun 15, 2003)

As instructed...

Logfile of HijackThis v1.95.1
Scan saved at 2:57:01 PM, on 7/28/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\RoamMgr.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\winservn.exe
C:\Apps\Palm\HOTSYNC.EXE
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Documents and Settings\Larry Mandelberg\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mytec.teconline.com/login/asp/mytecwelcome.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\System32\winservn.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Apps\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab


----------



## Flrman1 (Jul 26, 2002)

Run Hijack This again and put a check by this one. Close all browser windows and "Fix Checked"

O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\System32\winservn.exe

Restart your computer and delete 
The C:\WINDOWS\System32\winservn.exe file

Here is info on winservn.exe.

http://www.cexx.org/winservs.htm


----------



## Flrman1 (Jul 26, 2002)

Also empty the c:\documents and settings\larry mandelberg\local settings\tempoary internet files


----------



## BlueDog2 (Jun 15, 2003)

Flrmn1,

Thanks. All instructions have been executed. I will watch and wait for a bit. I assure you, a donation WILL be made once I have some confidence that my system has been 'cleaned' Thanks you once again very much for your prompt help. Keep up the good work...


----------



## Flrman1 (Jul 26, 2002)

My Pleasure!  :up:


----------



## TonyKlein (Aug 26, 2001)




----------



## Atmosphere (Jul 30, 2003)

hi guys im new here and need help with this as well...i ran spybot first then hijack and this is what i got

Logfile of HijackThis v1.95.1
Scan saved at 2:45:54 PM, on 7/30/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM+\AIM+.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Orlando\Desktop\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.lycos.com/msie4.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sandiego.cox.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_50.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [RunAlert] C:\Program Files\MSI\PC Alert III\AService.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_0.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0251f502ac7d00/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37645.9737384259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## TonyKlein (Aug 26, 2001)

It's a pretty trim log.

First, go to Add/Remove programs, and see whethe New.Net(Domains) is still listed.
If so, uninstall the program.

Whether it is or isn't, subsequently run Hijack This, and have it fix the following items:

O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_50.dll

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - 


Cheers,


----------



## izzyschwartz (Aug 1, 2003)

Hi all,

This is my log. Thanks for the help!

Logfile of HijackThis v1.96.0
Scan saved at 2:48:06 PM, on 8/1/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\runservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\devldr32.exe
C:\WINNT\TWAIN_32\D66U\D066UUTY.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\3dhq Tools\v_ctrl.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\System32\internat.exe
C:\WINNT\System32\RunDLL32.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\ICQ\Icq.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Jasc Software Inc\Paint Shop Pro 7\psp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\svchost.exe
C:\Documents and Settings\Robin Nicole Schwart\Local Settings\Temporary Internet Files\Content.IE5\M5SBEDI5\winpup32[1].exe
C:\Documents and Settings\Robin Nicole Schwart\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.usatoday.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchassistant.iwon.com/srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Use Custom Search URL = 
R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\Program Files\Xupiter\XTSearch.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {267D5BD3-0DC2-4724-A196-7F4794FBB9EB} - C:\WINNT\newones.dll
O2 - BHO: (no name) - {66F67511-2665-4C34-9E20-FAC2C0954EF2} - C:\WINNT\whattt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar1.dll
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [D066UUtility] C:\WINNT\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [Excite Private Messenger Pipe] C:\Program Files\Excite\PrvtMsgr\bin\x8IMPipe.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [xv_crtl] C:\Program Files\3dhq Tools\v_ctrl.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [win32app] C:\WINNT\System32\winpup32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINNT\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Reality Fusion GameCam SE.lnk = C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
O8 - Extra context menu item: &Google Search - res://C:\WINNT\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINNT\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINNT\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINNT\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\WINNT\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0DD4833D-DFFA-11D3-94D7-0050DAC353B6} (DndCtrl Class) - http://www.ofoto.com/OfotoDND.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://download.iwon.com/ct/pm3/iwonpm_3_1,0,2,5.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9A19966F-AE0E-4699-8CCE-9B6F5F1C352C} (NPKXSite Control) - http://kr.pristontale.com/nprotect/keycrypt/npkxsite.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DCF0768D-BA7A-101A-B57A-0000C0C3ED5F} - http://bins.whazit.com/trinsic/downloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab


----------



## Flrman1 (Jul 26, 2002)

Hi izzyschwartz

Welcome to TSG!

Run Hijack This again and put a check by these. Close all browser windows and "Fix Checked"

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Use Custom Search URL = 

R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\Program Files\Xupiter\XTSearch.dll (file missing)

O2 - BHO: (no name) - {267D5BD3-0DC2-4724-A196-7F4794FBB9EB} - C:\WINNT\newones.dll

O2 - BHO: (no name) - {66F67511-2665-4C34-9E20-FAC2C0954EF2} - C:\WINNT\whattt.dll

O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [win32app] C:\WINNT\System32\winpup32.exe

O16 - DPF: {DCF0768D-BA7A-101A-B57A-0000C0C3ED5F} - http://bins.whazit.com/trinsic/downloader.cab

Restart your computer in safe mode and delete:
The C:\WINNT\System32\winpup32.exe file

See here http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 for how to start in safe mode if you don't know how.

Now download Spybot here http://spybot.eon.net.au/index.php?...n&page=download if you haven't already got the program.

Install the program and launch it.

Now press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds.
That should remove most of your spy/adware.

Now restart your computer.

Be sure and take advantage of the "Immunize" feature in Spybot.It will help protect you from future attacks.

Also go here http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 for info on how this happens and how to help prevent it. On this page you will find a link to Javacool's SpywareBlaster. Get it and install it . Be sure to check for udates frequently. These two together will go a long way toward keeping you spyware free.


----------



## kniestedt (Aug 20, 2003)

Hi - New user here. I am trying to figure out what things are, and are not, supposed to be on our computer. We have two hard drives in one pc, so I don't know if the HiJackThis will scan both? But here is a copy of what we have. Could you help in letting us know which are things we can (and should) get rid of? Also, I have another question about the processes that are running when you go into task manager under processes, but I don't know that this is the thread to ask that question...?

Here is a copy of the log from Hijackthis:

Logfile of HijackThis v1.96.1
Scan saved at 7:13:55 PM, on 8/19/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\PCI Audio Applications\Mixer.exe
D:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINNT\System32\winpup32.exe
C:\WINNT\MSMGT.exe
C:\Program Files\Xupiter\XupiterStartup2003.exe
C:\Program Files\Xupiter\XTCfgLoader.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\WinZip\WINZIP32.EXE
D:\PROGRA~1\WINZIP\wzqkpick.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.online.obee.com/cebank/start.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.ieplugin.com/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.ieplugin.com/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.ieplugin.com/q.cgi?q=%s
R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\Program Files\Xupiter\XTSearch.dll
O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - C:\WINNT\host.dll
O2 - BHO: (no name) - {2662BDD7-05D6-408F-B241-FF98FACE6054} - C:\Program Files\Xupiter\XTUpdate.dll
O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINNT\systb.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Xupiter - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\Program Files\Xupiter\XupiterToolbar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [hpsjbmgr] C:\SCANJET\PrecisionScanLT\hpsjbmgr.exe
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
O4 - HKLM\..\Run: [dqzelatf] C:\WINNT\System32\dqzelatf.exe
O4 - HKLM\..\Run: [fmazhvzc] C:\WINNT\System32\fmazhvzc.exe
O4 - HKLM\..\Run: [hpxsioqw] C:\WINNT\System32\hpxsioqw.exe
O4 - HKLM\..\Run: [ayvoyhaq] C:\WINNT\System32\ayvoyhaq.exe
O4 - HKLM\..\Run: [qybgqvsj] C:\WINNT\System32\qybgqvsj.exe
O4 - HKLM\..\Run: [sdzovjul] C:\WINNT\System32\sdzovjul.exe
O4 - HKLM\..\Run: [twbppljn] C:\WINNT\System32\twbppljn.exe
O4 - HKLM\..\Run: [uysjqqbo] C:\WINNT\System32\uysjqqbo.exe
O4 - HKLM\..\Run: [lhukdpud] C:\WINNT\System32\lhukdpud.exe
O4 - HKLM\..\Run: [coravyhx] C:\WINNT\System32\coravyhx.exe
O4 - HKLM\..\Run: [huzlibob] C:\WINNT\System32\huzlibob.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] D:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [win32app] C:\WINNT\System32\winpup32.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O4 - HKLM\..\Run: [MemoryMeter] C:\Program Files\Memory Meter\MemoryMeter.exe
O4 - HKLM\..\Run: [MSMGT] C:\WINNT\MSMGT.exe
O4 - HKLM\..\Run: [XupiterStartup] C:\Program Files\Xupiter\XupiterStartup2003.exe
O4 - HKLM\..\Run: [XupiterCfgLoader] C:\Program Files\Xupiter\XTCfgLoader.exe
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra 'Tools' menuitem: IMI (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TURB8105/turbo.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TURB8105/payload2.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download2.abetterinternet.com/download/cabs/MPB18106/button.cab
O16 - DPF: {43B70AAD-23F4-4FD8-ADD9-441D8592EEB8} (Snapfish Fix Photo Control) - http://www.snapfish.com/SnapfishImageEditor.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/17817348836fdf5f4118/netzip/RdxIE601.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://download.spywarelabs.com/install/1203030306/VBouncerOuter1203.EXE
O16 - DPF: {E6D5237D-A6C7-4C83-A67F-F9F15586FA62} - http://www.spyblast.com/download/SBFull.cab


----------



## Flrman1 (Jul 26, 2002)

kniestedt

Welcome to TSG!

Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.ieplugin.com/search.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.ieplugin.com/search.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.ieplugin.com/search.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.ieplugin.com/search.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.ieplugin.com/q.cgi?q=%s

R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\Program Files\Xupiter\XTSearch.dll

O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - C:\WINNT\host.dll

O2 - BHO: (no name) - {2662BDD7-05D6-408F-B241-FF98FACE6054} - C:\Program Files\Xupiter\XTUpdate.dll

O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll

O2 - BHO: (no name) - {69135BDE-5FDC-4B61-98AA-82AD2091BCCC} - C:\WINNT\systb.dll (file missing)

O3 - Toolbar: Xupiter - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\Program Files\Xupiter\XupiterToolbar.dll

O4 - HKLM\..\Run: [win32app] C:\WINNT\System32\winpup32.exe

O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe

O4 - HKLM\..\Run: [MemoryMeter] C:\Program Files\Memory Meter\MemoryMeter.exe

O4 - HKLM\..\Run: [MSMGT] C:\WINNT\MSMGT.exe

O4 - HKLM\..\Run: [XupiterStartup] C:\Program Files\Xupiter\XupiterStartup2003.exe

O4 - HKLM\..\Run: [XupiterCfgLoader] C:\Program Files\Xupiter\XTCfgLoader.exe

O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com...B8105/turbo.cab

O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com...05/payload2.cab

O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download2.abetterinternet.co...8106/button.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/17817348836fdf...ip/RdxIE601.cab

O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab

O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://download.spywarelabs.com/ins...erOuter1203.EXE

O16 - DPF: {E6D5237D-A6C7-4C83-A67F-F9F15586FA62} - http://www.spyblast.com/download/SBFull.cab

______________________________________________

I don't recognize any of these and I cannot find anything on them. I suspect that they are all viral so I suggest you get rid of them if you do not know what they are.

O4 - HKLM\..\Run: [dqzelatf] C:\WINNT\System32\dqzelatf.exe
O4 - HKLM\..\Run: [fmazhvzc] C:\WINNT\System32\fmazhvzc.exe
O4 - HKLM\..\Run: [hpxsioqw] C:\WINNT\System32\hpxsioqw.exe
O4 - HKLM\..\Run: [ayvoyhaq] C:\WINNT\System32\ayvoyhaq.exe
O4 - HKLM\..\Run: [qybgqvsj] C:\WINNT\System32\qybgqvsj.exe
O4 - HKLM\..\Run: [sdzovjul] C:\WINNT\System32\sdzovjul.exe
O4 - HKLM\..\Run: [twbppljn] C:\WINNT\System32\twbppljn.exe
O4 - HKLM\..\Run: [uysjqqbo] C:\WINNT\System32\uysjqqbo.exe
O4 - HKLM\..\Run: [lhukdpud] C:\WINNT\System32\lhukdpud.exe
O4 - HKLM\..\Run: [coravyhx] C:\WINNT\System32\coravyhx.exe
O4 - HKLM\..\Run: [huzlibob] C:\WINNT\System32\huzlibob.exe
____________________________________________________

Restart your computer in safe mode and delete:

The C:\WINNT\System32\winpup32.exe file
The C:\WINNT\wupdt.exe file
the C:\Program Files\Memory Meter folder

Also be sure that in Folder Options > View you have it set to Show hidden files before trying to find and delete the files.

See here http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 for info on how to start in safe mode if you don't know how.

Go here: http://housecall.trendmicro.com/ and do an online virus scan.

Then go here http://spybot.eon.net.au/index.php?lang=en&page=download and download Spybot.

Install the program and launch it.

Before scanning press "Online" and "Search for Updates" .

Put a check mark at and install all updates.

Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds.

Restart your computer.

Be sure and take advantage of the "Immunize" feature in Spybot.

Finally go here http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 for info on how this happens and how to prevent future attacks. 
On this page you will find a link to Javacool's SpywareBlaster. Get it and check for updates frequently. 
The Immunize feature in Spybot used in conjunction with SpywareBlaster will go a long way toward keeping you spyware free.

Come back here and let us know the outcome of the virus scan.

And post another log.


----------



## kniestedt (Aug 20, 2003)

Either I have no computer skills, or my computer is evil. Or maybe both.

Okay, so I did everything you had said with the HiJackThis and will have the *new* log at the end of this post. But, I was not able to do the online virus check (I kept getting an error message after 95% of the start of it had "loaded" saying something about internet traffic or some such nonsense).

Then tried to load spyware stuff and was able to download but can not install. I get errors for those saying either the file is corrupt and to obtain a new file (tried that) and the other error I have gotten from similar downloads (different names, virtually same product) was that it wasn't a WIN32 product. ARGH! Dumb computers. That's all I have to say (can you tell I am tired, and more than a little frustrated with our pc?)

We've been having problems with this pc for about a year now and have replaced EVERYTHING now that I am aware of. So, when I saw this trojan on here, I thought, HEY! Maybe THIS is part of the problem...

Any suggestions on some next steps? *fingers crossed*

Thank you so much for your help already, and thank you in advance for your guidance. What a great site you have here! Sure wish we would have found this sooner!!!

Here is the new report from HijackThis:

Logfile of HijackThis v1.96.0
Scan saved at 1:14:45 AM, on 8/20/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP3 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\PCI Audio Applications\Mixer.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [hpsjbmgr] C:\SCANJET\PrecisionScanLT\hpsjbmgr.exe
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] D:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2002.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra 'Tools' menuitem: IMI (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {4169B5A0-9048-11D6-BDFF-00C0F024AF20} - http://www.jasons-toolbox.com/BrowserSecurity/ActiveXTester/ActiveXTester.ocx
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## Flrman1 (Jul 26, 2002)

I don't really see anything left in your log.

I am guessing here but I think that all those unknown files (from your first log reposted below) are the source of the problem.

O4 - HKLM\..\Run: [dqzelatf] C:\WINNT\System32\dqzelatf.exe
O4 - HKLM\..\Run: [fmazhvzc] C:\WINNT\System32\fmazhvzc.exe
O4 - HKLM\..\Run: [hpxsioqw] C:\WINNT\System32\hpxsioqw.exe
O4 - HKLM\..\Run: [ayvoyhaq] C:\WINNT\System32\ayvoyhaq.exe
O4 - HKLM\..\Run: [qybgqvsj] C:\WINNT\System32\qybgqvsj.exe
O4 - HKLM\..\Run: [sdzovjul] C:\WINNT\System32\sdzovjul.exe
O4 - HKLM\..\Run: [twbppljn] C:\WINNT\System32\twbppljn.exe
O4 - HKLM\..\Run: [uysjqqbo] C:\WINNT\System32\uysjqqbo.exe
O4 - HKLM\..\Run: [lhukdpud] C:\WINNT\System32\lhukdpud.exe
O4 - HKLM\..\Run: [coravyhx] C:\WINNT\System32\coravyhx.exe
O4 - HKLM\..\Run: [huzlibob] C:\WINNT\System32\huzlibob.exe

I have a couple of suggestions.

First I would try running a virus scan in safe mode. First in normal mode make sure all your virus definitions are up to date and then boot into safe mode and do a scan.

If still no joy I would try locating each of the files above (in safe mode) and rename every one of them. For instance this one C:\WINNT\System32\dqzelatf.exe rename to dqzelatf.old

If that corrects the problem go back and delete those files.
Let me know how it goes.


----------



## gland22 (Aug 20, 2003)

hey i used hijackthis and here's my log...i was wondering if you could tell me exactly what i have to do now? thanks

Logfile of HijackThis v1.96.1
Scan saved at 1:41:17 PM, on 8/20/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TFNF5.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\toshiba\ivp\ism\pinger.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINDOWS\System32\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Fonts\Backup\Msgsrv.exe
C:\WINDOWS\Winsrv.com
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.saddle-creek.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=Explorer.exe Winsrv.com
F1 - win.ini: run=Winsrv.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {08351226-6472-43BD-8A40-D9221FF1C4CE} - C:\Program Files\SideStep\SbCIe026.dll
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_20.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 20
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
O4 - HKLM\..\Run: [Winsrv] Winsrv.com
O4 - HKLM\..\Run: [Msgsrv] C:\WINDOWS\Msgsrv.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [Configuration Loader] iexplore.exe
O4 - HKLM\..\RunServices: [Winsrv] Winsrv.com
O4 - HKLM\..\RunServices: [Configuration Loader] iexplore.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: SideStep (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/1416c4ce06593fa2b202/netzip/RdxIE2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002082001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {C7932801-AF0C-11D6-8137-0050DA5F0293} (RdxIE Class) - http://www.grokster.com/rdx/RdxIE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.logitech.com/companion/bin/imvid.cab


----------



## DrMoney (Aug 25, 2003)

I have tried sybot, adaware and others to get rid of this trojan. Could someone look at this hijackthis.log and tell me what I should delete? Thanks.:

Logfile of HijackThis v1.96.2
Scan saved at 12:30:28 PM, on 8/25/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\America Online 8.0a\aoltray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Office97\Office\OSA.EXE
C:\Program Files\Sprint PCS\Download Manager\DLMgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Christine Morant\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srng.net/search/9885/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9885&s=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=131067
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9885&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srng.net/search/9885/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - (no file)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: HTML Source Editor - {05BBB56A-2A69-4a5c-BFDA-43295DD67434} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\winy.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2ab29b} - C:\Program Files\Srng\SNHelper.dll (file missing)
O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\E2G\IeBHOs.dll
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll
O2 - BHO: (no name) - {65C8C1F5-230E-4DC9-9A0D-F3159A5E7778} - C:\Program Files\POP\pop161.dll (file missing)
O2 - BHO: (no name) - {702AD576-FDDB-4d0f-9811-A43252064684} - C:\Program Files\Common Files\OE\toolbar.dll
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O2 - BHO: (no name) - {D48F2E28-68E2-4920-9848-D6E6C7AB3EB7} - C:\Program Files\Common Files\OE\redirector.dll
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Search Toolbar - {702AD576-FDDB-4d0f-9811-A43252064684} - C:\Program Files\Common Files\OE\toolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [RVP] "C:\Program Files\RVP\bpc.exe"
O4 - HKLM\..\Run: [srng] \Program Files\Srng\Srng.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKLM\..\Run: [win32app] C:\WINDOWS\System32\winpup32.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Internet Washer Pro] C:\PROGRA~1\INTERN~2\iw.exe min
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0a\aoltray.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Office97\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Office97\Office\OSA.EXE
O4 - Global Startup: Sprint PCS Download Manager.lnk = ?
O4 - Global Startup: Verizon Online.lnk = C:\Program Files\Verizon Online\VOLSW\Verizon Online.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ClientDownLoad3 - http://www.phonefree.com/download/ClientDownload3.cab
O16 - DPF: DigiChat Applet - http://host.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/DMO1/aess2.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://mf.hud.gov:63001/CFIDE/classes/CFJava.cab
O16 - DPF: {10000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TURB8106/turbo.cab?id=9109343
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install011.exe
O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/TURB8106/payload2.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50023/QDow.cab
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://i.rn11.com/iwasher/pptproactauthmirror/internetwasherpro.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521958} - http://www.winaplasmatvnow.com/winy2.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/2406451f8b4f7c31c700/netzip/RdxIE2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37834.6996296296
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2F2B9D0-96B9-4B25-B90C-636ECB207D18} - http://www.getweathercast.com/WUInstCAST.cab
O16 - DPF: {E6D5237D-A6C7-4C83-A67F-F9F15586FA62} (SBFullInst Control) - http://www.spyblast.com/download/SBFull.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1F242101-6AA5-43CB-BF65-050C1BDC6BB0}: NameServer = 199.45.32.43 199.45.32.38


----------



## Flrman1 (Jul 26, 2002)

DrMoney

Please go here http://forums.techguy.org/showthread.php?s=&threadid=140111&perpage=&pagenumber=4 to the main page of the Security forum and click on "New Thread" and start your own thread.

ATTENTION!!!!

Anyone who has posted in this thread and has been overlooked or anyone who is about to post in this thread that needs help with a Hijack This log.

Please start your own thread. You will get help quicker. It is always better to start your own thread as these threads that have been going on and on get very confusing and many people get lost in the shuffle. Also many of the techs that come here will be looking for new threads and not likely to see your post buried in here.

I am going to ask the mods to close this thread.


----------



## ~Candy~ (Jan 27, 2001)

http://forums.techguy.org/showthread.php?s=&threadid=159310

Just an FYI, Dr. Money had already........


----------

