I followed all the advise in the above question id 355955 and now I am
at the point of deleting the items from Hijack, I am not sure which to
remove.
Logfile of HijackThis v1.97.7
Scan saved at 12:28:09 PM, on 6/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\AlienAutopsy\TEKS_Service.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Remote Master\Remote Master.exe
C:\program files\powerstrip\pstrip.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\IEHost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Download\Hijack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.pccreations.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.alienware.com/mothership.aspx
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar1.dll
O2 - BHO: SpoofStick BHO - {CBA74CDA-DF78-4AD9-954E-3B15D0A993DE} -
C:\Program Files\CoreStreet\SpoofStick\SpoofStickBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: SpoofStick - {4D46ED77-1429-4CF6-8F63-C84B5D710BAF} -
C:\Program Files\CoreStreet\SpoofStick\SpoofStick.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IR501 Remote Control] C:\Program Files\Remote
Master\Remote Master.exe
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager]
%SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program
Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program
Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program
Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: @btrez.dll,-4015 (HKLM)
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com/mothership.aspx
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update
Installation Engine) -
http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object)
- http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = freemanville.local
O17 - HKLM\Software\..\Telephony: DomainName = freemanville.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = freemanville.local |
Request for Question Clarification by
aceresearcher-ga
on
24 Jun 2004 13:43 PDT
Hi!
Did you lose your password to your old username?
If so, you can recover it using this page:
https://www.google.com/accounts/ForgotPasswd
Then, if you log in under your old username, you can post this
HijackThis log on the original Question:
http://answers.google.com/answers/threadview?id=355955
Then you will be able to expire or "Cancel" this Question, so that you
don't get charged for the Answer.
ace
|
Clarification of Question by
afreestyle-ga
on
24 Jun 2004 14:03 PDT
Thanks did not know about that.
|
Request for Question Clarification by
aceresearcher-ga
on
24 Jun 2004 14:21 PDT
My apologies, afreestyle.
I thought that you were saying that you were the same Customer as in
http://answers.google.com/answers/threadview?id=355955
If you are not aturnerj-ga, then you will need to get your Answer on this page.
Regards,
aceresearcher
|
Clarification of Question by
afreestyle-ga
on
24 Jun 2004 15:02 PDT
No I am just having the same issue but my HijackThis result are
differnet from aturnerj-ga.
|
Okay, let's take this step-by-step.
You've got at least one nasty vermin -- or the remnants of it -- on
your computer, the "Searchbar" scumware.
I know that you said that you followed the directions in Question
355955, but I'd like you to do the following just to be sure:
Start up AdAware. In the bottom right-hand corner, it should say
"AdAware 6.0 Personal, Build 6.181". Up above, under "Initialization
Status", it should say "Reference file 01R324 22.06.2004 loaded". If
your settings for either of these do not match, click "Check for
updates now". Once the update has completed, if one or both of these
still doesn't match the settings I listed, you may need to uninstall
AdAware, and then download and install the latest version from
http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button
Once that's installed, be sure to click "Check for updates now" to get
the latest reference files.
Once you have the latest Build and Reference file, try running AdAware
again and remove the recommended items.
Then, start up Spybot Search & Destroy. Pull down the "Help" menu and
select "About". You should see
Spybot Search & Destroy 1.3
Latest detection update: 2004-06-23.
If your settings for either of these do not match, click the "Update"
icon menu on the left-hand side of the screen, and then click on
"Search for Updates" near the top of the page. You'll need to exit
Spybot and restart it to check the "About" information page. If this
doesn't work, you may need to uninstall Spybot, and then download and
install the latest version from
http://www.safer-networking.org/index.php?page=mirrors
Once you have the latest Version and Detection Update, try running
Spybot again and remove the recommended items.
*** IMPORTANT ***
Each time you run Spybot and/or AdAware, be sure to download the
latest updates first!
*****************
Then shut your computer down, restart, run HijackThis! and post the
new log results here.
If you have any Questions about the above information, please post a
Request for Clarification, and I will be glad to see what I can do for
you.
Regards,
aceresearcher |
Request for Answer Clarification by
afreestyle-ga
on
24 Jun 2004 16:06 PDT
I noticed you did not say to turn off system restore before restart of
PC, should this be done?
|
Clarification of Answer by
aceresearcher-ga
on
24 Jun 2004 17:20 PDT
<< I noticed you did not say to turn off system restore before restart
of PC, should this be done? >>
At this point, it's not necessary, but it may be later.
|
Request for Answer Clarification by
afreestyle-ga
on
27 Jun 2004 21:03 PDT
Spybot Errors
Error during check!: Xabot (Ungültiger Datentyp für '') () DSO Exploit:
Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0\1004!=W=3 DSO Exploit:
Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1801674531-854245398-2146921017-1137\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0\1004!=W=3 DSO Exploit:
Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0\1004!=W=3 DSO Exploit:
Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0\1004!=W=3 DSO Exploit:
Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0\1004!=W=3 ---
Spybot - Search && Destroy version: 1.3 --- 2004-06-16
Includes\Cookies.sbi 2004-06-16 Includes\Dialer.sbi 2004-06-17
Includes\Hijackers.sbi 2004-06-16 Includes\Keyloggers.sbi 2004-05-12
Includes\LSP.sbi 2004-06-16 Includes\Malware.sbi 2004-06-16
Includes\Revision.sbi 2004-06-16 Includes\Security.sbi 2004-06-16
Includes\Spybots.sbi 2004-06-16 Includes\Tracks.uti 2004-06-16
Includes\Trojans.sbi
HighJackthis Log
|
Request for Answer Clarification by
afreestyle-ga
on
27 Jun 2004 21:04 PDT
HijackThis
Logfile of HijackThis v1.97.7
Scan saved at 9:03:08 PM, on 6/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\AlienAutopsy\TEKS_Service.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Remote Master\Remote Master.exe
C:\program files\powerstrip\pstrip.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\IEHost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Download\Hijack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.pccreations.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.alienware.com/mothership.aspx
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar1.dll
O2 - BHO: SpoofStick BHO - {CBA74CDA-DF78-4AD9-954E-3B15D0A993DE} -
C:\Program Files\CoreStreet\SpoofStick\SpoofStickBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: SpoofStick - {4D46ED77-1429-4CF6-8F63-C84B5D710BAF} -
C:\Program Files\CoreStreet\SpoofStick\SpoofStick.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IR501 Remote Control] C:\Program Files\Remote
Master\Remote Master.exe
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager]
%SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program
Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program
Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program
Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: @btrez.dll,-4015 (HKLM)
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com/mothership.aspx
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update
Installation Engine) -
http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object)
- http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = freemanville.local
O17 - HKLM\Software\..\Telephony: DomainName = freemanville.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = freemanville.local
|
Clarification of Answer by
aceresearcher-ga
on
29 Jun 2004 10:33 PDT
Run HijackThis! again, checkmark this item, and have HJT remove it:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
file://C:\WINDOWS\System32\SearchBar.htm
Then reboot your computer in safe mode. Symantec has a great
instruction page on Starting your computer in Safe mode:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
Then, follow Symantec's instructions on How to show hidden files and
protected operating system files in Windows:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/20020927152623
Then delete this folder:
c:\Program Files\Toolbar
Restart your computer and see if this has solved your SearchBar
problem. Please post a Clarification here letting me know whether this
has done the trick for you.
Thanks,
ace
|
Request for Answer Clarification by
afreestyle-ga
on
01 Jul 2004 11:08 PDT
c:\Program Files\Toolbar
This folder is not present in safe mode nor regular mode.
I have followed all the instructions to a "t".
|
Clarification of Answer by
aceresearcher-ga
on
01 Jul 2004 11:35 PDT
Okay, if you haven't already rebooted your computer, please do so,
then run HijackThis again and post your new log here.
|
Request for Answer Clarification by
afreestyle-ga
on
01 Jul 2004 12:15 PDT
Logfile of HijackThis v1.97.7
Scan saved at 12:14:45 PM, on 7/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\AlienAutopsy\TEKS_Service.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Remote Master\Remote Master.exe
C:\program files\powerstrip\pstrip.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\IEHost.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Download\Hijack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.pccreations.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.alienware.com/mothership.aspx
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar1.dll
O2 - BHO: SpoofStick BHO - {CBA74CDA-DF78-4AD9-954E-3B15D0A993DE} -
C:\Program Files\CoreStreet\SpoofStick\SpoofStickBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: SpoofStick - {4D46ED77-1429-4CF6-8F63-C84B5D710BAF} -
C:\Program Files\CoreStreet\SpoofStick\SpoofStick.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IR501 Remote Control] C:\Program Files\Remote
Master\Remote Master.exe
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager]
%SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program
Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program
Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program
Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: @btrez.dll,-4015 (HKLM)
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com/mothership.aspx
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update
Installation Engine) -
http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object)
- http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = freemanville.local
O17 - HKLM\Software\..\Telephony: DomainName = freemanville.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = freemanville.local
|
Clarification of Answer by
aceresearcher-ga
on
01 Jul 2004 13:46 PDT
Are you currently experiencing any negative symptoms or behavior on your computer?
If so, what are they?
Thanks,
ace
|
Request for Answer Clarification by
afreestyle-ga
on
01 Jul 2004 14:27 PDT
Popups and minimized windows the say stuff like "media18.fastclick"
when you try to expand the windows does nothing, so the only option is
to right click and close.
|
Clarification of Answer by
aceresearcher-ga
on
01 Jul 2004 14:29 PDT
Fastclick popups are typically from sites that you visit.
Are you currently running any ad-blocking or popup-blocking software?
|
Request for Answer Clarification by
afreestyle-ga
on
01 Jul 2004 15:02 PDT
When I clicked on the link from Outlook to go to your reply. I got a
popup for University of Phoenix.
Right clicked popup and selected properties
http://cdn2.adsdk.com/CDN/63655/GradFamilySouthernCaliforni720x300.gif
I am running spybot, adaware, spywareblaster, and google toolbar.
|
Clarification of Answer by
aceresearcher-ga
on
01 Jul 2004 17:21 PDT
Have you checked with Microsoft lately to be sure that you have
installed any critical new security-related Windows pdate patches that
have been released?
You can find out if there are any available by going here:
http://v4.windowsupdate.microsoft.com/en/default.asp
Install any critical patches it may tell you that you need. Then
reboot your computer.
Download, install, and run CoolWebShredder (scroll down to find it):
http://www.spywareinfo.com/~merijn/downloads.html
Then reboot, run HijackThis again, and post the HJT log here.
|
Request for Answer Clarification by
afreestyle-ga
on
05 Jul 2004 13:42 PDT
I did as instructed. All critical patches were applied. I ran
CWShredder it found one thing one the first pass, I could not see what
it was due to the fact that the program crashed. I rebooted the system
and ran CWShredder again it stated system was clean. I also updated
Adaware to 7/5/04 and ran again it only found cookies.
Logfile of HijackThis v1.97.7
Scan saved at 1:31:07 PM, on 7/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\AlienAutopsy\TEKS_Service.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Remote Master\Remote Master.exe
C:\program files\powerstrip\pstrip.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\IEHost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\userinit.exe
C:\Download\Hijack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.pccreations.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.alienware.com/mothership.aspx
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar2.dll
O2 - BHO: SpoofStick BHO - {CBA74CDA-DF78-4AD9-954E-3B15D0A993DE} -
C:\Program Files\CoreStreet\SpoofStick\SpoofStickBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: SpoofStick - {4D46ED77-1429-4CF6-8F63-C84B5D710BAF} -
C:\Program Files\CoreStreet\SpoofStick\SpoofStick.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -
c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IR501 Remote Control] C:\Program Files\Remote
Master\Remote Master.exe
O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager]
%SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program
Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program
Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://C:\Program
Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program
Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page -
res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program
Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program
Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English -
res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: @btrez.dll,-4015 (HKLM)
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com/mothership.aspx
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update
Installation Engine) -
http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object)
- http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = freemanville.local
O17 - HKLM\Software\..\Telephony: DomainName = freemanville.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = freemanville.local
|
Clarification of Answer by
aceresearcher-ga
on
07 Jul 2004 08:39 PDT
afreestyle,
I'm doing a little research on your Question, and will post another
Clarification soon.
Thanks,
ace
|
Clarification of Answer by
aceresearcher-ga
on
09 Jul 2004 13:12 PDT
It looks to me as though the remaining processes are all processes you
chose to install -- although the fact that there are so many of them
is likely degrading your computer's performance. Several of them
probably don't need to run at Startup, if they aren't used that often
and you're willing to click an icon to start them when they are
needed. It's also possible that one of them has snuck adware into
their executable in exchange for a tidy kickback from an adserver
company.
Try changing your home page to whatever you'd like it to be. Shut down
and restart your computer, and see if your home page is still that
page, or if it has changed back to SearchBar.
|
,
1 Comment
)
