| ||
| ads234 is driving me NUTS

Here is my log: I think! Ads 234 is absolutely driving me insane. Please help!

Logfile of HijackThis v1.98.2
Scan saved at 1:47:53 PM, on 11/15/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Creative\SBLive2k\Creative Diagnostics 2.0\DIAGENT.EXE
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\documents and settings\deanna arceneaux\local settings\temp\4k.exe
C:\documents and settings\deanna arceneaux\local settings\temp\OPo.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINNT\Plaxo\1.4.2.25\InstallStub.exe
C:\PROGRA~1\AIM\aim.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Deanna Arceneaux\Local Settings\Temporary Internet Files\Content.IE5\BI4RR10D\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://government.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://batonrouge.cox.net/cci/home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Deanna Arceneaux\Local Settings\Temp\M5N.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive2k\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [4k.exe] C:\documents and settings\deanna arceneaux\local settings\temp\4k.exe
O4 - HKLM\..\Run: [OPo.exe] C:\documents and settings\deanna arceneaux\local settings\temp\OPo.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINNT\Plaxo\1.4.2.25\InstallStub.exe -a
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Global Startup: CorelCENTRAL 10.lnk = C:\Program Files\Corel\WordPerfect Office 2002\Programs\CCWin10.exe
O4 - Global Startup: D-Link AirPlus.lnk = C:\Program Files\D-Link AirPlus\AirPlus.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .ASP: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/1...L/PhPSetup.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/u...5/sdcregie.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/24a8ceaaf39a503...p/RdxIE601.cab
O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactive Training\O10C\mitm0026.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://images.ancestry.com/asfiles/f...l/MFImgVwr.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/system...SysProfLcd.CAB
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll |
| ||
| Re: ads234 is driving me NUTS

OK- a couple of things first:

1. You are running HijackThis from within a Temp/Temporary folder. As part of the process of cleaning your infections, you are going to delete all data stored in your Temp folders (you have infections lurking in those folders), so you need to move HijackThis into its own separate folder which does not reside within a Temp folder. Put HijackThis in a new folder such as C:\HijackThis or C:\spyware tools\HijackThis. You should also move any other data in your \Local Settings\Temporary Internet Files folder that you might want to keep into their own folders as well.

2. Your log indicates that you had an instance of Internet Explorer open/running when you ran HijackThis:

C:\Program Files\Internet Explorer\iexplore.exe

HJT cannot perform all of its fixes unless you close all instances of your web browser.

3. After moving HJT to its own folder, do the following (yes it's lengthy, but it will help):

A) Run a full anti-virus scan, making sure that your anti-virus program is using the most current virus definition updates.

B) Download and run Ad Aware and SpyBot Search & Destroy (download links are in my sig below). Follow these directions for configuring Ad Aware (directions courtesy of our member "crunchie"):

1. Download and Install Ad-Aware SE, keeping the default options. However, some of the settings will need to be changed before your first scan
2. Close ALL windows except Ad-Aware SE
3. Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
4. Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window

1) In the ‘General’ window make sure the following are selected in green:
* Automatically save log-file
* Automatically quarantine objects prior to removal
* Safe Mode (always request confirmation)

Under Definitions:
* Prompt to update outdated definitions - set the number of days

2) Click on the ‘Scanning’ button on the left and select in green:

Under Driver, Folders & Files:
* Scan Within Archives

Under Select drives & folders to scan -
* choose all hard drives

Under Memory & Registry: all green
* Scan Active Processes
* Scan Registry
* Deep Scan Registry
* Scan my IE favorites for banned URL’s
* Scan my Hosts file

3) Click on the ‘Advanced’ button on the left and select in green:

Under Shell Integration:
* Move deleted files to recycle bin

Under Logfile Detail Level: (all green)
* include additional object information
* DESELECT - include negligible objects information
* include environment information

Under Alternate Data Streams:
* Don't log streams smaller than 0 bytes
* Don't log ADS with the following names: CA_INOCULATEIT

4) Click the ‘Tweak’ button and select in green:

Under the ‘Scanning Engine’:
* Unload recognized processes during scanning
* Scan registry for all users instead of current user only

Under the ‘Cleaning Engine’:
* Let Windows remove files in use at next reboot

Under the Log Files:
* Include basic Ad-aware SE settings in logfile
* Include additional Ad-aware SE settings in logfile
* Please do not check or make green: Include Module list in logfile

5. Click on ‘Proceed’ to save the settings.
6. Click ‘Start’
* Choose: 'Perform Full System Scan'
* DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
7. Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
8. If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
9. Save the log file when it asks and then click ‘finish’
10. REBOOT to complete the removal of what Ad-Aware SE found

* Run SpyBot. When you first run SpyBot, it will walk you through a Wizard which will perform a few critical functions (making a registry backup, getting the latest updates, etc.).
1. Perform all of the Wizard's tasks.
2. Run the program. Once it completes, have it fix everything it finds.
3. Reboot.

C) Boot into Safe Mode (do this by hitting the F8 key as the computer is booting) and:

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".
- For every user account listed under C:\Documents and Settings, delete everything inside the following folders (don't delete the folders themselves though):
1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5
- Delete the entire content of your C:\Windows\Temp folder. (If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed.)
- Empty your Recycle Bin.
- Reboot normally.

D) Run HijackThis again and post a fresh log. |
| ||
| Deanna Arceneaux

I hope I am replying in the correct place. I followed all instructions - I hope! Here is my current log:

Logfile of HijackThis v1.98.2
Scan saved at 12:14:33 PM, on 11/16/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Creative\SBLive2k\Creative Diagnostics 2.0\DIAGENT.EXE
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINNT\Plaxo\1.4.2.25\InstallStub.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\WINNT\system32\spool\DRIVERS\W32X86\3\HPZSTC09.exe
C:\DOCUME~1\DEANNA~1\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://government.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://batonrouge.cox.net/cci/home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive2k\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [4k.exe] C:\documents and settings\deanna arceneaux\local settings\temp\4k.exe
O4 - HKLM\..\Run: [OPo.exe] C:\documents and settings\deanna arceneaux\local settings\temp\OPo.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINNT\Plaxo\1.4.2.25\InstallStub.exe -a
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: CorelCENTRAL 10.lnk = C:\Program Files\Corel\WordPerfect Office 2002\Programs\CCWin10.exe
O4 - Global Startup: D-Link AirPlus.lnk = C:\Program Files\D-Link AirPlus\AirPlus.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .ASP: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/1...L/PhPSetup.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/u...5/sdcregie.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/24a8ceaaf39a503...p/RdxIE601.cab
O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactive Training\O10C\mitm0026.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://images.ancestry.com/asfiles/f...l/MFImgVwr.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/system...SysProfLcd.CAB
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll |
| ||
| Re: ads234 is driving me NUTS You are still running hijackthis from a temporary folder....be sure to put it in its own permanent folder so it can make the backups in case you need them. :) |
| ||
| Re: ads234 is driving me NUTS

1. Quote:

C:\DOCUME~1\DEANNA~1\LOCALS~1\Temp\HijackThis.exe

Create a folder directly under C: called Hijackthis, move HijackThis to that folder, and run it from there from now on.

2. Did you do everything that I suggested earlier? Your new log indicates that you either missed a few steps, or that some of the nasties have recreated themselves (which is entirely possible). The new log also still shows an instance of Internet Explorer (iexplore.exe) running.

3. Once you move HJT to a proper folder, run it again and have it fix the following (make absolutely sure "iexplore.exe" is not listed as a running process):

O4 - HKLM\..\Run: [4k.exe] C:\documents and settings\deanna arceneaux\local settings\temp\4k.exe
O4 - HKLM\..\Run: [OPo.exe] C:\documents and settings\deanna arceneaux\local settings\temp\OPo.exe
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/...IL/PhPSetup.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/24a8ceaaf39a50...ip/RdxIE601.cab

The following entries are not malicious, but they're not necessary either; have HJT fix them if you want:

O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

4. Once HJT has completed its fixes, reboot into safe mode again and repeat step "C" of my previous post.

5. Post a new log |
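The three checks the reply above applies to the log (HijackThis started from a Temp folder, iexplore.exe still running, and O4 autostart entries that point into a Temp folder), written out as an added example that is not part of the original thread. The rule names and regular expressions are this example's own assumptions; the sample is an excerpt of the second log posted in the thread, one entry per line.

```python
import ntpath
import re

# Excerpt of the 11/16/2004 log from this thread, one entry per line.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Scan saved at 12:14:33 PM, on 11/16/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\DEANNA~1\LOCALS~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://batonrouge.cox.net/cci/home
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [4k.exe] C:\documents and settings\deanna arceneaux\local settings\temp\4k.exe
O4 - HKLM\..\Run: [OPo.exe] C:\documents and settings\deanna arceneaux\local settings\temp\OPo.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: D-Link AirPlus.lnk = C:\Program Files\D-Link AirPlus\AirPlus.exe
"""

# A path component that is a Temp or Temporary Internet Files directory,
# including the 8.3 short form (TEMPOR~1). Assumption of this example.
TEMP_DIR = re.compile(r"\\(temp|tempor~\d|temporary internet files)\\", re.IGNORECASE)
# "O4 - ..." style entry: section code, then the entry body.
ENTRY = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
# Body of a registry autostart entry: hive, Run-type key, value name, command.
RUN_ENTRY = re.compile(
    r"^(?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


def parse_log(text):
    """Split a HijackThis log into running-process paths and (code, body) entries."""
    processes, entries, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ENTRY.match(line)
        if match:
            in_processes = False
            entries.append((match.group("code"), match.group("body")))
        elif line.lower().startswith("running processes"):
            in_processes = True
        elif in_processes:
            processes.append(line)
    return processes, entries


def triage(text):
    """Return (rule, detail) findings for the three conditions named in the reply."""
    processes, entries = parse_log(text)
    findings = []
    for path in processes:
        exe = ntpath.basename(path).lower()  # ntpath parses Windows paths on any OS
        if exe.startswith("hijackthis") and TEMP_DIR.search(path):
            # Run from Temp, the tool's backups would be wiped by the Temp cleanup.
            findings.append(("scanner-in-temp", path))
        if exe == "iexplore.exe":
            # Browser still open while scanning: fixes may not apply.
            findings.append(("browser-open", path))
    for code, body in entries:
        if code == "O4" and TEMP_DIR.search(body):
            # Autostart launching from a Temp folder: review before the next boot.
            match = RUN_ENTRY.match(body)
            findings.append(("autostart-from-temp", match.group("name") if match else body))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:22} {detail}")
```

An autostart that launches from a Temp folder is a reason to inspect the entry, not a verdict on its own; here it lines up with the two O4 entries the reply asks to have fixed.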
| ||
| Re: ads234 is driving me NUTS I know you must think I am a total idiot. I did follow your instructions to a T. Each and every step. I thought I ran HijackThis directly from the internet site. I can't find it to move to a permanent folder. Sorry to be such a pain. |
| ||
| Re: ads234 is driving me NUTS If need be, you can download a new copy of HJT from this site: http://www.majorgeeks.com/download3155.html |
| ||
| Re: ads234 is driving me NUTS

Ok, I tried again! Here is my newest log! Thanks!!!!!!!!!!!!!!!!!

Logfile of HijackThis v1.98.2
Scan saved at 10:16:30 AM, on 11/17/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\dmi\win32\bin\Win32sl.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Creative\SBLive2k\Creative Diagnostics 2.0\DIAGENT.EXE
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINNT\Plaxo\1.4.2.25\InstallStub.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\DEANNA~1\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://government.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://batonrouge.cox.net/cci/home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive2k\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [4k.exe] C:\documents and settings\deanna arceneaux\local settings\temp\4k.exe
O4 - HKLM\..\Run: [OPo.exe] C:\documents and settings\deanna arceneaux\local settings\temp\OPo.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINNT\Plaxo\1.4.2.25\InstallStub.exe -a
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: CorelCENTRAL 10.lnk = C:\Program Files\Corel\WordPerfect Office 2002\Programs\CCWin10.exe
O4 - Global Startup: D-Link AirPlus.lnk = C:\Program Files\D-Link AirPlus\AirPlus.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .ASP: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/1...L/PhPSetup.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/u...5/sdcregie.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/24a8ceaaf39a503...p/RdxIE601.cab
O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactive Training\O10C\mitm0026.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://images.ancestry.com/asfiles/f...l/MFImgVwr.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/system...SysProfLcd.CAB
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll |
| ||
| Re: ads234 is driving me NUTS You really should put hijackthis in its own folder. Please create a folder in My Documents and call it Hijack (or something similar). Then extract hijackthis into the folder you have created and run it from there. The reason for this is that Hijackthis cannot create backup files whilst it is being run from a temporary folder. |
| ||
| Re: ads234 is driving me NUTS Try this. Right click on your desktop and select NEW>FOLDER. Rename the folder to hijackthis. Go to where you currently have hijackthis.exe (the one that you used to create the log you posted) and instead of double clicking on it, just left click and hold down the mouse button. Drag the file into the folder you created before and release it into that folder. Run it from that folder and post that log. |