|
| ||
| Hotoffers.info virus Help! I've tried Hijackthis the new version and this stupid program keeps coming back. I feel so dirty! Here is my log. Thanks in advance for any help you can offer. Logfile of HijackThis v1.99.1 Scan saved at 3:13:19 PM, on 3/9/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\ibmpmsvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\CAPM1RSK.EXE C:\PROGRA~1\Grisoft\AVG6\avgserv.exe C:\WINDOWS\System32\CTSvcCDA.EXE C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe C:\WINDOWS\System32\QCONSVC.EXE C:\WINDOWS\System32\tcpsvcs.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\explorer.exe C:\WINDOWS\System32\netdc.exe C:\WINDOWS\TEMP\q1272325.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe C:\WINDOWS\system32\RunDll32.exe C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\IBM\Messages By IBM\ibmmessages.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Spyware Doctor\swdoctor.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE C:\Program Files\eFax Messenger Plus\HotTray.exe C:\Program Files\eFax Messenger Plus\Dllcmd32.exe C:\Program Files\Maximizer\MxAlarm.exe C:\Program Files\Maximizer\MxFinder.exe C:\Program Files\Nikon\NkView6\NkvMon.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\HighCriteria\TotalRecorder\TotalRecorder.exe C:\Program Files\Real\RealOne Player\RealPlay.exe C:\WINDOWS\TEMP\q1272325.exe C:\Program Files\Internet Explorer\iexplore.exe C:\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/192/ F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system32\netdc.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe O4 - HKLM\..\Run: [TP4EX] tp4ex.exe O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP O4 - HKLM\..\Run: [pdfFactory Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe" O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup O4 - HKLM\..\Run: [SearchEnhancement] "C:\Program Files\scbar\v9\scbar.exe" /H O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Useqif] C:\Program Files\Pkmd\Kztlmt.exe O4 - HKLM\..\Run: [Setup experation] C:\WINDOWS\svchost.exe O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q O4 - Startup: netdb.exe O4 - Startup: winupdate20780482[1].exe O4 - Global Startup: Canon PC1200 iC D600 iR1200G Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe O4 - Global Startup: MaxAlarm.lnk = C:\Program Files\Maximizer\MxAlarm.exe O4 - Global Startup: MaxFinder.lnk = C:\Program Files\Maximizer\MxFinder.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar4.dll/cmsearch.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar4.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar4.dll/cmcache.html O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar4.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar4.dll/cmtrans.html O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: ConferenceRoom Java Client - http://pix.sexyads.net:8080/java/cr.cab O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab O16 - DPF: {163A949D-2A1F-4B4C-AE46-83D0F59BE189} (X4 Control) - http://10.83.243.15/XHD.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/086076e1b2e0663...p/RdxIE601.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {7EC687F9-9EFB-4FA3-A5BA-197C3461448A} (Rm Control) - http://10.83.243.15/RM.cab O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://www.ca.mbe.com/viewer/activeX...ivexviewer.cab O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...trol_v1-32.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{D0C0EB69-5456-45EF-B192-910DDFDDF956}: NameServer = 208.57.0.11,208.57.0.10 O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE |
| ||
| Re: Hotoffers.info virus Hi and welcome unabobber. =============== Let's look for, and delete, any program segments(prefetches) that might be present, and are associated with the 'problems' we're trying to remove from this system. To do this, let's: 1) Click "Start | Search", then search for each of these program's base name(s), in all files and folders: netdc.exe* q1272325.exe* 2) Then if any are found in the 'prefetch' folder, delete them. Look closely, since the 'base' name will have a bunch of random numbers and letters attached to it. =============== Run HiJackThis then: 1. Click "Config..." 2. Click "Misc Tools" 3. Click "Open Process manager" - Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following: C:\WINDOWS\System32\netdc.exe C:\WINDOWS\TEMP\q1272325.exe Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain. =============== Run HiJackThis and click "Scan", then check(tick) the following, if present: R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/192/ F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system32\netdc.exe O4 - HKLM\..\Run: [SearchEnhancement] "C:\Program Files\scbar\v9\scbar.exe" /H O4 - HKLM\..\Run: [Useqif] C:\Program Files\Pkmd\Kztlmt.exe O4 - HKLM\..\Run: [Setup experation] C:\WINDOWS\svchost.exe O4 - Startup: netdb.exe O4 - Startup: winupdate20780482[1].exe O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/086076e1b2e066...ip/RdxIE601.cab Now, with all windows closed except HiJackThis, click "Fix checked". =============== Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders: folders... C:\Program Files\scbar C:\Program Files\Pkmd files... C:\WINDOWS\System32\netdc.exe C:\WINDOWS\TEMP\q1272325.exe C:\WINDOWS\svchost.exe Search for... netdb.exe winupdate20780482[1].exe ...using "Start | Search...". - Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode". =============== Post back a new log, and let me know how everything goes. |
| ||
| Re: Hotoffers.info virus Thanks for the advice. I found and deleted most of the files. I still seem to have the problem, though. Here's the log. I'm going to reboot and go through the steps one more time. The road to recovery can be a bumpy one. Logfile of HijackThis v1.99.1 Scan saved at 1:23:41 PM, on 3/10/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\ibmpmsvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\CAPM1RSK.EXE C:\PROGRA~1\Grisoft\AVG6\avgserv.exe C:\WINDOWS\System32\CTSvcCDA.EXE C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe C:\WINDOWS\System32\QCONSVC.EXE C:\WINDOWS\System32\tcpsvcs.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\WINDOWS\explorer.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe C:\WINDOWS\system32\RunDll32.exe C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\IBM\Messages By IBM\ibmmessages.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Spyware Doctor\swdoctor.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE C:\Program Files\eFax Messenger Plus\HotTray.exe C:\Program Files\eFax Messenger Plus\Dllcmd32.exe C:\Program Files\Maximizer\MxAlarm.exe C:\Program Files\Maximizer\MxFinder.exe C:\Program Files\Nikon\NkView6\NkvMon.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/192/ O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe O4 - HKLM\..\Run: [TP4EX] tp4ex.exe O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP O4 - HKLM\..\Run: [pdfFactory Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe" O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q O4 - Global Startup: Canon PC1200 iC D600 iR1200G Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe O4 - Global Startup: MaxAlarm.lnk = C:\Program Files\Maximizer\MxAlarm.exe O4 - Global Startup: MaxFinder.lnk = C:\Program Files\Maximizer\MxFinder.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar4.dll/cmsearch.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar4.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar4.dll/cmcache.html O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar4.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar4.dll/cmtrans.html O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: ConferenceRoom Java Client - http://pix.sexyads.net:8080/java/cr.cab O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab O16 - DPF: {163A949D-2A1F-4B4C-AE46-83D0F59BE189} (X4 Control) - http://10.83.243.15/XHD.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {7EC687F9-9EFB-4FA3-A5BA-197C3461448A} (Rm Control) - http://10.83.243.15/RM.cab O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://www.ca.mbe.com/viewer/activeX...ivexviewer.cab O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...trol_v1-32.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{D0C0EB69-5456-45EF-B192-910DDFDDF956}: NameServer = 208.57.0.11,208.57.0.10 O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE |
| ||
| Re: Hotoffers.info virus 1. Have HJT fix this one as well: O16 - DPF: ConferenceRoom Java Client - http://pix.sexyads.net:8080/java/cr.cab 2. You have Security iGuard installed, which is a program of less than perfect reputation, to say the least. I would advise that you uninstall it now. For more information on Security iGuard and other "bogus" anti-spyware products, please visit the following site: http://www.spywarewarrior.com/rogue_anti-spyware.htm |
| ||
| Re: Hotoffers.info virus Thanks for the suggestions. I got rid of those two programs. I still seem to have svchost in the c:\windows\system32 folder and I can't get rid of it even in Safe mode. The popups happen even in safe mode! |
| ||
| Re: Hotoffers.info virus Quote:
|
| ||
| Re: Hotoffers.info virus Go here and download and run Silent Runners.vbs. It generates a log, please post the information back in this thread. |
| ||
| Re: Hotoffers.info virus Quote:
Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "ibmmessages" = "C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" ["IBM"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "S3TRAY2" = "S3Tray2.exe" ["S3 Graphics, Inc."] "SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."] "SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."] "ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."] "BluetoothAuthenticationAgent" = "rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent" [MS] "TPHOTKEY" = "C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [null data] "BMMGAG" = "RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor" [MS] "BMMLREF" = "C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [null data] "TPKMAPMN" = "C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [null data] "TP4EX" = "tp4ex.exe" ["IBM Corporation"] "EZEJMNAP" = "C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" ["IBM Corp."] "AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"] "ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."] "ibmmessages" = "C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" ["IBM"] "StorageGuard" = ""c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r" ["VERITAS Software, Inc."] "dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"] "AVG_CC" = "C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP" ["GRISOFT s.r.o."] "pdfFactory Dispatcher v1" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe" ["FinePrint Software, LLC"] "TotalRecorderScheduler" = ""C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"" ["High Criteria inc."] "MCAgentExe" = "c:\PROGRA~1\mcafee.com\agent\mcagent.exe" ["McAfee, Inc"] "MCUpdateExe" = "C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" ["McAfee, Inc"] "MSKAGENTEXE" = "C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" ["Networks Associates Technology, Inc"] "MSKDetectorExe" = "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup" ["Networks Associates Technology, Inc."] "TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."] "Security iGuard" = "C:\Program Files\Security iGuard\Security iGuard.exe" [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string] {16664845-0E00-11D2-8059-000000000000}\(Default) = "ClickCatcher MSIE handler" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\ReGet Shared\Catcher.dll" ["ReGet Software"] {5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = "DriveLetterAccess" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"] {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar4.dll" ["Google Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension" -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] "{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"] "{32A9D769-5B55-4a25-9A62-86B5683FE50A}" = "NikonView Drop Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Nikon\NkView6\NkvDropExt.dll" ["Nikon Corporation"] "{1E2CDF40-419B-11D2-A5A1-002018648BA7}" = "AVG Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Grisoft\AVG6\avgse.dll" ["GRISOFT(c)SOFTWARE s.r.o."] "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealOne Player\rpshell.dll" ["RealNetworks, Inc."] "{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."] "{330417E8-EF62-4047-82BE-D8305CEFF572}" = "AMEncShlExt extension" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\amshellext.dll" ["4Musics, Inc."] "{A68865DD-EE3C-4442-9BE9-1BAB2576E3FA}" = "NOMAD Explorer" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Creative\Creative NOMAD Jukebox Zen Xtra\NOMAD Explorer\CTJBNS.DLL" ["Creative Technology Ltd"] "{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS] "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS] "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS] "{02040CD1-EF11-11D5-BC3F-0003473F5BF0}" = "HotShell Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\eFax Messenger Plus\hotshell.dll" ["j2 Global Communications, Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\ INFECTION WARNING! "{12345678-0000-0010-8000-00AAFF6D2EA4}" = "Sysctl Desktop Handler" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\systr.dll" [null data] Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ "SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS] Startup items in "RHA" & "All Users" startup folders: ----------------------------------------------------- C:\Documents and Settings\All Users\Start Menu\Programs\Startup "Canon PC1200 iC D600 iR1200G Status Window" -> shortcut to: "C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE !N" ["CANON INC."] "eFax Tray Menu" -> shortcut to: "C:\Program Files\eFax Messenger Plus\HotTray.exe" ["j2 Global Communications, Inc."] "Live Menu" -> shortcut to: "C:\Program Files\eFax Messenger Plus\Dllcmd32.exe /R /K C:\PROGRA~1\EFAXME~1\HsPfcW32.dll,JSPFCWSetHooking,1,0,0,0" ["j2 Global Communications, Inc."] "MaxAlarm" -> shortcut to: "C:\Program Files\Maximizer\MxAlarm.exe" ["Multiactive Software Inc."] "MaxFinder" -> shortcut to: "C:\Program Files\Maximizer\MxFinder.exe" ["Multiactive Software Inc."] "Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS] "NkvMon.exe" -> shortcut to: "C:\Program Files\Nikon\NkView6\NkvMon.exe" ["Nikon Corporation"] "Quicken Scheduled Updates" -> shortcut to: "C:\QUICKENW\bagent.exe" ["Intuit Inc."] Enabled Scheduled Tasks: ------------------------ "McAfee.com Update Check (SOHOEXPRESS-LISA)" -> launches: "C:\PROGRA~1\mcafee.com\agent\mcupdate.exe /Schedule" ["McAfee, Inc"] "McAfee.com Update Check (SOHOEXPRESS-RHA)" -> launches: "C:\PROGRA~1\mcafee.com\agent\mcupdate.exe /Schedule" ["McAfee, Inc"] "Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"] "{6FB33EFD-865B-4F4E-9F3C-64B1DC7E19DC}_SOHOEXPRESS_RHA" -> launches: "C:\WINDOWS\system32\mobsync.exe /Schedule="{6FB33EFD-865B-4F4E-9F3C-64B1DC7E19DC}_SOHOEXPRESS_RHA"" [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."] AVG6 Service, AvgServ, "C:\PROGRA~1\Grisoft\AVG6\avgserv.exe" ["GRISOFT s.r.o"] Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTSvcCDA.EXE" ["Creative Technology Ltd"] IBM PM Service, IBMPMSVC, "C:\WINDOWS\System32\ibmpmsvc.exe" [null data] IPv6 Helper Service, 6to4, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\6to4svc.dll" [MS]} McAfee SpamKiller Server, MskService, "C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe" ["Networks Associates Technology. Inc."] QCONSVC, QCONSVC, "System32\QCONSVC.EXE" [null data] RIP Listener, Iprip, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\iprip.dll" [MS]} Simple TCP/IP Services, SimpTcp, "C:\WINDOWS\System32\tcpsvcs.exe" [MS] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS] WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 34 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 ---------- This report excludes default entries except where indicated. To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. ---------- |
| ||
| Re: Hotoffers.info virus Download the Pocket KillBox Unzip the file to your desktop. Run Pocket Killbox and paste the full file path of the below file in the box and click on Standard File Kill and End Explorer Shell While Killing File. Click on the button with the red circle and an X in the middle after you enter the file. C:\WINDOWS\System32\systr.dll Reboot afterwards if the file is successfully deleted. If the file is not deleted, do not reboot yet. Run Pocket Killbox again and paste the full file path in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File with be deleted on next reboot, Process and Reboot now?" Click "Yes" to reboot. Post another hijackthis log and a silent runners log taken after the reboot. |
| ||
| Re: Hotoffers.info virus Quote:
Here is the resulting hijackthis log. Logfile of HijackThis v1.99.1 Scan saved at 9:10:19 AM, on 3/12/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\ibmpmsvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\explorer.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe C:\WINDOWS\system32\RunDll32.exe C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\IBM\Messages By IBM\ibmmessages.exe C:\Program Files\VERITAS Software\Update Manager\sgtray.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe C:\Program Files\eFax Messenger Plus\HotTray.exe C:\Program Files\eFax Messenger Plus\Dllcmd32.exe C:\Program Files\Maximizer\MxAlarm.exe C:\Program Files\Maximizer\MxFinder.exe C:\Program Files\Nikon\NkView6\NkvMon.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE C:\WINDOWS\system32\CAPM1RSK.EXE C:\WINDOWS\System32\Ati2evxx.exe C:\PROGRA~1\Grisoft\AVG6\avgserv.exe C:\WINDOWS\System32\CTSvcCDA.EXE C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe C:\Program Files\Symantec\LiveUpdate\AUpdate.exe C:\hijackthis\HijackThis.exe C:\WINDOWS\System32\QCONSVC.EXE C:\WINDOWS\System32\tcpsvcs.exe C:\WINDOWS\System32\MsPMSPSv.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/192/ R3 - URLSearchHook: transURL Class - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - C:\WINDOWS\System32\SEARCH~1.DLL F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system32\netdc.exe O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: ClickCatcher MSIE handler - {16664845-0E00-11D2-8059-000000000000} - C:\Program Files\Common Files\ReGet Shared\Catcher.dll O2 - BHO: BL Class - {28F65FCB-D130-11D8-BA48-8BE0C49AF370} - C:\WINDOWS\System32\popup_bl.dll O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file) O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - C:\Program Files\ReGetDx\iebar.dll O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe O4 - HKLM\..\Run: [TP4EX] tp4ex.exe O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP O4 - HKLM\..\Run: [pdfFactory Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe" O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe O4 - Global Startup: Canon PC1200 iC D600 iR1200G Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPM1LAK.EXE O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe O4 - Global Startup: MaxAlarm.lnk = C:\Program Files\Maximizer\MxAlarm.exe O4 - Global Startup: MaxFinder.lnk = C:\Program Files\Maximizer\MxFinder.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar4.dll/cmsearch.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar4.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar4.dll/cmcache.html O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar4.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar4.dll/cmtrans.html O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab O16 - DPF: {163A949D-2A1F-4B4C-AE46-83D0F59BE189} (X4 Control) - http://10.83.243.15/XHD.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {7EC687F9-9EFB-4FA3-A5BA-197C3461448A} (Rm Control) - http://10.83.243.15/RM.cab O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://www.ca.mbe.com/viewer/activeX...ivexviewer.cab O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...trol_v1-32.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{D0C0EB69-5456-45EF-B192-910DDFDDF956}: NameServer = 208.57.0.11,208.57.0.10 O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE Here is the Silent Runner log: "Silent Runners.vbs", revision 32, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "ibmmessages" = "C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" ["IBM"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "S3TRAY2" = "S3Tray2.exe" ["S3 Graphics, Inc."] "SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."] "SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."] "ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."] "BluetoothAuthenticationAgent" = "rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent" [MS] "TPHOTKEY" = "C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [null data] "BMMGAG" = "RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor" [MS] "BMMLREF" = "C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE" [null data] "TPKMAPMN" = "C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe" [null data] "TP4EX" = "tp4ex.exe" ["IBM Corporation"] "EZEJMNAP" = "C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe" ["IBM Corp."] "AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"] "ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."] "ibmmessages" = "C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" ["IBM"] "StorageGuard" = ""c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r" ["VERITAS Software, Inc."] "dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"] "AVG_CC" = "C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP" ["GRISOFT s.r.o."] "pdfFactory Dispatcher v1" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe" ["FinePrint Software, LLC"] "TotalRecorderScheduler" = ""C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"" ["High Criteria inc."] "MCAgentExe" = "c:\PROGRA~1\mcafee.com\agent\mcagent.exe" ["McAfee, Inc"] "MCUpdateExe" = "C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" ["McAfee, Inc"] "MSKAGENTEXE" = "C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe" ["Networks Associates Technology, Inc"] "MSKDetectorExe" = "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup" ["Networks Associates Technology, Inc."] "TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."] "Security iGuard" = "C:\Program Files\Security iGuard\Security iGuard.exe" [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string] {16664845-0E00-11D2-8059-000000000000}\(Default) = "ClickCatcher MSIE handler" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\ReGet Shared\Catcher.dll" ["ReGet Software"] {28F65FCB-D130-11D8-BA48-8BE0C49AF370}\(Default) = "BL Class" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\popup_bl.dll" [empty string] {5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = "DriveLetterAccess" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"] {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar4.dll" ["Google Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension" -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] |
| All times are GMT -4. The time now is 5:06 pm. |
Forum system based on vBulletin Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
©2003 - 2009 DaniWeb® LLC