 |  |  |  |  |  |  |  |
ACTIVE X virus? 2 in network infected
 |
The only 2 workstations on my network running WIN 2000 have contracted some sort of nasty. Here are the HJT logs.
COMPUTER A
Logfile of HijackThis v1.99.1
Scan saved at 9:45:31 AM, on 2/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINNT\system32\E_SDA104.EXE
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
c:\winnt\system32\vert\palsp.exe
C:\WINNT\shch.exe
C:\Program Files\Preview AdService\PrevAdServ.exe
C:\WINNT\system32\hub132.exe
C:\WINNT\system32\xxtra32.exe
C:\WINNT\system32\serogmsg.exe
C:\Program Files\Preview AdService\PrevAdKeep.exe
c:\winnt\system32\vert\wshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R3 - Default URLSearchHook is missing
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINNT\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ES_AGENT] C:\WINNT\system32\E_SDA104.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [alter service] hub132.exe
O4 - HKLM\..\Run: [element furth] c:\winnt\system32\vert\repcale.exe c:\winnt\system32\vert\palsp.exe
O4 - HKLM\..\Run: [mark the service] xxtra32.exe
O4 - HKLM\..\Run: [antiware] C:\winnt\system32\elitehwl32.exe
O4 - HKLM\..\Run: [clfmon] C:\WINNT\clfmon.exe
O4 - HKLM\..\Run: [SvcH0st] C:\WINNT\shch.exe /i
O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\RunServices: [alter service] hub132.exe
O4 - HKLM\..\RunServices: [mark the service] xxtra32.exe
O4 - HKCU\..\Run: [alter service] hub132.exe
O4 - HKCU\..\Run: [mark the service] xxtra32.exe
O4 - HKCU\..\Run: [IBvpRhZti] serogmsg.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(4).lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV04.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.pcpitstop.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/pcpitstop.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Do.../bridge-c7.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/...sb_regular.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PPC2.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{3BA33C59-36F6-4057-933C-3905CF43C344}: NameServer = 209.12.79.2,63.84.206.2,67.103.22.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PPC2.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{3BA33C59-36F6-4057-933C-3905CF43C344}: NameServer = 209.12.79.2,63.84.206.2,67.103.22.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = PPC2.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{3BA33C59-36F6-4057-933C-3905CF43C344}: NameServer = 209.12.79.2,63.84.206.2,67.103.22.222
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
COMPUTER B
Logfile of HijackThis v1.99.1
Scan saved at 2:40:11 PM, on 2/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
C:\Program Files\Norton Utilities\NProtect.exe
C:\Program Files\Expertcity\GoToMyPC\g2comm.exe
C:\Program Files\Expertcity\GoToMyPC\g2pre.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Expertcity\GoToMyPC\g2tray.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINNT\system32\WFXSVC.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\WinFax\WFXMOD32.EXE
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wfxsnt40.exe
C:\WINNT\SM1BG.EXE
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WinFax\WFXCTL32.EXE
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Vista\vs4run.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R3 - URLSearchHook: (no name) - {18058D25-81D6-607F-E823-C2D73BC536CB} - (no file)
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [TotalRecorderScheduler] C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Expertcity\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - Startup: Macro Scheduler.lnk = C:\Program Files\MJT Net Ltd\Macro Scheduler\msched.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CD...bridge-c11.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {3F0EECCE-E138-11D1-8712-0060083D83F5} (LPViewer Class) - http://www.mgisoft.com/ActiveX/LPControl.cab
O16 - DPF: {40272BF7-4FF5-4D6F-9BAD-3C1D3CB32982} (Live365PlayerVIP Class) - http://www.live365.com/players/p365vip.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info...TunesSetup.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares/...sb_regular.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2190602b...p/RdxIE601.cab
O16 - DPF: {58F0B492-A42E-435A-BCBF-C6B2608077BA} - http://ak.imgfarm.com/images/nocache...tup1.0.0.7.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PPC2.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{3944AE67-CB7D-43AD-9B2C-7D773D05DD00}: NameServer = 209.12.79.2,63.84.206.2,67.103.22.223
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PPC2.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{3944AE67-CB7D-43AD-9B2C-7D773D05DD00}: NameServer = 209.12.79.2,63.84.206.2,67.103.22.223
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = PPC2.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{3944AE67-CB7D-43AD-9B2C-7D773D05DD00}: NameServer = 209.12.79.2,63.84.206.2,67.103.22.223
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Expertcity\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NProtect.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PSEXESVC - Sysinternals - C:\WINNT\System32\PSEXESVC.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINNT\system32\WFXSVC.EXE
COMPUTER A
Logfile of HijackThis v1.99.1
Scan saved at 9:45:31 AM, on 2/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINNT\system32\E_SDA104.EXE
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
c:\winnt\system32\vert\palsp.exe
C:\WINNT\shch.exe
C:\Program Files\Preview AdService\PrevAdServ.exe
C:\WINNT\system32\hub132.exe
C:\WINNT\system32\xxtra32.exe
C:\WINNT\system32\serogmsg.exe
C:\Program Files\Preview AdService\PrevAdKeep.exe
c:\winnt\system32\vert\wshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R3 - Default URLSearchHook is missing
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINNT\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ES_AGENT] C:\WINNT\system32\E_SDA104.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [alter service] hub132.exe
O4 - HKLM\..\Run: [element furth] c:\winnt\system32\vert\repcale.exe c:\winnt\system32\vert\palsp.exe
O4 - HKLM\..\Run: [mark the service] xxtra32.exe
O4 - HKLM\..\Run: [antiware] C:\winnt\system32\elitehwl32.exe
O4 - HKLM\..\Run: [clfmon] C:\WINNT\clfmon.exe
O4 - HKLM\..\Run: [SvcH0st] C:\WINNT\shch.exe /i
O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\RunServices: [alter service] hub132.exe
O4 - HKLM\..\RunServices: [mark the service] xxtra32.exe
O4 - HKCU\..\Run: [alter service] hub132.exe
O4 - HKCU\..\Run: [mark the service] xxtra32.exe
O4 - HKCU\..\Run: [IBvpRhZti] serogmsg.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(4).lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV04.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.pcpitstop.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/pcpitstop.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Do.../bridge-c7.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/...sb_regular.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PPC2.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{3BA33C59-36F6-4057-933C-3905CF43C344}: NameServer = 209.12.79.2,63.84.206.2,67.103.22.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PPC2.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{3BA33C59-36F6-4057-933C-3905CF43C344}: NameServer = 209.12.79.2,63.84.206.2,67.103.22.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = PPC2.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{3BA33C59-36F6-4057-933C-3905CF43C344}: NameServer = 209.12.79.2,63.84.206.2,67.103.22.222
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
COMPUTER B
Logfile of HijackThis v1.99.1
Scan saved at 2:40:11 PM, on 2/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Expertcity\GoToMyPC\g2svc.exe
C:\Program Files\Norton Utilities\NProtect.exe
C:\Program Files\Expertcity\GoToMyPC\g2comm.exe
C:\Program Files\Expertcity\GoToMyPC\g2pre.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Expertcity\GoToMyPC\g2tray.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Speed Disk\nopdb.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINNT\system32\WFXSVC.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\WinFax\WFXMOD32.EXE
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wfxsnt40.exe
C:\WINNT\SM1BG.EXE
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WinFax\WFXCTL32.EXE
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Vista\vs4run.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R3 - URLSearchHook: (no name) - {18058D25-81D6-607F-E823-C2D73BC536CB} - (no file)
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINNT\SM1BG.EXE
O4 - HKLM\..\Run: [TotalRecorderScheduler] C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Expertcity\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - Startup: Macro Scheduler.lnk = C:\Program Files\MJT Net Ltd\Macro Scheduler\msched.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CD...bridge-c11.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {3F0EECCE-E138-11D1-8712-0060083D83F5} (LPViewer Class) - http://www.mgisoft.com/ActiveX/LPControl.cab
O16 - DPF: {40272BF7-4FF5-4D6F-9BAD-3C1D3CB32982} (Live365PlayerVIP Class) - http://www.live365.com/players/p365vip.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info...TunesSetup.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares/...sb_regular.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2190602b...p/RdxIE601.cab
O16 - DPF: {58F0B492-A42E-435A-BCBF-C6B2608077BA} - http://ak.imgfarm.com/images/nocache...tup1.0.0.7.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PPC2.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{3944AE67-CB7D-43AD-9B2C-7D773D05DD00}: NameServer = 209.12.79.2,63.84.206.2,67.103.22.223
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PPC2.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{3944AE67-CB7D-43AD-9B2C-7D773D05DD00}: NameServer = 209.12.79.2,63.84.206.2,67.103.22.223
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = PPC2.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{3944AE67-CB7D-43AD-9B2C-7D773D05DD00}: NameServer = 209.12.79.2,63.84.206.2,67.103.22.223
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Expertcity\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NProtect.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PSEXESVC - Sysinternals - C:\WINNT\System32\PSEXESVC.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINNT\system32\WFXSVC.EXE
•
•
Join Date: Aug 2003
Posts: 9,541
Reputation: 
Solved Threads: 492
Computer B
Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.
You might want to print out or copy & paste to notePad , these instructions as you will need to close this browser window to fix with hijackthis !
R3 - URLSearchHook: (no name) - {18058D25-81D6-607F-E823-C2D73BC536CB} - (no file)
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
This one is optional ,not need in startup ,rescource hog.
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
These 2 016s' for sure ,but i recommend you fix all 016s'just to be sure as the good ones will download again when you revisit the site .
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/C.../bridge-c11.cab
-Blazefind Windupdates Adware
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2190602...ip/RdxIE601.cab
-Netster
O16 - DPF: {58F0B492-A42E-435A-BCBF-C6B2608077BA} - http://ak.imgfarm.com/images/nocach...etup1.0.0.7.cab
reboot computer and post a new log
EDIT:
Computer A ,has alot more ,and will need quite a bit more work than computer B
Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.
You might want to print out or copy & paste to notePad , these instructions as you will need to close this browser window to fix with hijackthis !
R3 - URLSearchHook: (no name) - {18058D25-81D6-607F-E823-C2D73BC536CB} - (no file)
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
This one is optional ,not need in startup ,rescource hog.
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
These 2 016s' for sure ,but i recommend you fix all 016s'just to be sure as the good ones will download again when you revisit the site .
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/C.../bridge-c11.cab
-Blazefind Windupdates Adware
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2190602...ip/RdxIE601.cab
-Netster
O16 - DPF: {58F0B492-A42E-435A-BCBF-C6B2608077BA} - http://ak.imgfarm.com/images/nocach...etup1.0.0.7.cab
reboot computer and post a new log
EDIT:
Computer A ,has alot more ,and will need quite a bit more work than computer B
Linux boot cd http://www.knopper.net/knoppix/index-en.html
•
•
Join Date: Aug 2003
Posts: 9,541
Reputation:
Solved Threads: 492
I syggest This to start with for computer A !
,,,,,,,,,,,,,,,,,,,,,
Go
Here and Get Trojan-Hunter Fully working trial! and run a full scan
,,,,,,,,,,,,,,,,,,,,,
Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, be sure to also select delete all offline content.
Do a virus scan here.
If you get report of files that can’t be cleaned / deleted please write down the filenames and locations and post that in your reply.
,,,,,,,,,,,,,,,,,,,,,,,,,,
Download then unzip and run CWShredder to clean up clicking "FIX" to have it remove all it finds.
CWShredder available from these places :-
http://www.aluriasoftware.com/tools/cwshredder.zip
Or this as a full download without any unzipping required
http://www.downloads.subratam.org/CWShredder.exe
http://www.spywareinfo.com/downloads...CWShredder.exe
We have found that some of the CWS infections can be removed better from safe mode, rather than normal mode.
To get to safe mode use the F8 key while booting the machine. Detailed instructions from :-
HERE
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
Then please do this since it’s better to use automated tools to get rid of the bad stuff use these 2 programs first before doing the final cleaning with HJT
First use Spybot S&D. (Version 1.3)
Spybot
Unzip, and update. Install the updates and run. Delete all that it marks in red.
Reboot
Then it’s time for Ad-Aware
Ad-Aware
Install and update by using the globe icon. Restart your computer and run Ad-Aware.
Press scan now and select drives and/or partitions to be scanned. When done select all and click next. Remove all checked items and then reboot your computer.
Please go to this page and read the instructions for how to configure Spybot S&D & Ad-Aware
How To Setup Spybot SD and Ad-Aware
Then post a HJT log as a reply to this topic.
,,,,,,,,,,,,,,,,,,,,,
Go
Here and Get Trojan-Hunter Fully working trial! and run a full scan
,,,,,,,,,,,,,,,,,,,,,
Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, be sure to also select delete all offline content.
Do a virus scan here.
If you get report of files that can’t be cleaned / deleted please write down the filenames and locations and post that in your reply.
,,,,,,,,,,,,,,,,,,,,,,,,,,
Download then unzip and run CWShredder to clean up clicking "FIX" to have it remove all it finds.
CWShredder available from these places :-
http://www.aluriasoftware.com/tools/cwshredder.zip
Or this as a full download without any unzipping required
http://www.downloads.subratam.org/CWShredder.exe
http://www.spywareinfo.com/downloads...CWShredder.exe
We have found that some of the CWS infections can be removed better from safe mode, rather than normal mode.
To get to safe mode use the F8 key while booting the machine. Detailed instructions from :-
HERE
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
Then please do this since it’s better to use automated tools to get rid of the bad stuff use these 2 programs first before doing the final cleaning with HJT
First use Spybot S&D. (Version 1.3)
Spybot
Unzip, and update. Install the updates and run. Delete all that it marks in red.
Reboot
Then it’s time for Ad-Aware
Ad-Aware
Install and update by using the globe icon. Restart your computer and run Ad-Aware.
Press scan now and select drives and/or partitions to be scanned. When done select all and click next. Remove all checked items and then reboot your computer.
Please go to this page and read the instructions for how to configure Spybot S&D & Ad-Aware
How To Setup Spybot SD and Ad-Aware
Then post a HJT log as a reply to this topic.
Linux boot cd http://www.knopper.net/knoppix/index-en.html
Computer A
These are "Nasty":
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R3 - Default URLSearchHook is missing
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINNT\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteToolBar\EliteToolBar version 59.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/D...e/bridge-c7.cab
Do you know the IP or Domain '209.12.79.2,63.84.206.2,67.103.22.222'?
Caperjack didnt mention this I don't think. But for the O4 files you have to delete those files by going to that file.
Also CaperJack Microsoft AntiSpyware works just as well as Ad-Aware.
These are "Nasty":
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R3 - Default URLSearchHook is missing
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINNT\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteToolBar\EliteToolBar version 59.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/D...e/bridge-c7.cab
Do you know the IP or Domain '209.12.79.2,63.84.206.2,67.103.22.222'?
Caperjack didnt mention this I don't think. But for the O4 files you have to delete those files by going to that file.
Also CaperJack Microsoft AntiSpyware works just as well as Ad-Aware.
PETA People for the Eating of Tasty Animals.
FireFox
Hijack This
Ad-Aware
Hijack this tutorial
Microsoft AntiSpyware
CompUchat
FireFox
Hijack This
Ad-Aware
Hijack this tutorial
Microsoft AntiSpyware
CompUchat
•
•
Join Date: Aug 2003
Posts: 9,541
Reputation:
Solved Threads: 492
•
•
•
•
Originally Posted by OurNation
Computer A
These are "Nasty":
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R3 - Default URLSearchHook is missing
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINNT\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteToolBar\EliteToolBar version 59.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/D...e/bridge-c7.cab
Do you know the IP or Domain '209.12.79.2,63.84.206.2,67.103.22.222'?
Caperjack didnt mention this I don't think. But for the O4 files you have to delete those files by going to that file.
Also CaperJack Microsoft AntiSpyware works just as well as Ad-Aware.
I agree about microsofts program but its Beta and i don't recomend Beta program ,but if anyone wants to use please do ,I do !!
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
anyway this is what i find bad in computer A ,if any of this remains after running recomended program fix it .
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.
You might want to print out or copy & paste to notePad , these instructions as you will need to close this browser window to fix with hijackthis !
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R3 - Default URLSearchHook is missing
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINNT\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [alter service] hub132.exe
O4 - HKLM\..\Run: [element furth] c:\winnt\system32\vert\repcale.exe c:\winnt\system32\vert\palsp.exe
O4 - HKLM\..\Run: [mark the service] xxtra32.exe
O4 - HKLM\..\Run: [antiware] C:\winnt\system32\elitehwl32.exe
O4 - HKLM\..\Run: [clfmon] C:\WINNT\clfmon.exe
O4 - HKLM\..\Run: [SvcH0st] C:\WINNT\shch.exe /i
O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\RunServices: [alter service] hub132.exe
O4 - HKLM\..\RunServices: [mark the service] xxtra32.exe
O4 - HKCU\..\Run: [alter service] hub132.exe
O4 - HKCU\..\Run: [mark the service] xxtra32.exe
O4 - HKCU\..\Run: [IBvpRhZti] serogmsg.exe
again this is optional.
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Same here as in computer B, one is bad for sure but fix all to be safe .
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/pcpitstop.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/D...e/bridge-c7.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares...ysb_regular.cab
Now reboot into safe mode and delete the following files and folders if found .
hub132.exe,,,,,,,delete file
c:\winnt\system32\vert\,,,,,,,delete Folder
xxtra32.exe,,,,,,,delete file
C:\winnt\system32\elitehwl32.exe
C:\WINNT\clfmon.exe,,,,,,,delete file
C:\WINNT\shch.exe ,,,,,,,delete file
C:\Program Files\Preview AdService\,,,,,,,delete Folder
c:\temp\salm.exe,,,,,,,delete file
serogmsg.exe,,,,,,,delete file
to delete the above files and folder you will need to do the following
go to
Show hidden files & folders
"Fix Checked"...Reboot to SAFE mode to delete files
How to start computer in safe mode
reboot computer and post a new log
Linux boot cd http://www.knopper.net/knoppix/index-en.html
You guys are wonderful! I got all but 6. I have posted those messages at my site http://www.kdtos.com/computer_a.htm
We are operational on Computer A now though I am sure some nasties still linger. Here is the latest log.
Computer A
Logfile of HijackThis v1.99.1
Scan saved at 10:59:21 AM, on 2/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINNT\system32\E_SDA104.EXE
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\HijackThis\HijackThis.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ES_AGENT] C:\WINNT\system32\E_SDA104.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(4).lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV04.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.pcpitstop.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/pcpitstop.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Do.../bridge-c7.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares/...sb_regular.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PPC2.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{3BA33C59-36F6-4057-933C-3905CF43C344}: NameServer = 209.12.79.2,63.84.206.2,67.103.22.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PPC2.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{3BA33C59-36F6-4057-933C-3905CF43C344}: NameServer = 209.12.79.2,63.84.206.2,67.103.22.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = PPC2.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{3BA33C59-36F6-4057-933C-3905CF43C344}: NameServer = 209.12.79.2,63.84.206.2,67.103.22.222
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
How does she look?
We are operational on Computer A now though I am sure some nasties still linger. Here is the latest log.
Computer A
Logfile of HijackThis v1.99.1
Scan saved at 10:59:21 AM, on 2/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINNT\system32\crypserv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINNT\system32\E_SDA104.EXE
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\HijackThis\HijackThis.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ES_AGENT] C:\WINNT\system32\E_SDA104.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(4).lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV04.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.pcpitstop.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/pcpitstop.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Do.../bridge-c7.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares/...sb_regular.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PPC2.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{3BA33C59-36F6-4057-933C-3905CF43C344}: NameServer = 209.12.79.2,63.84.206.2,67.103.22.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PPC2.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{3BA33C59-36F6-4057-933C-3905CF43C344}: NameServer = 209.12.79.2,63.84.206.2,67.103.22.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = PPC2.local
O17 - HKLM\System\CS2\Services\Tcpip\..\{3BA33C59-36F6-4057-933C-3905CF43C344}: NameServer = 209.12.79.2,63.84.206.2,67.103.22.222
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINNT\SYSTEM32\crypserv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
How does she look?
•
•
Join Date: Aug 2003
Posts: 9,541
Reputation:
Solved Threads: 492
Fix this !
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares...ysb_regular.cab
The ip address inthe 017 ,is it yours ,a search says it this.reconise it .
Search results for: 209.12.79.2,63.84
e.spire Communications, Inc. ESPIRE-3BL (NET-209-12-0-0-1)
209.12.0.0 - 209.12.255.255
Inflexion Communications Corporation INFLEX-200403040825347 (NET-209-12-79-0-1)
209.12.79.0 - 209.12.79.255
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares...ysb_regular.cab
The ip address inthe 017 ,is it yours ,a search says it this.reconise it .
Search results for: 209.12.79.2,63.84
e.spire Communications, Inc. ESPIRE-3BL (NET-209-12-0-0-1)
209.12.0.0 - 209.12.255.255
Inflexion Communications Corporation INFLEX-200403040825347 (NET-209-12-79-0-1)
209.12.79.0 - 209.12.79.255
Linux boot cd http://www.knopper.net/knoppix/index-en.html
•
•
Join Date: Aug 2003
Posts: 9,541
Reputation:
Solved Threads: 492
looked at the error messages on you site ,you should be able to delete those files in safe mode and maybe run spybot there as well .
hit f8 on bootup to get to safe mode .
hit f8 on bootup to get to safe mode .
Linux boot cd http://www.knopper.net/knoppix/index-en.html
You should fix this one with hijackthis too:
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/D...e/bridge-c7.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/D...e/bridge-c7.cab
Links to help you help yourself :
Protect Your PC & Avoid Infections -- http://www.daniweb.com/techtalkforums/thread27519.html
Cleanup Procedures & Tools -- http://www.daniweb.com/techtalkforums/thread27570.html
Infection Removal & HijackThis Use -- http://www.daniweb.com/techtalkforums/thread28196.html
Protect Your PC & Avoid Infections -- http://www.daniweb.com/techtalkforums/thread27519.html
Cleanup Procedures & Tools -- http://www.daniweb.com/techtalkforums/thread27570.html
Infection Removal & HijackThis Use -- http://www.daniweb.com/techtalkforums/thread28196.html
|
Other Threads in the Viruses, Spyware and other Nasties Forum
- Previous Thread: Generic Host Process for Win32 Services
- Next Thread: XP SP2 Freezing upon opening new explorer/Internet excplorer windows
| Thread Tools | Search this Thread |
You need to join our community in order to build your list of favorite forums. You can visit the forum index for a listing of all forums.
Related Forum Features
Latest Viruses, Spyware and other Nasties Posts
adware anti-malware antivirus apple attack audio avg backtoschoolspeech bar blackhat botnet botnets censorship china commercial commercials conficker control crosssitescripting cyber cybercrime cyberwarfare ddos domains e-mafia education email exam exploit facebook fancheckvirus gaming gtaiv gumblar halloween hijack hosting internet iphone kaspersky legal logfiles mail malware mcafee mega-d messagelabs microsoft msn nazi news obama onlinethreats paedophile panel parents patch phishing police policeprovirusmba-mblockedinternetaccess president privacy pro problem redirect redirecting reliability report research risk rogueantivirus samhain sans scareware school search security seopoisoning sites software spam spyware sqlinjection symantec system teen translate trojan unabletoaccessanti-virussites unwanted update virus viruses vista war warning windows worm yahoo zeroday
